Make iptables firewall work with L3 plugin without DVR support

iptables firewall implementation expects 'distributed' attribute is populated in router_info.router, but this attribute is only populated when L3 plugin supports DVR extension. This commits take into account the case where 'distributed' attribute does not exist in router_info.router. Change-Id: I2b0c208d74923f9ea0fc35bcea00e11152bbdb3d Closes-Bug: #1448439 (cherry picked from commit 649fab93ce)
2015-04-25 20:51:06 +09:00 · 2015-04-25 20:51:06 +09:00 · cdcd5a7b69
parent 331316624a
commit cdcd5a7b69
2 changed files with 21 additions and 4 deletions
--- a/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py
+++ b/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py
@ -73,7 +73,7 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
        namespace and a fip so this is provided back as a list - so in that
        scenario rules can be applied on both.
        """
-        if not router_info.router['distributed']:
+        if not router_info.router.get('distributed'):
            return [{'ipt': router_info.iptables_manager,
                     'if_prefix': INTERNAL_DEV_PREFIX}]
        ipt_mgrs = []
--- a/neutron_fwaas/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas.py
+++ b/neutron_fwaas/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas.py
@ -93,7 +93,10 @@ class IptablesFwaasTestCase(base.BaseTestCase):
        apply_list = []
        while router_count > 0:
            iptables_inst = mock.Mock()
-            router_inst = {'distributed': distributed}
+            if distributed is not None:
+                router_inst = {'distributed': distributed}
+            else:
+                router_inst = {}
            v4filter_inst = mock.Mock()
            v6filter_inst = mock.Mock()
            v4filter_inst.chains = []
@ -203,6 +206,10 @@ class IptablesFwaasTestCase(base.BaseTestCase):
    def test_create_firewall_with_rules(self):
        self._setup_firewall_with_rules(self.firewall.create_firewall)

+    def test_create_firewall_with_rules_without_distributed_attr(self):
+        self._setup_firewall_with_rules(self.firewall.create_firewall,
+                                        distributed=None)
+
    def test_create_firewall_with_rules_two_routers(self):
        self._setup_firewall_with_rules(self.firewall.create_firewall,
                                        router_count=2)
@ -210,8 +217,12 @@ class IptablesFwaasTestCase(base.BaseTestCase):
    def test_update_firewall_with_rules(self):
        self._setup_firewall_with_rules(self.firewall.update_firewall)

-    def test_delete_firewall(self):
-        apply_list = self._fake_apply_list()
+    def test_update_firewall_with_rules_without_distributed_attr(self):
+        self._setup_firewall_with_rules(self.firewall.update_firewall,
+                                        distributed=None)
+
+    def _test_delete_firewall(self, distributed=False):
+        apply_list = self._fake_apply_list(distributed=distributed)
        firewall = self._fake_firewall_no_rule()
        self.firewall.delete_firewall('legacy', apply_list, firewall)
        ingress_chain = 'iv4%s' % firewall['id']
@ -221,6 +232,12 @@ class IptablesFwaasTestCase(base.BaseTestCase):
                 mock.call.remove_chain('fwaas-default-policy')]
        apply_list[0].iptables_manager.ipv4['filter'].assert_has_calls(calls)

+    def test_delete_firewall(self):
+        self._test_delete_firewall()
+
+    def test_delete_firewall_without_distributed_attr(self):
+        self._test_delete_firewall(distributed=None)
+
    def test_create_firewall_with_admin_down(self):
        apply_list = self._fake_apply_list()
        rule_list = self._fake_rules_v4(FAKE_FW_ID, apply_list)