L3 Conntrack Helper Extension

Introduces a new API extension exposing the ``conntrack_helpers``
field in the Router response. The extension requires the
``router`` and ``conntrack_helper`` service plugins.

Related-Bug: #1823633
Change-Id: I55d659c47f3e9a65af78509fbd63416373a501f3
Harald Jensås 2019-04-04 02:12:34 +02:00
parent 3fd0a3c4d7
commit c6b907a2cf
21 changed files with 646 additions and 5 deletions


@ -26,6 +26,7 @@ Layer 2 Networking
Layer 3 Networking
##################
.. include:: address-scopes.inc
.. include:: l3-conntrack-helper.inc
.. include:: floatingips.inc
.. include:: floatingippools.inc
.. include:: fip-port-forwarding.inc


@ -0,0 +1,212 @@
.. -*- rst -*-
==========================================
Routers Conntrack Helper (CT) target rules
==========================================
Lists, creates, shows details for, updates, and deletes router conntrack helper
(CT) target rules.
Show conntrack helper
=====================
.. rest_method:: GET /v2.0/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
Shows information for a router conntrack helper.
Use the ``fields`` query parameter to control which fields are returned in the response body.
For information, see `Filtering and Column Selection <https://wiki.openstack.org/wiki/Neutron/APIv2
-specification#Filtering_and_Column_Selection>`__.
Normal response codes: 200
Error response codes: 400, 404
Request
-------
.. rest_parameters:: parameters.yaml
- router_id: router_id
- conntrack_helper_id: conntrack_helper_id-path
- fields: fields
Response Parameters
-------------------
.. rest_parameters:: parameters.yaml
- conntrack_helper: conntrack_helper
- helper: conntrack_helper_helper-body
- id: conntrack_helper_id-body
- protocol: conntrack_helper_protocol-body
- port: conntrack_helper_port-body
Response Example
----------------
.. literalinclude:: samples/conntrack_helpers/conntrack-helper-show-response.json
:language: javascript
Update a conntrack helper
=========================
.. rest_method:: PUT /v2.0/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
Updates a router conntrack helper.
Normal response codes: 200
Error response codes: 400, 404
Request
-------
.. rest_parameters:: parameters.yaml
- router_id: router_id
- conntrack_helper_id: conntrack_helper_id-path
- helper: conntrack_helper_helper-update
- protocol: conntrack_helper_protocol-update
- port: conntrack_helper_port-update
Request Example
---------------
.. literalinclude:: samples/conntrack_helpers/conntrack-helper-update-request.json
:language: javascript
Response Parameters
-------------------
.. rest_parameters:: parameters.yaml
- conntrack_helper: conntrack_helper
- id: conntrack_helper_id-body
- helper: conntrack_helper_helper-body
- protocol: conntrack_helper_protocol-body
- port: conntrack_helper_port-body
Response Example
----------------
.. literalinclude:: samples/conntrack_helpers/conntrack-helper-update-response.json
:language: javascript
Delete a conntrack helper
=========================
.. rest_method:: DELETE /v2.0/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
Deletes a router conntrack helper.
Normal response codes: 204
Error response codes: 404
Request
-------
.. rest_parameters:: parameters.yaml
- router_id: router_id
- conntrack_helper_id: conntrack_helper_id-path
Response
--------
There is no body content for the response of a successful DELETE request.
List router conntrack helpers
=============================
.. rest_method:: GET /v2.0/routers/{router_id}/conntrack_helpers
Lists router conntrack helpers associated with a router.
Use the ``fields`` query parameter to control which fields are returned in the response body.
Additionally, you can filter results by using query string parameters.
For information, see `Filtering and Column Selection <https://wiki.openstack.org/wiki/Neutron/APIv2
-specification#Filtering_and_Column_Selection>`__.
Normal response codes: 200
Error response codes: 400, 404
Request
-------
.. rest_parameters:: parameters.yaml
- router_id: router_id
- id: id-query
- helper: conntrack_helper_helper-query
- protocol: conntrack_helper_protocol-query
- port: conntrack_helper_port-query
- sort_key: conntrack_helper-sort_key
- sort_dir: sort_dir
- fields: fields
Response Parameters
-------------------
.. rest_parameters:: parameters.yaml
- conntrack_helpers: conntrack_helpers
- id: conntrack_helper_id-body
- helper: conntrack_helper_helper-body
- protocol: conntrack_helper_protocol-body
- port: conntrack_helper_port-body
Response Example
----------------
.. literalinclude:: samples/conntrack_helpers/conntrack-helper-list-response.json
:language: javascript
Create conntrack helper
=======================
.. rest_method:: POST /v2.0/routers/{router_id}/conntrack_helpers
Creates a router conntrack helper.
Normal response codes: 201
Error response codes: 400, 404
Request
-------
.. rest_parameters:: parameters.yaml
- conntrack_helper: conntrack_helper
- router_id: router_id
- helper: conntrack_helper_helper-body
- protocol: conntrack_helper_protocol-body
- port: conntrack_helper_port-body
Request Example
---------------
.. literalinclude:: samples/conntrack_helpers/conntrack-helper-create-request.json
:language: javascript
Response Parameters
-------------------
.. rest_parameters:: parameters.yaml
- conntrack_helper: conntrack_helper
- id: conntrack_helper_id-body
- helper: conntrack_helper_helper-body
- protocol: conntrack_helper_protocol-body
- port: conntrack_helper_port-body
Response Example
----------------
.. literalinclude:: samples/conntrack_helpers/conntrack-helper-create-response.json
:language: javascript
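Review bot: the Update request parameter table (`- router_id`, `- conntrack_helper_id`, `- helper: conntrack_helper_helper-update`, ...) omits the `conntrack_helper` body wrapper that the Create request table lists and that the update request sample uses; add `- conntrack_helper: conntrack_helper` before `- helper`. In the Create request table, list the path parameter `- router_id: router_id` before the body parameters, as the other sections do.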


@ -43,6 +43,12 @@ connection_id-path:
in: path
required: true
type: string
conntrack_helper_id-path:
description: |
The ID of the conntrack helper.
in: path
required: true
type: string
dscp_rule_id:
description: |
The ID of the DSCP rule.
@ -401,6 +407,36 @@ cidr-query:
in: query
required: false
type: string
conntrack_helper-sort_key:
description: |
Sorts by a conntrack helper ID attribute. You can specify multiple pairs of
sort key and sort direction query parameters. The sort keys are limited to:
- ``id``
- ``helper``
- ``port``
- ``protocol``
in: query
required: false
type: string
conntrack_helper_helper-query:
description: |
Filter the list result by the used helper.
in: query
required: false
type: string
conntrack_helper_port-query:
description: |
Filter the list result by the used port.
in: query
required: false
type: integer
conntrack_helper_protocol-query:
description: |
Filter the list result by the used protocol.
in: query
required: false
type: string
default_prefixlen-query:
description: |
Filter the subnet pool list result by the size of the prefix to allocate
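Review bot: the `conntrack_helper-sort_key` description says "Sorts by a conntrack helper ID attribute", but the keys listed are `id`, `helper`, `port` and `protocol`; reword it to "Sorts by a conntrack helper attribute."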
@ -2051,6 +2087,60 @@ connection_limit-response:
in: body
required: true
type: integer
conntrack_helper:
description: |
A router ``conntrack helper`` object.
in: body
required: true
type: object
conntrack_helper_helper-body:
description: |
The netfilter conntrack helper module.
in: body
required: true
type: string
conntrack_helper_helper-update:
description: |
The netfilter conntrack helper module.
in: body
required: false
type: string
conntrack_helper_id-body:
description: |
The ID of the conntrack helper.
in: body
required: true
type: string
conntrack_helper_port-body:
description: |
The network port for the netfilter conntrack target rule.
in: body
required: true
type: integer
conntrack_helper_port-update:
description: |
The network port for the netfilter conntrack target rule.
in: body
required: false
type: integer
conntrack_helper_protocol-body:
description: |
The network protocol for the netfilter conntrack target rule.
in: body
required: true
type: string
conntrack_helper_protocol-update:
description: |
The network protocol for the netfilter conntrack target rule.
in: body
required: false
type: string
conntrack_helpers:
description: |
A list of ``router conntrack helpers`` objects.
in: body
required: true
type: array
created_at_resource:
description: |
Time at which the resource has been created (in UTC ISO8601 format).
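Review bot: `conntrack_helper_port-body` and `conntrack_helper_protocol-body` (and their `-update` twins) should state what the API accepts, since the definition validates `port` against the range 1 to 65535 and `protocol` against a fixed value list; a reader of the API reference currently cannot tell which values are valid. Also, the `conntrack_helpers` description reads better as "A list of router ``conntrack helper`` objects."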
@ -5305,6 +5395,16 @@ router-availability_zones:
in: body
required: true
type: array
router-conntrack_helpers:
description: |
The associated conntrack helper resources for the roter. If the
router has multiple conntrack helper resources, this field has
multiple entries. Each entry consists of netfilter conntrack helper
(``helper``), the network protocol (``protocol``), the network port
(``port``).
in: body
required: true
type: array
router-destination:
description: |
The destination CIDR.
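Review bot: typo in the `router-conntrack_helpers` description: "roter" should be "router". The sentence also needs "and" before the last item: "... the network protocol (``protocol``), and the network port (``port``)".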


@ -75,6 +75,13 @@ The ``standard-attr-tag`` adds Tag support for resources with
standard attributes by adding the ``tags`` attribute
allowing consumers to associate tags with resources.
L3 conntrack helpers extension (``expose-l3-conntrack-helper``)
===============================================================
The router conntrack helper extension (``expose-l3-conntrack-helper``) adds the
``conntrack_helpers`` field to routers, allowing configurable netfilter CT
target rules for ``routers``.
List routers
============
@ -144,6 +151,7 @@ Response Parameters
- created_at: created_at_resource
- updated_at: updated_at_resource
- tags: tags
- conntrack_helpers: router-conntrack_helpers
Response Example
----------------
@ -223,6 +231,7 @@ Response Parameters
- created_at: created_at_resource
- updated_at: updated_at_resource
- tags: tags
- conntrack_helpers: router-conntrack_helpers
Response Example
----------------
@ -282,6 +291,7 @@ Response Parameters
- created_at: created_at_resource
- updated_at: updated_at_resource
- tags: tags
- conntrack_helpers: router-conntrack_helpers
Response Example
----------------
@ -352,6 +362,7 @@ Response Parameters
- created_at: created_at_resource
- updated_at: updated_at_resource
- tags: tags
- conntrack_helpers: router-conntrack_helpers
Response Example
----------------


@ -0,0 +1,7 @@
{
"conntrack_helper": {
"protocol": "udp",
"port": 2121,
"helper": "ftp"
}
}
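Review bot: the create request sample pairs `"helper": "ftp"` with `"protocol": "udp"` and `"port": 2121`, while the create response sample returns `tcp`/21 for the same helper; the FTP conntrack helper tracks the TCP control connection, so the request should use `"protocol": "tcp"`, and the response sample should echo whatever the request sent.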


@ -0,0 +1,8 @@
{
"conntrack_helper": {
"protocol": "tcp",
"id": "32925de7-580e-4ca9-bfd7-c2c2cefbd2ad",
"helper": "ftp",
"port": 21
}
}


@ -0,0 +1,16 @@
{
"conntrack_helpers": [
{
"protocol": "udp",
"id": "2fc1eebb-e0fa-4c40-868a-7ace444717e1",
"helper": "tftp",
"port": 6969
},
{
"protocol": "tcp",
"id": "ee7c890f-44fa-443d-9326-8574c1c3e5e1",
"helper": "ftp",
"port": 21
}
]
}


@ -0,0 +1,8 @@
{
"conntrack_helper": {
"protocol": "tcp",
"id": "2fc1eebb-e0fa-4c40-868a-7ace444717e1",
"helper": "ftp",
"port": 21
}
}


@ -0,0 +1,7 @@
{
"conntrack_helper": {
"helper": "tftp",
"protocol": "udp",
"port": 69
}
}


@ -0,0 +1,8 @@
{
"conntrack_helper": {
"protocol": "udp",
"id": "2fc1eebb-e0fa-4c40-868a-7ace444717e1",
"helper": "tftp",
"port": 69
}
}


@ -29,6 +29,7 @@
"project_id": "0bd18306d801447bb457a46252d82d13",
"tenant_id": "0bd18306d801447bb457a46252d82d13",
"service_type_id": null,
"tags": ["tag1,tag2"]
"tags": ["tag1,tag2"],
"conntrack_helpers": []
}
}


@ -38,6 +38,7 @@
"project_id": "0bd18306d801447bb457a46252d82d13",
"tenant_id": "0bd18306d801447bb457a46252d82d13",
"service_type_id": null,
"tags": ["tag1,tag2"]
"tags": ["tag1,tag2"],
"conntrack_helpers": []
}
}


@ -34,6 +34,7 @@
"project_id": "0bd18306d801447bb457a46252d82d13",
"tenant_id": "0bd18306d801447bb457a46252d82d13",
"service_type_id": null,
"tags": ["tag1,tag2"]
"tags": ["tag1,tag2"],
"conntrack_helpers": []
}
}


@ -39,7 +39,19 @@
"project_id": "0bd18306d801447bb457a46252d82d13",
"tenant_id": "0bd18306d801447bb457a46252d82d13",
"service_type_id": null,
"tags": ["tag1,tag2"]
"tags": ["tag1,tag2"],
"conntrack_helpers": [
{
"protocol": "udp",
"helper": "tftp",
"port": 69
},
{
"protocol": "tcp",
"helper": "ftp",
"port": 21
}
]
},
{
"admin_state_up": true,
@ -75,7 +87,19 @@
"project_id": "0bd18306d801447bb457a46252d82d13",
"tenant_id": "0bd18306d801447bb457a46252d82d13",
"service_type_id": null,
"tags": ["tag1,tag2"]
"tags": ["tag1,tag2"],
"conntrack_helpers": [
{
"protocol": "udp",
"helper": "tftp",
"port": 69
},
{
"protocol": "tcp",
"helper": "ftp",
"port": 21
}
]
}
]
}


@ -31,6 +31,7 @@ from neutron_lib.api.definitions import dns
from neutron_lib.api.definitions import dns_domain_ports
from neutron_lib.api.definitions import dvr
from neutron_lib.api.definitions import empty_string_filtering
from neutron_lib.api.definitions import expose_l3_conntrack_helper
from neutron_lib.api.definitions import expose_port_forwarding_in_fip
from neutron_lib.api.definitions import external_net
from neutron_lib.api.definitions import extra_dhcp_opt
@ -51,6 +52,7 @@ from neutron_lib.api.definitions import ip_allocation
from neutron_lib.api.definitions import ip_substring_port_filtering
from neutron_lib.api.definitions import l2_adjacency
from neutron_lib.api.definitions import l3
from neutron_lib.api.definitions import l3_conntrack_helper
from neutron_lib.api.definitions import l3_ext_gw_mode
from neutron_lib.api.definitions import l3_ext_ha_mode
from neutron_lib.api.definitions import l3_flavors
@ -133,6 +135,7 @@ _ALL_API_DEFINITIONS = {
dns_domain_ports,
dvr,
empty_string_filtering,
expose_l3_conntrack_helper,
expose_port_forwarding_in_fip,
external_net,
extra_dhcp_opt,
@ -153,6 +156,7 @@ _ALL_API_DEFINITIONS = {
l2_adjacency,
flowclassifier,
l3,
l3_conntrack_helper,
l3_ext_gw_mode,
l3_ext_ha_mode,
l3_flavors,


@ -91,6 +91,7 @@ KNOWN_EXTENSIONS = (
'dns-integration',
'dvr',
'empty-string-filtering',
'expose-l3-conntrack-helper',
'expose-port-forwarding-in-fip',
'ext-gw-mode',
'external-net',
@ -103,6 +104,7 @@ KNOWN_EXTENSIONS = (
'floatingip-autodelete-internal',
'floatingip-pools',
'ip-substring-filtering',
'l3-conntrack-helper',
'l3-ha',
'l3_agent_scheduler',
'l3-port-ip-change-not-allowed',


@ -0,0 +1,42 @@
# Copyright (c) 2019 OpenStack Foundation
# All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from neutron_lib.api.definitions import l3
from neutron_lib.api.definitions import l3_conntrack_helper
ALIAS = "expose-l3-conntrack-helper"
IS_SHIM_EXTENSION = False
IS_STANDARD_ATTR_EXTENSION = False
NAME = 'Expose CT target rules for conntrack helper'
API_PREFIX = ''
DESCRIPTION = 'Expose allow adding CT target rules for conntrack helper'
UPDATED_TIMESTAMP = '2019-04-04T10:00:00-00:00'
RESOURCE_NAME = l3.ROUTER
COLLECTION_NAME = l3.ROUTERS
RESOURCE_ATTRIBUTE_MAP = {
COLLECTION_NAME: {
l3_conntrack_helper.COLLECTION_NAME: {
'allow_post': False,
'allow_put': False,
'is_visible': True,
'default': None
}
}
}
SUB_RESOURCE_ATTRIBUTE_MAP = {}
ACTION_MAP = {}
REQUIRED_EXTENSIONS = [l3.ALIAS, l3_conntrack_helper.ALIAS]
OPTIONAL_EXTENSIONS = []
ACTION_STATUS = {}
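Review bot: `DESCRIPTION = 'Expose allow adding CT target rules for conntrack helper'` is not a sentence; suggest "Expose conntrack helper CT target rules in the router response", in line with `NAME`.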


@ -0,0 +1,127 @@
# Copyright (c) 2019 OpenStack Foundation
# All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from neutron_lib.api import converters
from neutron_lib.api.definitions import l3
from neutron_lib.api import validators
from neutron_lib import constants
from neutron_lib.db import constants as db_const
PROTOCOLS = constants.IPTABLES_PROTOCOL_MAP.keys()
# The alias of the extension.
ALIAS = 'l3-conntrack-helper'
# Whether or not this extension is simply signaling behavior to the user
# or it actively modifies the attribute map.
IS_SHIM_EXTENSION = False
# Whether the extension is marking the adoption of standardattr model for
# legacy resources, or introducing new standardattr attributes. False or
# None if the standardattr model is adopted since the introduction of
# resource extension.
# If this is True, the alias for the extension should be prefixed with
# 'standard-attr-'.
IS_STANDARD_ATTR_EXTENSION = False
# The name of the extension.
NAME = 'L3 Conntrack helper'
# A prefix for API resources. An empty prefix means that the API is going
# to be exposed at the v2/ level as any other core resource.
API_PREFIX = '/' + l3.ROUTERS
# The description of the extension.
DESCRIPTION = "Allow adding CT target rules for conntrack helper"
# A timestamp of when the extension was introduced.
UPDATED_TIMESTAMP = "2019-04-04T10:00:00-00:00"
# The name of the resource.
RESOURCE_NAME = 'conntrack_helper'
# The plural for the resource.
COLLECTION_NAME = 'conntrack_helpers'
# parent
PARENT_RESOURCE_NAME = l3.ROUTER
PARENT_COLLECTION_NAME = l3.ROUTERS
ID = 'id'
PROJECT_ID = 'project_id'
PROTOCOL = 'protocol'
PORT = 'port'
HELPER = 'helper'
RESOURCE_ATTRIBUTE_MAP = {}
# The subresource attribute map for the extension. It adds child resources
# to main extension's resource. The subresource map must have a parent and
# a parameters entry. If an extension does not need such a map, None can
# be specified (mandatory).
SUB_RESOURCE_ATTRIBUTE_MAP = {
COLLECTION_NAME: {
'parent': {'collection_name': PARENT_COLLECTION_NAME,
'member_name': PARENT_RESOURCE_NAME},
'parameters': {
ID: {'allow_post': False,
'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True,
'primary_key': True,
'is_sort_key': True,
'is_filter': True},
PROJECT_ID: {'allow_post': True,
'allow_put': False,
'validate': {
'type:string': db_const.PROJECT_ID_FIELD_SIZE},
'required_by_policy': True,
'is_visible': False},
PROTOCOL: {'allow_post': True, 'allow_put': True,
'validate': {'type:values': PROTOCOLS},
'is_visible': True,
'convert_to': converters.convert_to_protocol,
'is_sort_key': True,
'is_filter': True},
PORT: {'allow_post': True, 'allow_put': True,
'convert_to': converters.convert_to_int,
'validate': {'type:range': [1, 65535]},
'is_visible': True,
'is_sort_key': True,
'is_filter': True},
HELPER: {'allow_post': True, 'allow_put': True,
'convert_to': converters.convert_to_string,
'validate': {'type:string': validators.validate_string},
'is_visible': True,
'is_sort_key': True,
'is_filter': True},
}
}
}
# The action map: it associates verbs with methods to be performed on
# the API resource.
ACTION_MAP = {
}
# The action status.
ACTION_STATUS = {
}
# The list of required extensions.
REQUIRED_EXTENSIONS = [l3.ALIAS]
# The list of optional extensions.
OPTIONAL_EXTENSIONS = [
]
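Review bot: `'validate': {'type:string': validators.validate_string}` for `HELPER` passes the validator function itself where `type:string` expects a maximum length (compare `'type:string': db_const.PROJECT_ID_FIELD_SIZE` for `PROJECT_ID`); the validator receives the function as its `max_len` argument, so the length check cannot work as intended and on Python 3 the comparison errors instead of rejecting a bad value. Use an integer length limit, and since `helper` names a netfilter module that ends up in a router's CT target rule, consider validating it against an explicit list of supported helper names with `type:values`, as is done for `PROTOCOL`, rather than accepting any string.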


@ -0,0 +1,24 @@
# Copyright (c) 2019 OpenStack Foundation
# All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from neutron_lib.api.definitions import expose_l3_conntrack_helper
from neutron_lib.api.definitions import l3_conntrack_helper
from neutron_lib.tests.unit.api.definitions import base
class ExposeL3ConntrackHelperDefinitionTestCase(base.DefinitionBaseTestCase):
extension_module = expose_l3_conntrack_helper
extension_resources = (expose_l3_conntrack_helper.COLLECTION_NAME,)
extension_attributes = (l3_conntrack_helper.COLLECTION_NAME,)


@ -0,0 +1,28 @@
# Copyright (c) 2019 OpenStack Foundation
# All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from neutron_lib.api.definitions import l3_conntrack_helper
from neutron_lib.tests.unit.api.definitions import base
class ConntrackHelperDefinitionTestCase(base.DefinitionBaseTestCase):
extension_module = l3_conntrack_helper
extension_resources = (l3_conntrack_helper.PARENT_COLLECTION_NAME,)
extension_attributes = (l3_conntrack_helper.ID,
l3_conntrack_helper.PROTOCOL,
l3_conntrack_helper.PORT,
l3_conntrack_helper.HELPER,
l3_conntrack_helper.PROJECT_ID)
extension_subresources = (l3_conntrack_helper.COLLECTION_NAME,)


@ -0,0 +1,9 @@
---
features:
- |
The ``l3-conntrack-helper`` API definition for ``Router`` is introduced,
which allows conntrack helper target rules to be set for a ``Router``.
- |
Introduced ``expose-l3-conntrack-helper`` API extension for exposing
``conntrack_helpers`` field in ``Router`` API response. This extension
requires the ``router`` and ``conntrack_helper`` service plugins.
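Review bot: wording in the second note: "Introduced the ``expose-l3-conntrack-helper`` API extension, which exposes the ``conntrack_helpers`` field in the ``Router`` API response."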