openstack
/
neutron-fwaas
Code Issues Proposed changes

FWaaS v2 utilize L3 Agent Extension framework 

This updates the FWaaS v2 L3 code to move away from an inheritance-based
model and use the new L3 agent extension framework.

This change rolls back [1] which is the inheritance-based model.

[1] https://review.openstack.org/315826

Partial-Implements: blueprint fwaas-api-2.0
Co-Authored-By: Nate Johnston <nate_johnston@cable.comcast.com>
Co-Authored-By: Chandan Dutta Chowdhury <chandanc@juniper.net>
Depends-On: I85f89accbeefd820130335674fd56cb54f1449de

Change-Id: Ib29b96e73d09530cbf627a98180fb1a591e42e3f
This commit is contained in:
Margaret Frances 2016-08-15 13:26:30 -04:00 committed by Nate Johnston
parent b09e41243d
commit 6718fd8560
18 changed files with 301 additions and 206 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
devstack/plugin.sh
View File

@ -35,6 +35,7 @@ function install_fwaas() {
function configure_fwaas() {
neutron_fwaas_configure_driver
iniset_multiline $Q_L3_CONF_FILE AGENT extensions fwaas
}
function init_fwaas() {

0
neutron_fwaas/cmd/__init__.py
View File

0
neutron_fwaas/cmd/eventlet/agents/__init__.py
View File

62
neutron_fwaas/cmd/eventlet/agents/fw.py
View File

@ -1,62 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import sys
from oslo_config import cfg
from oslo_service import service
from neutron.agent.common import config
from neutron.agent.l3 import ha
from neutron.agent.linux import external_process
from neutron.agent.linux import interface
from neutron.agent.linux import pd
from neutron.agent.linux import ra
from neutron.agent.metadata import config as metadata_config
from neutron.common import config as common_config
from neutron.common import topics
from neutron.conf.agent.l3 import config as l3_config
from neutron import service as neutron_service
from neutron_fwaas.services.firewall.agents import firewall_agent_api as fwa
FWAAS_AGENTS = {fwa.FWAAS_V1: ('neutron_fwaas.services.firewall.agents.'
'l3reference.firewall_l3_agent.L3WithFWaaS'),
fwa.FWAAS_V2: ('neutron_fwaas.services.firewall.agents.'
'l3reference.firewall_l3_agent_v2.L3WithFWaaS')}
def register_opts(conf):
conf.register_opts(l3_config.OPTS)
conf.register_opts(metadata_config.DRIVER_OPTS)
conf.register_opts(metadata_config.SHARED_OPTS)
conf.register_opts(ha.OPTS)
config.register_interface_driver_opts_helper(conf)
config.register_agent_state_opts_helper(conf)
conf.register_opts(interface.OPTS)
conf.register_opts(external_process.OPTS)
conf.register_opts(pd.OPTS)
conf.register_opts(ra.OPTS)
config.register_availability_zone_opts_helper(conf)
def main():
register_opts(cfg.CONF)
common_config.init(sys.argv[1:])
config.setup_logging()
manager = FWAAS_AGENTS[cfg.CONF.fwaas.agent_version]
server = neutron_service.Service.create(
binary='neutron-l3-agent',
topic=topics.L3_AGENT,
report_interval=cfg.CONF.AGENT.report_interval,
manager=manager)
service.launch(cfg.CONF, server).wait()

1
neutron_fwaas/common/fwaas_constants.py
View File

@ -16,4 +16,5 @@
# Constants for "topics"
FIREWALL_PLUGIN = 'q-firewall-plugin'
L3_AGENT = 'l3_agent'
FW_AGENT = 'firewall_agent'
FIREWALL_RULE_LIST = 'firewall_rule_list'

6
neutron_fwaas/cmd/eventlet/__init__.py → neutron_fwaas/common/resources.py
View File

@ -10,6 +10,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from neutron.common import eventlet_utils
from neutron_fwaas.db.firewall.v2 import firewall_db_v2
eventlet_utils.monkey_patch()
FIREWALL_GROUP = firewall_db_v2.FirewallGroup
FIREWALL_POLICY = firewall_db_v2.FirewallPolicy
FIREWALL_RULE = firewall_db_v2.FirewallRuleV2

4
neutron_fwaas/extensions/firewall_v2.py
View File

@ -46,6 +46,10 @@ class FirewallGroupInPendingState(nexception.Conflict):
"%(firewall_id)s is in %(pending_state)s.")
class FirewallGroupPortInvalid(nexception.Conflict):
message = _("Firewall Group Port %(port_id)s is invalid")
class FirewallGroupPortInvalidProject(nexception.Conflict):
message = _("Firewall Group %(port_id)s in invalid Project")

115
neutron_fwaas/services/firewall/agents/l3reference/firewall_l3_agent.py
View File

@ -13,8 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from neutron.agent.l3 import agent
from neutron.agent.linux import ip_lib
from neutron.agent.l3 import l3_agent_extension
from neutron.common import rpc as n_rpc
from neutron import context
from neutron.plugins.common import constants as n_const
from oslo_config import cfg
@ -23,12 +23,16 @@ from oslo_log import log as logging
from neutron_fwaas._i18n import _, _LE
from neutron_fwaas.common import fwaas_constants as f_const
from neutron_fwaas.common import resources as f_resources
from neutron_fwaas.extensions import firewall as fw_ext
from neutron_fwaas.services.firewall.agents import firewall_agent_api as api
from neutron_fwaas.services.firewall.agents import firewall_service
LOG = logging.getLogger(__name__)
#TODO(njohnston): There needs to be some extrapolation of the common code
# between this module and firewall_l3_agent_v2.py.
class FWaaSL3PluginApi(api.FWaaSPluginApiMixin):
"""Agent side of the FWaaS agent to FWaaS Plugin RPC API."""
@ -49,14 +53,39 @@ class FWaaSL3PluginApi(api.FWaaSPluginApiMixin):
'get_tenants_with_firewalls', host=self.host)
class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
class FWaaSL3AgentExtension(l3_agent_extension.L3AgentCoreResourceExtension):
"""FWaaS Agent support to be used by Neutron L3 agent."""
SUPPORTED_RESOURCE_TYPES = [f_resources.FIREWALL_GROUP,
f_resources.FIREWALL_POLICY,
f_resources.FIREWALL_RULE]
def initialize(self, connection, driver_type):
self._register_rpc_consumers(connection)
def consume_api(self, agent_api):
LOG.debug("FWaaS consume_api call occurred with %s" % agent_api)
self.agent_api = agent_api
def _register_rpc_consumers(self, connection):
#TODO(njohnston): Add RPC consumer connection loading here.
pass
def start_rpc_listeners(self, conf):
self.endpoints = [self]
self.conn = n_rpc.create_connection()
self.conn.create_consumer(
f_const.FW_AGENT, self.endpoints, fanout=False)
return self.conn.consume_in_threads()
def __init__(self, host, conf):
LOG.debug("Initializing firewall agent")
self.agent_api = None
self.neutron_service_plugins = None
self.conf = conf
self.fwaas_enabled = cfg.CONF.fwaas.enabled
self.start_rpc_listeners(conf)
# None means l3-agent has no information on the server
# configuration due to the lack of RPC support.
@ -77,8 +106,7 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
self.services_sync_needed = False
# setup RPC to msg fwaas plugin
self.fwplugin_rpc = FWaaSL3PluginApi(f_const.FIREWALL_PLUGIN,
conf.host)
super(FWaaSL3AgentRpcCallback, self).__init__(host=conf.host)
host)
def _has_router_insertion_fields(self, fw):
return 'add-router-ids' in fw
@ -90,36 +118,24 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
return (fw['del-router-ids'] if to_delete
else fw['add-router-ids'])
else:
# we are in a upgrade and msg from older version of plugin
try:
routers = self.plugin_rpc.get_routers(context)
except Exception:
LOG.exception(
_LE("FWaaS RPC failure in _get_router_ids_for_fw "
"for firewall: %(fwid)s"),
{'fwid': fw['id']})
self.services_sync_needed = True
return [
router['id']
for router in routers
if router['tenant_id'] == fw['tenant_id']]
return [router['id'] for router in
self.agent_api.get_routers_in_project(fw['tenant_id'])]
def _get_routers_in_project(self, project_id):
if self.agent_api is None:
LOG.exception(_LE("FWaaS RPC call failed; L3 agent_api failure"))
router_info = self.agent_api._router_info
if project_id:
return [ri for ri in router_info.values()
if ri.router['tenant_id'] == project_id]
else:
return []
def _get_router_info_list_for_tenant(self, router_ids, tenant_id):
"""Returns the list of router info objects on which to apply the fw."""
root_ip = ip_lib.IPWrapper()
local_ns_list = root_ip.get_namespaces()
router_info_list = []
# Pick up namespaces for Tenant Routers
for rid in router_ids:
# for routers without an interface - get_routers returns
# the router - but this is not yet populated in router_info
if rid not in self.router_info:
continue
router_ns = self.router_info[rid].ns_name
if router_ns in local_ns_list:
router_info_list.append(self.router_info[rid])
return router_info_list
return [ri for ri in self._get_routers_in_project(tenant_id)
if ri.router_id in router_ids and
self.agent_api.is_router_in_namespace(ri.router_id)]
def _invoke_driver_for_sync_from_plugin(self, ctx, router_info_list, fw):
"""Invoke the delete driver method for status of PENDING_DELETE and
@ -165,17 +181,17 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
fw['id'],
status)
def _process_router_add(self, ri):
def _process_router_add(self, router):
"""On router add, get fw with rules from plugin and update driver."""
LOG.debug("Process router add, router_id: '%s'", ri.router['id'])
router_ids = ri.router['id']
LOG.debug("Process router add, router_id: '%s'", router['id'])
router_ids = router['id']
router_info_list = self._get_router_info_list_for_tenant(
[router_ids],
ri.router['tenant_id'])
router['tenant_id'])
if router_info_list:
# Get the firewall with rules
# for the tenant the router is on.
ctx = context.Context('', ri.router['tenant_id'])
ctx = context.Context('', router['tenant_id'])
fw_list = self.fwplugin_rpc.get_firewalls_for_tenant(ctx)
for fw in fw_list:
if self._has_router_insertion_fields(fw):
@ -190,7 +206,7 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
# router can be present only on one fw
return
def process_router_add(self, ri):
def add_router(self, context, new_router):
"""On router add, get fw with rules from plugin and update driver.
Handles agent restart, when a router is added, query the plugin to
@ -201,15 +217,26 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
if not self.fwaas_enabled:
return
try:
# TODO(sridar): as per discussion with pc_m, we may want to hook
# this up to the l3 agent observer notification
self._process_router_add(ri)
self._process_router_add(new_router)
except Exception:
LOG.exception(
_LE("FWaaS RPC info call failed for '%s'."),
ri.router['id'])
new_router['id'])
self.services_sync_needed = True
def update_router(self, context, updated_router):
"""The update_router method is just a synonym for add_router"""
self.add_router(context, updated_router)
def delete_router(self, context, new_router):
"""Handles router deletion. There is basically nothing to do for this
in the context of FWaaS with an IPTables driver; the namespace will
already have been deleted, taking the IPTables rules with it.
"""
#TODO(njohnston): When another firewall driver is implemented, look at
# expanding this out so that the driver can handle deletion calls.
pass
def process_services_sync(self, ctx):
if not self.services_sync_needed:
return
@ -403,9 +430,9 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
self.services_sync_needed = True
class L3WithFWaaS(FWaaSL3AgentRpcCallback, agent.L3NATAgentWithStateReport):
class L3WithFWaaS(FWaaSL3AgentExtension):
def __init__(self, host, conf=None):
def __init__(self, conf=None):
if conf:
self.conf = conf
else:

128
neutron_fwaas/services/firewall/agents/l3reference/firewall_l3_agent_v2.py
View File

@ -13,8 +13,9 @@
# License for the specific language governing permissions and limitations
# under the License.
from neutron.agent.l3 import agent
from neutron.agent.l3 import l3_agent_extension
from neutron.agent.linux import ip_lib
from neutron.common import rpc as n_rpc
from neutron import context
from neutron.plugins.common import constants as n_const
from neutron_fwaas.common import fwaas_constants as f_const
@ -23,6 +24,7 @@ from oslo_log import helpers as log_helpers
from oslo_log import log as logging
from neutron_fwaas._i18n import _, _LE
from neutron_fwaas.common import resources as f_resources
from neutron_fwaas.extensions import firewall as fw_ext
from neutron_fwaas.services.firewall.agents import firewall_agent_api as api
from neutron_fwaas.services.firewall.agents import firewall_service
@ -67,15 +69,40 @@ class FWaaSL3PluginApi(api.FWaaSPluginApiMixin):
fwg_id=fwg_id, status=status, host=self.host)
class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
"""FWaaS agent support to be used by neutron's L3 agent."""
class FWaaSL3AgentExtension(l3_agent_extension.L3AgentCoreResourceExtension):
"""FWaaS agent extension."""
SUPPORTED_RESOURCE_TYPES = [f_resources.FIREWALL_GROUP,
f_resources.FIREWALL_POLICY,
f_resources.FIREWALL_RULE]
def initialize(self, connection, driver_type):
self._register_rpc_consumers(connection)
def consume_api(self, agent_api):
LOG.debug("FWaaS consume_api call occurred with %s" % agent_api)
self.agent_api = agent_api
def _register_rpc_consumers(self, connection):
#TODO(njohnston): Add RPC consumer connection loading here.
pass
def start_rpc_listeners(self, host, conf):
self.endpoints = [self]
self.conn = n_rpc.create_connection()
self.conn.create_consumer(
f_const.FW_AGENT, self.endpoints, fanout=False)
return self.conn.consume_in_threads()
def __init__(self, host, conf):
LOG.debug("Initializing firewall group agent")
self.agent_api = None
self.neutron_service_plugins = None
self.conf = conf
self.fwaas_enabled = cfg.CONF.fwaas.enabled
self.start_rpc_listeners(host, conf)
# None means l3-agent has no information on the server
# configuration due to the lack of RPC support.
if self.neutron_service_plugins is not None:
@ -96,7 +123,7 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
self.services_sync_needed = False
self.fwplugin_rpc = FWaaSL3PluginApi(f_const.FIREWALL_PLUGIN,
host)
super(FWaaSL3AgentRpcCallback, self).__init__(host=host)
super(FWaaSL3AgentExtension, self).__init__()
@property
def _local_namespaces(self):
@ -127,7 +154,8 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
else:
fwg_port_ids = firewall_group['add-port-ids']
elif not require_new_plugin:
routers = [self.router_info[rid] for rid in self.router_info]
routers = self.agent_api.get_routers_in_project(
firewall_group['tenant_id'])
for router in routers:
if router.router['tenant_id'] == firewall_group['tenant_id']:
fwg_port_ids.extend([p['id'] for p in
@ -140,21 +168,17 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
"""Returns port objects in the local namespace, along with their
router_info.
"""
in_ns_ports = []
if port_ids:
for router_id in self.router_info:
# For routers without an interface - get_routers returns
# the router - but this is not yet populated in router_info
router_info = self.router_info[router_id]
if router_info.ns_name not in self._local_namespaces:
continue
in_ns_router_port_ids = []
for port in router_info.internal_ports:
if port['id'] in port_ids:
in_ns_router_port_ids.append(port['id'])
if in_ns_router_port_ids:
in_ns_ports.append((router_info, in_ns_router_port_ids))
return in_ns_ports
in_ns_ports = {} # This will be converted to a list later.
if port_ids and self.agent_api:
for port_id in port_ids:
# This fetched router_info is guaranteed to be in_namespace.
router_info = self.agent_api.get_router_hosting_port(port_id)
if router_info:
if router_info in in_ns_ports:
in_ns_ports[router_info].append(port_id)
else:
in_ns_ports[router_info] = [port_id]
return list(in_ns_ports.items())
def _invoke_driver_for_sync_from_plugin(self, ctx, port, firewall_group):
"""Calls the FWaaS driver's delete_firewall_group method if firewall
@ -200,29 +224,27 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
self.fwplugin_rpc.set_firewall_group_status(
ctx, firewall_group['id'], status)
def _process_router_add(self, new_router):
"""If the new router is in the local namespace, queries the plugin to
get the firewall groups for the project in question and then sees if
the router has any ports for any firewall group that is configured
for that project. If so, installs firewall group rules on the
requested ports on this router.
def _process_router_update(self, updated_router):
"""If a new or existing router in the local namespace is updated,
queries the plugin to get the firewall groups for the project in
question and then sees if the router has any ports for any firewall
group that is configured for that project. If so, installs firewall
group rules on the requested ports on this router.
"""
LOG.debug("Process router add, router_id: %s.",
new_router.router['id'])
router_id = new_router.router['id']
if router_id not in self.router_info or \
self.router_info[router_id].ns_name not in \
self._local_namespaces:
LOG.debug("Process router update, router_id: %s tenant: %s.",
updated_router['id'], updated_router['tenant_id'])
router_id = updated_router['id']
if not self.agent_api.is_router_in_namespace(router_id):
return
# Get the firewall groups for the new router's project.
# NOTE: Vernacular move from "tenant" to "project" doesn't yet appear
# as a key in router or firewall group objects.
ctx = context.Context('', new_router.router['tenant_id'])
ctx = context.Context('', updated_router['tenant_id'])
fwg_list = self.fwplugin_rpc.get_firewall_groups_for_project(ctx)
# Apply a firewall group, as requested, to ports on the new router.
for port in new_router.router.internal_ports:
for port in updated_router['_interfaces']:
for firewall_group in fwg_list:
if (self._has_port_insertion_fields(firewall_group) and
(port['id'] in firewall_group['add-port-ids'] or
@ -232,7 +254,7 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
# A port can have at most one firewall group.
break
def process_router_add(self, new_router):
def add_router(self, context, new_router):
"""Handles agent restart and router add. Fetches firewall groups from
plugin and updates driver.
"""
@ -240,12 +262,37 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
return
try:
self._process_router_add(new_router)
self._process_router_update(new_router)
except Exception:
LOG.exception(_LE("FWaaS RPC info call failed for %s"),
new_router.router['id'])
LOG.exception(_LE("FWaaS router add RPC info call failed for %s"),
new_router['id'])
self.services_sync_needed = True
def update_router(self, context, updated_router):
"""Handles agent restart and router add. Fetches firewall groups from
plugin and updates driver.
"""
if not self.fwaas_enabled:
return
try:
self._process_router_update(updated_router)
except Exception:
#TODO(njohnston): This repr should be replaced.
LOG.exception(
_LE("FWaaS router update RPC info call failed for %s"),
repr(updated_router))
self.services_sync_needed = True
def delete_router(self, context, new_router):
"""Handles router deletion. There is basically nothing to do for this
in the context of FWaaS with an IPTables driver; the namespace will
already have been deleted, taking the IPTables rules with it.
"""
#TODO(njohnston): When another firewall driver is implemented, look at
# expanding this out so that the driver can handle deletion calls.
pass
def process_services_sync(self, ctx):
"""Syncs with plugin and applies the sync data.
"""
@ -283,7 +330,6 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
# Get the in-namespace ports to which to add the firewall group.
ports_for_fwg = self._get_firewall_group_ports(context, firewall_group)
if not ports_for_fwg:
return
@ -451,9 +497,9 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
self.services_sync_needed = True
class L3WithFWaaS(FWaaSL3AgentRpcCallback, agent.L3NATAgentWithStateReport):
class L3WithFWaaS(FWaaSL3AgentExtension):
def __init__(self, host, conf=None):
def __init__(self, conf=None):
if conf:
self.conf = conf
else:

30
neutron_fwaas/services/firewall/drivers/fwaas_base.py
View File

@ -59,8 +59,8 @@ class FwaasDriverBase(object):
application of rules. Argument agent_mode indicates the l3 agent in DVR or
DVR_SNAT or LEGACY mode.
"""
@abc.abstractmethod
# TODO(Margaret): Remove the first 3 methods and make the second three
# @abc.abstractmethod
def create_firewall(self, agent_mode, apply_list, firewall):
"""Create the Firewall with default (drop all) policy.
@ -69,7 +69,6 @@ class FwaasDriverBase(object):
"""
pass
@abc.abstractmethod
def delete_firewall(self, agent_mode, apply_list, firewall):
"""Delete firewall.
@ -78,7 +77,6 @@ class FwaasDriverBase(object):
"""
pass
@abc.abstractmethod
def update_firewall(self, agent_mode, apply_list, firewall):
"""Apply the policy on all trusted interfaces.
@ -87,6 +85,30 @@ class FwaasDriverBase(object):
"""
pass
def create_firewall_group(self, agent_mode, apply_list, firewall):
"""Create the Firewall with default (drop all) policy.
The default policy will be applied on all the interfaces of
trusted zone.
"""
pass
def delete_firewall_group(self, agent_mode, apply_list, firewall):
"""Delete firewall.
Removes all policies created by this instance and frees up
all the resources.
"""
pass
def update_firewall_group(self, agent_mode, apply_list, firewall):
"""Apply the policy on all trusted interfaces.
Remove previous policy and apply the new policy on all trusted
interfaces.
"""
pass
@abc.abstractmethod
def apply_default_policy(self, agent_mode, apply_list, firewall):
"""Apply the default policy on all trusted interfaces.

39
neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas_v2.py
View File

@ -58,6 +58,9 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
LOG.debug("Initializing fwaas iptables driver")
self.pre_firewall = None
def initialize(self):
pass
def _get_intf_name(self, if_prefix, port_id):
_name = "%s%s" % (if_prefix, port_id)
return _name[:MAX_INTF_NAME_LEN]
@ -78,7 +81,7 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
LOG.exception(_LE("Failed to create firewall: %s"), firewall['id'])
raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
def _get_ipt_mgrs_with_if_prefix(self, agent_mode, router_info):
def _get_ipt_mgrs_with_if_prefix(self, agent_mode, ri):
"""Gets the iptables manager along with the if prefix to apply rules.
With DVR we can have differing namespaces depending on which agent
@ -88,18 +91,18 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
namespace and a fip so this is provided back as a list - so in that
scenario rules can be applied on both.
"""
if not router_info.router.get('distributed'):
return [{'ipt': router_info.iptables_manager,
if not ri.router.get('distributed'):
return [{'ipt': ri.iptables_manager,
'if_prefix': INTERNAL_DEV_PREFIX}]
ipt_mgrs = []
# TODO(sridar): refactor to get strings to a common location.
if agent_mode == 'dvr_snat':
if router_info.snat_iptables_manager:
ipt_mgrs.append({'ipt': router_info.snat_iptables_manager,
if ri.snat_iptables_manager:
ipt_mgrs.append({'ipt': ri.snat_iptables_manager,
'if_prefix': SNAT_INT_DEV_PREFIX})
if router_info.dist_fip_count:
if ri.dist_fip_count:
# handle the fip case on n/w or compute node.
ipt_mgrs.append({'ipt': router_info.iptables_manager,
ipt_mgrs.append({'ipt': ri.iptables_manager,
'if_prefix': ROUTER_2_FIP_DEV_PREFIX})
return ipt_mgrs
@ -108,9 +111,9 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
{'fw_id': firewall['id'], 'tid': firewall['tenant_id']})
fwid = firewall['id']
try:
for router_info, router_fw_ports in apply_list:
for ri, router_fw_ports in apply_list:
ipt_if_prefix_list = self._get_ipt_mgrs_with_if_prefix(
agent_mode, router_info)
agent_mode, ri)
for ipt_if_prefix in ipt_if_prefix_list:
ipt_mgr = ipt_if_prefix['ipt']
self._remove_chains(fwid, ipt_mgr)
@ -148,9 +151,9 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
{'fw_id': firewall['id'], 'tid': firewall['tenant_id']})
fwid = firewall['id']
try:
for router_info, router_fw_ports in apply_list:
for ri, router_fw_ports in apply_list:
ipt_if_prefix_list = self._get_ipt_mgrs_with_if_prefix(
agent_mode, router_info)
agent_mode, ri)
for ipt_if_prefix in ipt_if_prefix_list:
# the following only updates local memory; no hole in FW
ipt_mgr = ipt_if_prefix['ipt']
@ -172,9 +175,9 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
def _setup_firewall(self, agent_mode, apply_list, firewall):
fwid = firewall['id']
for router_info, router_fw_ports in apply_list:
for ri, router_fw_ports in apply_list:
ipt_if_prefix_list = self._get_ipt_mgrs_with_if_prefix(
agent_mode, router_info)
agent_mode, ri)
for ipt_if_prefix in ipt_if_prefix_list:
ipt_mgr = ipt_if_prefix['ipt']
# the following only updates local memory; no hole in FW
@ -298,9 +301,9 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
def _remove_conntrack_new_firewall(self, agent_mode, apply_list, firewall):
"""Remove conntrack when create new firewall"""
routers_list = list(set([apply_info[0] for apply_info in apply_list]))
for router_info in routers_list:
for ri in routers_list:
ipt_if_prefix_list = self._get_ipt_mgrs_with_if_prefix(
agent_mode, router_info)
agent_mode, ri)
for ipt_if_prefix in ipt_if_prefix_list:
ipt_mgr = ipt_if_prefix['ipt']
cmd = self._get_conntrack_cmd_from_rule(ipt_mgr)
@ -310,9 +313,9 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
apply_list, pre_firewall, firewall):
"""Remove conntrack when updated firewall"""
routers_list = list(set([apply_info[0] for apply_info in apply_list]))
for router_info in routers_list:
for ri in routers_list:
ipt_if_prefix_list = self._get_ipt_mgrs_with_if_prefix(
agent_mode, router_info)
agent_mode, ri)
for ipt_if_prefix in ipt_if_prefix_list:
ipt_mgr = ipt_if_prefix['ipt']
ch_rules = self._find_changed_rules(pre_firewall,
@ -391,7 +394,7 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
jump_rule = ['%s %s -j %s-%s' % (
IPTABLES_DIR[direction], intf_name,
bname, chain_name)]
self._add_rules_to_chain(ipt_mgr, ver,
self._add_rules_to_chain(ipt_mgr, ver,
'FORWARD', jump_rule)
# jump to DROP_ALL policy

2
neutron_fwaas/services/firewall/fwaas_plugin.py
View File

@ -148,7 +148,7 @@ class FirewallPlugin(
self.start_rpc_listeners()
self.agent_rpc = FirewallAgentApi(
f_const.L3_AGENT,
f_const.FW_AGENT,
cfg.CONF.host
)
firewall_db.subscribe()

8
neutron_fwaas/services/firewall/fwaas_plugin_v2.py
View File

@ -107,11 +107,11 @@ class FirewallCallbacks(object):
if fwg['status'] == n_const.PENDING_DELETE:
fwg_with_rules['add-port-ids'] = []
fwg_with_rules['del-port-ids'] = (
self.plugin._get_ports_for_firewall_group(context,
self.plugin._get_ports_in_firewall_group(context,
fwg['id']))
else:
fwg_with_rules['add-port-ids'] = (
self.plugin._get_ports_for_firewall_group(context,
self.plugin._get_ports_in_firewall_group(context,
fwg['id']))
fwg_with_rules['del-port-ids'] = []
fwg_list.append(fwg_with_rules)
@ -142,7 +142,7 @@ class FirewallPluginV2(
self.start_rpc_listeners()
self.agent_rpc = FirewallAgentApi(
f_const.L3_AGENT,
f_const.FW_AGENT,
cfg.CONF.host
)
@ -205,6 +205,8 @@ class FirewallPluginV2(
# TODO(sridar): elevated context and do we want to use public ?
for port_id in fwg_ports:
port_db = self._core_plugin._get_port(context, port_id)
if port_db['device_owner'] != "network:router_interface":
raise fw_ext.FirewallGroupPortInvalid(port_id=port_id)
if port_db['tenant_id'] != tenant_id:
raise fw_ext.FirewallGroupPortInvalidProject(port_id=port_id)
return

38
neutron_fwaas/tests/unit/services/firewall/agents/l3reference/test_firewall_l3_agent.py
View File

@ -12,13 +12,15 @@
# License for the specific language governing permissions and limitations
# under the License.
import mock
import testtools
import uuid
import mock
from oslo_config import cfg
from neutron.agent.l3 import config as l3_config
from neutron.agent.l3 import ha
from neutron.agent.l3 import l3_agent_extension_api as l3_agent_api
from neutron.agent.l3 import router_info
from neutron.agent.linux import ip_lib
from neutron.conf import common as base_config
@ -38,12 +40,12 @@ class FWaasHelper(object):
pass
class FWaasAgent(firewall_l3_agent.FWaaSL3AgentRpcCallback, FWaasHelper):
class FWaasAgent(firewall_l3_agent.FWaaSL3AgentExtension, FWaasHelper):
neutron_service_plugins = []
def _setup_test_agent_class(service_plugins):
class FWaasTestAgent(firewall_l3_agent.FWaaSL3AgentRpcCallback,
class FWaasTestAgent(firewall_l3_agent.FWaaSL3AgentExtension,
FWaasHelper):
neutron_service_plugins = service_plugins
@ -64,13 +66,15 @@ class TestFwaasL3AgentRpcCallback(base.BaseTestCase):
self.conf.register_opts(l3_config.OPTS)
self.conf.register_opts(ha.OPTS)
self.conf.register_opts(firewall_agent_api.FWaaSOpts, 'fwaas')
self.api = FWaasAgent("myhost", self.conf)
self.api = FWaasAgent(host=None, conf=self.conf)
self.api.fwaas_driver = test_firewall_agent_api.NoopFwaasDriver()
self.adminContext = context.get_admin_context()
self.router_id = str(uuid.uuid4())
self.agent_conf = mock.Mock()
project_id = str(uuid.uuid4()) # For 'tenant_id' and 'project_id' keys
self.ri_kwargs = {'router': {'id': self.router_id,
'tenant_id': str(uuid.uuid4())},
'tenant_id': project_id,
'project_id': project_id},
'agent_conf': self.agent_conf,
'interface_driver': mock.ANY,
'use_ipv6': mock.ANY,
@ -82,8 +86,8 @@ class TestFwaasL3AgentRpcCallback(base.BaseTestCase):
with mock.patch('oslo_utils.importutils.import_object'):
test_agent_class(cfg.CONF)
@testtools.skip('needs to be refactored for fwaas v2')
def test_fw_config_mismatch_plugin_enabled_agent_disabled(self):
self.skipTest('this is broken')
test_agent_class = _setup_test_agent_class([constants.FIREWALL])
cfg.CONF.set_override('enabled', False, 'fwaas')
self.assertRaises(SystemExit, test_agent_class, cfg.CONF)
@ -300,9 +304,15 @@ class TestFwaasL3AgentRpcCallback(base.BaseTestCase):
def test_get_router_info_list_for_tenant(self):
ri = self._prepare_router_data()
router_info = {ri.router_id: ri}
self.api.router_info = router_info
api_object = l3_agent_api.L3AgentExtensionAPI(router_info)
self.api.consume_api(api_object)
routers = [ri.router]
router_ids = [router['id'] for router in routers]
self.api.router_info = {ri.router_id: ri}
with mock.patch.object(ip_lib.IPWrapper,
'get_namespaces') as mock_get_namespaces:
mock_get_namespaces.return_value = []
@ -316,19 +326,27 @@ class TestFwaasL3AgentRpcCallback(base.BaseTestCase):
rtr_with_ri):
# ri.router with associated router_info (ri)
# rtr2 has no router_info
ri = self._prepare_router_data()
rtr2 = {'id': str(uuid.uuid4()), 'tenant_id': ri.router['tenant_id']}
routers = [rtr2]
self.api.router_info = {}
router_info = {}
ri_expected = []
if rtr_with_ri:
self.api.router_info[ri.router_id] = ri
router_info[ri.router_id] = ri
routers.append(ri.router)
ri_expected.append(ri)
self.api.router_info = router_info
router_ids = [router['id'] for router in routers]
with mock.patch.object(ip_lib.IPWrapper,
'get_namespaces') as mock_get_namespaces:
mock_get_namespaces.return_value = ri.ns_name
mock_get_namespaces.return_value = [ri.ns_name]
api_object = l3_agent_api.L3AgentExtensionAPI(router_info)
self.api.consume_api(api_object)
router_info_list = self.api._get_router_info_list_for_tenant(
router_ids,
ri.router['tenant_id'])

48
neutron_fwaas/tests/unit/services/firewall/agents/l3reference/test_firewall_l3_agent_v2.py
View File

@ -19,6 +19,7 @@ import mock
from oslo_config import cfg
from neutron.agent.l3 import config as l3_config
from neutron.agent.l3 import l3_agent_extension_api as l3_agent_api
from neutron.agent.l3 import router_info
from neutron.agent.linux import ip_lib
from neutron import context
@ -33,35 +34,54 @@ from neutron_fwaas.tests.unit.services.firewall.agents \
class FWaasHelper(object):
def __init__(self, host):
def __init__(self):
pass
class FWaasAgent(firewall_l3_agent_v2.FWaaSL3AgentRpcCallback, FWaasHelper):
class FWaasAgent(firewall_l3_agent_v2.L3WithFWaaS, FWaasHelper):
neutron_service_plugins = []
def add_router(self, context, data):
pass
def delete_router(self, context, data):
pass
def update_router(self, context, data):
pass
def _setup_test_agent_class(service_plugins):
class FWaasTestAgent(firewall_l3_agent_v2.FWaaSL3AgentRpcCallback,
class FWaasTestAgent(firewall_l3_agent_v2.L3WithFWaaS,
FWaasHelper):
neutron_service_plugins = service_plugins
def __init__(self, conf):
self.event_observers = mock.Mock()
self.conf = conf
super(FWaasTestAgent, self).__init__('myhost', conf)
super(FWaasTestAgent, self).__init__(conf)
def add_router(self, context, data):
pass
def delete_router(self, context, data):
pass
def update_router(self, context, data):
pass
return FWaasTestAgent
class TestFwaasL3AgentRpcCallback(base.BaseTestCase):
class TestFWaaSL3AgentExtension(base.BaseTestCase):
def setUp(self):
super(TestFwaasL3AgentRpcCallback, self).setUp()
super(TestFWaaSL3AgentExtension, self).setUp()
self.conf = cfg.ConfigOpts()
self.conf.register_opts(l3_config.OPTS)
self.conf.register_opts(firewall_agent_api.FWaaSOpts, 'fwaas')
self.api = FWaasAgent('myhost', self.conf)
self.conf.host = 'myhost'
self.api = FWaasAgent(self.conf)
self.api.fwaas_driver = test_firewall_agent_api.NoopFwaasDriverV2()
self.adminContext = context.get_admin_context()
self.context = mock.sentinel.context
@ -279,7 +299,9 @@ class TestFwaasL3AgentRpcCallback(base.BaseTestCase):
ports = [{'id': pid} for pid in port_ids]
ri = self._prepare_router_data()
ri.internal_ports = ports
self.api.router_info = {ri.router_id: ri}
router_info = {ri.router_id: ri}
api_object = l3_agent_api.L3AgentExtensionAPI(router_info)
self.api.consume_api(api_object)
fw_port_ids = port_ids
with mock.patch.object(ip_lib.IPWrapper,
@ -288,7 +310,7 @@ class TestFwaasL3AgentRpcCallback(base.BaseTestCase):
mock_get_namespaces.return_value = []
ports_for_fw_list = self.api._get_in_ns_ports(fw_port_ids)
mock_get_namespaces.assert_called_once_with()
mock_get_namespaces.assert_called_with()
self.assertFalse(ports_for_fw_list)
def test_get_in_ns_ports_for_fw(self):
@ -296,8 +318,10 @@ class TestFwaasL3AgentRpcCallback(base.BaseTestCase):
ports = [{'id': pid} for pid in port_ids]
ri = self._prepare_router_data()
ri.internal_ports = ports
self.api.router_info = {}
self.api.router_info[ri.router_id] = ri
router_info = {}
router_info[ri.router_id] = ri
api_object = l3_agent_api.L3AgentExtensionAPI(router_info)
self.api.consume_api(api_object)
fw_port_ids = port_ids
ports_for_fw_expected = [(ri, port_ids)]
@ -306,3 +330,5 @@ class TestFwaasL3AgentRpcCallback(base.BaseTestCase):
mock_get_namespaces.return_value = [ri.ns_name]
ports_for_fw_actual = self.api._get_in_ns_ports(fw_port_ids)
self.assertEqual(ports_for_fw_expected, ports_for_fw_actual)
#TODO(Margaret) Add test for add_router method.

6
neutron_fwaas/tests/unit/services/firewall/agents/test_firewall_agent_api.py
View File

@ -28,13 +28,13 @@ class NoopFwaasDriver(fwaas_base.FwaasDriverBase):
This driver is for disabling Fwaas functionality.
"""
def create_firewall(self, agent_mode, apply_list, firewall):
def create_firewall_group(self, agent_mode, apply_list, firewall):
pass
def delete_firewall(self, agent_mode, apply_list, firewall):
def delete_firewall_group(self, agent_mode, apply_list, firewall):
pass
def update_firewall(self, agent_mode, apply_list, firewall):
def update_firewall_group(self, agent_mode, apply_list, firewall):
pass
def apply_default_policy(self, agent_mode, apply_list, firewall):

13
neutron_fwaas/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas_v2.py
View File

@ -181,11 +181,14 @@ class IptablesFwaasTestCase(base.BaseTestCase):
mock.call.add_rule(egress_chain, rule2),
mock.call.add_rule(egress_chain, rule3)]
intf_name = self._get_intf_name(if_prefix, FAKE_PORT_IDS[-1])
calls.append(mock.call.add_rule('FORWARD',
'-o %s -j %s' % (intf_name, ipt_mgr_ichain)))
calls.append(mock.call.add_rule('FORWARD',
'-i %s -j %s' % (intf_name, ipt_mgr_echain)))
for port in FAKE_PORT_IDS:
intf_name = self._get_intf_name(if_prefix, port)
calls.append(mock.call.add_rule('FORWARD',
'-o %s -j %s' % (intf_name, ipt_mgr_ichain)))
for port in FAKE_PORT_IDS:
intf_name = self._get_intf_name(if_prefix, port)
calls.append(mock.call.add_rule('FORWARD',
'-i %s -j %s' % (intf_name, ipt_mgr_echain)))
for direction in ['o', 'i']:
for port_id in FAKE_PORT_IDS:

6
setup.cfg
View File

@ -27,13 +27,12 @@ setup-hooks =
pbr.hooks.setup_hook
[entry_points]
console_scripts =
neutron-l3-agent = neutron_fwaas.cmd.eventlet.agents.fw:main
firewall_drivers =
# These are for backwards compat with Juno firewall service provider
# configuration values
neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas:IptablesFwaasDriver
iptables = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas:IptablesFwaasDriver
iptables_v2 = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas_v2:IptablesFwaasDriver
neutron.service_plugins =
firewall = neutron_fwaas.services.firewall.fwaas_plugin:FirewallPlugin
firewall_v2 = neutron_fwaas.services.firewall.fwaas_plugin_v2:FirewallPluginV2
@ -45,6 +44,9 @@ tempest.test_plugins =
neutron-fwaas = neutron_fwaas.tests.tempest_plugin.plugin:NeutronFWaaSPlugin
oslo.config.opts =
firewall.agent = neutron_fwaas.opts:list_agent_opts
neutron.agent.l3.extensions =
fwaas = neutron_fwaas.services.firewall.agents.l3reference.firewall_l3_agent:L3WithFWaaS
fwaas_v2 = neutron_fwaas.services.firewall.agents.l3reference.firewall_l3_agent_v2:L3WithFWaaS
[build_sphinx]
all_files = 1