Commit Graph

652 Commits

Author SHA1 Message Date
elajkat 625b6526ca Bump hacking
hacking 3.0.x is too old.
Try to synchronize pylint ignore and extension list with
other Networking projects.

With new pip the order of packages is not relevant, so the
related comment from requirements.txts is removed, see pip
documentation:
https://pip.pypa.io/en/stable/cli/pip_install/#installation-order

Change-Id: I99a2d30149088d3d71d56351d180e665c38686ef
2024-02-09 09:58:16 +00:00
Takashi Kajinami 75228edb41 Remove usage of LBaaS constants
This removed usage of LBaaS constants from unit tests. LBaaS was
retired some time ago and these constants will be removed.

Change-Id: I2951c866cdfbd88bcba9fb8d299f592cd6a44dff
2023-11-30 11:01:52 +09:00
Rodolfo Alonso Hernandez cfa0b34476 [sqlalchemy-20] Replace the context writer/reader
This patch replaces the old DB contexts and removes the subtransactions.

Change-Id: I9ac48eeba9f7d5d01153edb4b2f3341008ac2e01
2023-10-16 09:17:29 +00:00
Zuul 3fcf1b8246 Merge "Firewall group associated with ports is not allowed to be deleted" 2023-09-12 14:20:58 +00:00
Xing Zhang 193d1e2766 Use unittest.mock instead of mock
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py38 and later, we can use the
standard lib unittest.mock module instead.

Change-Id: I009b6e65424ba3b662949baa1226fbf0ff14af80
2023-06-27 11:15:24 +08:00
Zuul a3efd32a86 Merge "[alembic] Alembic operations require keywords only arguments" 2023-06-02 18:49:44 +00:00
Zuul 768937b0d7 Merge "Remove Exception Definition in fwaas_v2 Extension" 2023-06-01 11:07:08 +00:00
Zuul 52539bc578 Merge "notify the plugin only on status updated" 2023-06-01 11:05:00 +00:00
Rodolfo Alonso Hernandez 925b31f6fc [alembic] Alembic operations require keywords only arguments
Since [1] (release 1.11.0), the Alembic operations "now enforce
keyword-only arguments as passed as keyword and not positionally"
(from the commit message).

This change is compatible with the previous versions (as confirmed
in the CI).

[1] df75e85489

Closes-Bug: #2019948
Change-Id: Iedf9a47a80a2775f73e7873ce3e55c4152d0f564
2023-06-01 10:05:56 +00:00
zhouhenglc 72ad4f96db notify the plugin only on status updated
If the status of the firewall group is consistent with the status
to be updated, there is no need to notify the plugin to update the
status.
The processing of the agent requires a certain amount of time. If
firewall group is updated during this period, updating the firewall
group status at this time may cause the firewall group to be in an
incorrect state.

Partial-Bug: #2021457

Change-Id: I316827259367d78d7dbb57888ad41408d44c43f6
2023-05-29 16:14:15 +08:00
zhouhenglc 5b56eaf3b0 Firewall group associated with ports is not allowed to be deleted
Currently, we determine that the firewall group is in use based on
its ACTIVE status. But the firewall group may have just updated
the port and is currently PENDING_UPDATE status, deletion should
not be allowed at this time.
This patch changes the judgment method for deleting firewall
groups, no longer based on their status. But like other neutron
resources, based on whether or not they are associated.

Closes-Bug: #2018967
Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/883826

Change-Id: Ib7ab0daf9f6de45125ffc9408f865fc0964ff339
2023-05-29 16:04:32 +08:00
zhouhenglc 85c2966903 Remove Exception Definition in fwaas_v2 Extension
These exception definitions are already in neutron-lib.
And it has already been directly referenced in neutron lib
in the code.

Change-Id: I9f0d5efc3d86bdab97a188ea880780b19e2a7e43
2023-05-26 10:47:06 +08:00
liushy 3b4e1bdda1 Support standard_attrs for fwaas resources
Now, this patch will support standard_attrs for
firewall_group/firewall_rule/firewall_policy.

Closes-Bug: #1986906
Change-Id: Ib7b06d604a0950a104215bcf4386e14b77d20d12
2023-05-24 16:24:14 +00:00
Rodolfo Alonso Hernandez e479c1a1d6 Fix issues due to recent RBAC changes
Neutron recently merged a commit enabling secure rbacs by default
[1], breaking several unit tests of networking-fwaas.
This patch changes the necessary test calls to be admin and
requires neutron >= 23.0.0.0b2.

[1] 670cc383e0

Related-Bug: #2019097
Change-Id: I60ad379f9fc94919581f461fd6a731cfe4baba30
2023-05-23 05:37:56 +02:00
Nurmatov Mamatisa 70d3174f8c Use neutron-lib policy rules
Change-Id: Iac29a8dd4888eaaf5ff833d840953a5b92bd56e8
2023-03-09 11:38:53 +03:00
elajkat 9aef6c4e03 [sqlalchemy-20] The Connection.connect() method is considered legacy
Change-Id: I5eaf60426e10c15ac16800ce1962d6690ff80f92
Related-Bug: #2008227
2023-02-24 17:02:17 +01:00
Zuul a88c4922c9 Merge "Add CONTEXT_WRITER to _get_default_fwg_id" 2023-02-16 00:41:02 +00:00
Zuul e18ff58141 Merge "Remove the convert_to functionality" 2023-02-15 12:07:11 +00:00
elajkat 054275813e Add CONTEXT_WRITER to _get_default_fwg_id
Change-Id: I8cc90dc564e9d4fb5637216619ea972bf9a4c417
Closes-Bug: #2006683
2023-02-15 11:52:41 +01:00
elajkat fc5531e978 Add get_firewall_groups_count method
In some logs before other SqlAlchemy tracebacks the missing of
this method is reported.

Change-Id: I36b2083ab3432080857d8ce97ea96f9b5acc87fe
Related-Bug: #2006683
2023-02-10 15:49:30 +01:00
elajkat 553e6b6411 Adopt to latest VlanManager and oslo.db changes
The work for making routed networks work with multiple segments per
host, introduced new signature for VlanManager.get, requesting
segmentation_id, make neutron-fwaas code compatible with it.

With oslo.db 12.1.0 some unit tests started to fail, with using the
CONTEXT_R/W session we can fix it.

Adopt dsvm-functional target name as [0] changed in Neutron, so the new
name of the target is dsvm-functional-gate.

[0]: https://review.opendev.org/c/openstack/neutron/+/856262

Change-Id: Ie7459974f6f2358c8d9c37e66aa9cda530ecefc0
Related-Bug: #1956435
Related-Bug: #1764738
2022-09-09 17:10:00 +02:00
yatinkarel 8233224338 Use ovs constants from neutron-lib
ovs constants are being dropped from neutron repo[1] as
those are available in neutron-lib since 2.19.0.
This patch updates minimum required version of neutron-lib
and switch to use ovs_constants from neutron-lib.

[1] https://review.opendev.org/c/openstack/neutron/+/797121
[2] https://review.opendev.org/c/openstack/neutron-lib/+/822131

Change-Id: Ida899e6fc709d3a946934e3ad5e20499380189de
2022-08-09 11:20:03 +05:30
zhangtongjian b126f4224a Remove usage of six
Remove six-library. Replace the following items with Python 3 style code.
- six.six.add_metaclass
- six.PY2
- requirement.txt

Change-Id: Ib87394e41cdba7fc57e6ae6ed08ba1f84465441e
2022-07-27 12:46:16 +00:00
zhouhenglc d19b3c3717 Remove the convert_to functionality
'convert_to_string' has been added to neutron-lib and apply for
firewall-rule[1], we can remove in neutron-fwaas.

[1] https://review.opendev.org/c/openstack/neutron-lib/+/486133

Change-Id: I73a92dee952654bffa20620ede134acb5b28f95d
2022-06-03 14:49:28 +08:00
zhangtongjian e4555733d4 Remove usage of six
Remove six-library. Replace the following items with Python 3 style code.
- six.iteritems
- six.string_types

Change-Id: I102520d28c9189a38cd1760b040eecdd4046b16f
2022-06-03 14:35:43 +08:00
elajkat b7be99c147 Remove "distutils" library
Library "distutils" will be marked as deprecated in Python 3.10:
https://peps.python.org/pep-0386/

This patch does the following replacements, that provide the same
functionality and API:
- distutils.spawn.find_executable -> shutil.which

Change-Id: Ib9cf36a70b6e5aba93f87e6be5c2636599166de2
Closes-Bug: #1973780
2022-05-24 11:23:35 +02:00
zhouhenglc ba0a036469 Add the corresponding DB context to all SQL transactions
Neutron code migrated to SQLAlchemy 2.0[1], the goal of this
patch is to make the fwaas plugin code compliant with
SQLAlchemy 2.0.

[1] https://review.opendev.org/c/openstack/neutron/+/833247

Related-Bug: #1964575

Change-Id: If3e996740d4b5024e9c798227d0a58ceb09eb1d6
2022-05-23 08:37:01 +08:00
Nguyen Thanh Cong 147116b7b1 Fix error when apply rule with dst port large than src port
When applying a firewall group to a port with a rule that has a dest port larger than
the source port, neutron-openvswitch-agent raises the error 'port_max' is smaller
than 'port_min'. This is because the key 'port_range_max' is assigned by
source_port_range_max. Fix the hard-coded 'port_range_max' to key_max.

Change-Id: I32d9efd857932547a13d275b8a4f294e03fe7535
Closes-Bug: #1869121
2022-05-05 02:04:29 +00:00
shanyunfan33 179019f82e remove unicode from code
remove unicode from code

Change-Id: I3e32aea0439f68e48c6ff178c50e8a91ac5415e4
2022-05-04 23:36:42 +00:00
maliangyi de8a4d4cfb Replace tearDown with addCleanup.
All setUp and tearDown methods must upcall using the super()
method. tearDown methods should be avoided and addCleanup calls
should be preferred[1].

[1] https://github.com/openstack/neutron/blob/master/HACKING.rst

Change-Id: Idef345a44cc9f926c61af342729736d1f9245036
2022-03-21 02:59:36 +00:00
ZhouHeng a9f26b81e2 revive neutron-fwaas project
This reverts commit caae7b6a6f.

Reason for revert:
Many users still need L3 firewalls and Inspur team wants to maintain
this project.
Neutron drivers team discussed the topic of the maintenance of
neutron-fwaas, and agreed to include neutron-fwaas again to Neutron
stadium[1].

Some updates have been made:
Remove use "autonested_transaction" method, see more [2]
Replace "neutron_lib.callbacks.registry.notify" with "registry.publish"
Replace rootwrap execution with privsep context execution.
Ensure db Models and migration scripts are sync, set table
firewall_group_port_associations_v2's two columns nullable=False

[1] https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-01-28-14.00.log.html#l-14
[2] https://review.opendev.org/c/openstack/neutron-lib/+/761728

Change-Id: I14f551c199d9badcf25b9e65c954c012326d27cd
2022-03-01 01:01:47 +00:00
Slawek Kaplonski caae7b6a6f Retire neutron-fwaas project
Governance change is proposed at [1] and project config patch is
proposed at [2]

[1] https://review.opendev.org/735828
[2] https://review.opendev.org/#/c/735812/

Change-Id: I561504160e5548c54d1af31821c3366ab34cf0ec
2020-06-16 12:38:31 +02:00
OpenStack Proposal Bot 94c0d54ded Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Ifee70c64b57e39214980781ad0d64e7ecdf70eb1
2020-04-16 06:42:10 +00:00
zhanghao 330e233a40 Remove fwaas_v1 extensions
There are still related extensions of fwaas_v1 in
neutron-fwaas, it is necessary to remove them because
the fwaas_v1 code has been removed in the Stein cycle[1].

[1] https://review.opendev.org/#/c/616410/
Needed-By: https://review.opendev.org/#/c/692068/
Change-Id: I26d23c74123302ef167bd621acdafd9e0e02c6a0
Closes-bug: #1850602
2019-11-04 08:04:31 -05:00
qinhaizhong01 2b662f05e1 Remove unused import statement.
Change-Id: I2a35a23d02ff08ec4e7fa2396f9a6bedfd01e30f
2019-10-09 21:36:31 -04:00
Zuul c016427672 Merge "Add format string configuration for FWaaS v2 logging" 2019-10-08 10:42:42 +00:00
Yang Youseok 578b12f35e Add 'none' to L3AgentExtensionAPI due to API changes
L3AgentExtensionAPI now takes the new parameter 'router_factory'.
This API change breaks the test cases, so pass None to initialize
the class to avoid the failure.

Depends-On: https://review.openstack.org/#/c/620349/
Change-Id: Iaf3a8071eb6eec8c0c7240d1a0a5d057f7b152d2
2019-09-22 12:05:36 +00:00
Zuul 679bfb772d Merge "Ignore fwg which has no ports when restarting l3-agent" 2019-09-16 09:25:51 +00:00
Zuul 3c9d294471 Merge "Default firewall group rules from configuration file" 2019-09-12 17:22:07 +00:00
David Homolka f28c59df2b Default firewall group rules from configuration file
Add new options to neutron_fwaas.conf for using in Default firewall group
rules. Separate ingress and egress: action, source ipv4, source ipv6,
source port, destination ipv4, destination ipv6, destination port.
Shared options for ingress and egress: protocol, enabled and shared.

New options are used in _create_default_firewall_rules and default
value are same as before this change, ingress (deny all),
egress (allow all).

Change-Id: Ic48872f3b7dfd4a87065799b7d3656de3d06e4c3
Closes-Bug: #1799358
2019-09-11 11:07:59 +02:00
Zuul 070068941b Merge "Complete move of neutron-fwaas tempest tests to tempest plugin" 2019-08-19 10:26:46 +00:00
Nate Johnston 77e462428e Complete move of neutron-fwaas tempest tests to tempest plugin
As discussed in the neutron_ci meeting [1] the QA team would like to
move the tempest tests for the stadium projects from their repos to
repos specific to being tempest plugins. This is the second part of a two
stage move, by removing the tempest tests that were copied to the
neutron-tempest-plugin repo [2].

[1] http://eavesdrop.openstack.org/meetings/neutron_ci/2019/neutron_ci.2019-03-12-16.01.log.html#l-94
[2] https://etherpad.openstack.org/p/neutron_stadium_move_to_tempest_plugin_repo

Change-Id: If97f3fd7d105f12b69d41017de2d2ed4192ac223
2019-08-16 08:02:44 +00:00
zhanghao2 a7e85121f7 Ignore fwg which has no ports when restarting l3-agent
When restarting l3 agent, it will detect whether the
router is updated. If the port in the firewall group is
not updated, it will also change its status. This patch
skips updating the status of firewall group which has no ports.

Change-Id: Ife294430409a9fb2944917a28a08323f41c89c0d
Closes-Bug: #1783327
2019-07-30 10:01:15 -04:00
zhanghao2 3817119959 Fix bug when updating policy in firewall group
When updating only the policy in firewall group, the 'del-port-ids'
and 'add-port-ids' return empty list, which causes the fwg status
to be inactive and iptables in the router namespace are not changed.
This patch fixes the above problem.

Change-Id: I1a4bc0a8258fbbc340825cccb6d287c94304d3c5
Closes-Bug: #1836015
2019-07-23 06:31:53 -04:00
zhanghao2 e3c25d69b5 Add format string configuration for FWaaS v2 logging
If 'local_output_log_base' is specified, logging can use the
'logging_default_format_string' configuration in l3_agent.ini
like ovs firewall log. It can also set the log level based on
whether debug is enabled.

Change-Id: I7f10361b41acf58987399ea9e0c5720a9129a39b
2019-07-18 09:29:33 -04:00
zhanghao2 90a2707ccf Fix bug when removing a port from the firewall group
When removing a port from the firewall group, the last port is detected as
true or false based on the old port and the new port, but it ignores the
specific number of ports, which causes the fwg status to be inactive regardless
of whether there is a port after the firewall group is reset.

Change-Id: I887e06893f3e11031548767272e95afee40462d8
Closes-Bug: #1817455
2019-07-12 07:30:19 -04:00
Slawek Kaplonski d3efc3ed55 Fix list_entries for netlink_lib when running on py3
As privsep communicates with main process via socket, data passed
through this socket must be string type in Python 3. This patch
converts bytes to string, then privsep works correctly.

Change-Id: Ia6fa9a230853311849e327029ef7f0ad7d5d0451
2019-07-08 23:19:35 +02:00
Slawek Kaplonski 1ad1f78568 Fix sorting of filter rules in legacy_conntrack module
Rule tuples used there may sometimes contain None as elements.
In such a case, if None and str values are compared in Python 3,
a TypeError exception is raised.
This patch fixes it by using a helper function which replaces
None values with an empty string before the list of tuples is sorted.

Change-Id: I3212851ce34047772c4f837631f519d656d366a7
2019-06-27 06:36:55 +00:00
Zuul cb075b40b1 Merge "Fix removing non-last port from the group" 2019-06-24 13:07:49 +00:00
Adit Sarfaty fbea371e65 Fix removing non-last port from the group
When a firewall group has few ports, and some of those are removed
the status of the firewall group should not become INACTIVE

Change-Id: Ie3c0538ca31af9abb1b8c1cc5e4f6c3df9b16a1c
Closes-Bug: #1832450
2019-06-12 11:18:39 +03:00