From 6ddddcbaebd88380ae8f4ae9b19c5571cf8a00b9 Mon Sep 17 00:00:00 2001
From: Jakub Libosvar
Date: Thu, 24 Nov 2016 12:32:55 -0500
Subject: [PATCH] ovsfw: Support protocol numbers instead of just tcp and udp

Neutron API accepts also protocol numbers as protocols for security groups. This patch makes support for it in OVS firewall driver. iptables driver already supports it. Fullstack test covering SCTP connection was added and it requires ip_conntrack_proto_sctp kernel module in order to make conntrack work with SCTP.
Closes-bug: 1625516
Conflicts:
neutron/tests/fullstack/test_securitygroup.py
Change-Id: I6c5665a994c4a50ddbb95cd1360be0de0a6c7e40
(cherry picked from commit d5c07fe512502342cfde7c49e6ed75686608cc65)
---
neutron/agent/linux/openvswitch_firewall/constants.py | 6 ------
neutron/agent/linux/openvswitch_firewall/rules.py | 11 ++++++-----
neutron/tests/common/net_helpers.py | 11 ++++++++---
tools/configure_for_func_testing.sh | 1 +
4 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/neutron/agent/linux/openvswitch_firewall/constants.py b/neutron/agent/linux/openvswitch_firewall/constants.py
index c03fdc3ba8d..00d142b4079 100644
--- a/neutron/agent/linux/openvswitch_firewall/constants.py
+++ b/neutron/agent/linux/openvswitch_firewall/constants.py
@@ -35,12 +35,6 @@ CT_MARK_INVALID = '0x1' REG_PORT = 5 REG_NET = 6 -protocol_to_nw_proto = { - constants.PROTO_NAME_ICMP: constants.PROTO_NUM_ICMP, - constants.PROTO_NAME_TCP: constants.PROTO_NUM_TCP, - constants.PROTO_NAME_UDP: constants.PROTO_NUM_UDP, -} - PROTOCOLS_WITH_PORTS = (constants.PROTO_NAME_TCP, constants.PROTO_NAME_UDP) ethertype_to_dl_type_map = {
diff --git a/neutron/agent/linux/openvswitch_firewall/rules.py b/neutron/agent/linux/openvswitch_firewall/rules.py
index 1c7c5f7d471..233972ed91f 100644
--- a/neutron/agent/linux/openvswitch_firewall/rules.py
+++ b/neutron/agent/linux/openvswitch_firewall/rules.py
@@ -79,12 +79,13 @@ def create_protocol_flows(direction, flow_template, port, rule): flow_template['actions'] = 'resubmit(,{:d})'.format( ovs_consts.ACCEPT_OR_INGRESS_TABLE) protocol = rule.get('protocol') - try: - flow_template['nw_proto'] = ovsfw_consts.protocol_to_nw_proto[protocol] - if rule['ethertype'] == n_consts.IPv6 and protocol == 'icmp': + if protocol: + if (rule.get('ethertype') == n_consts.IPv6 and + protocol == n_consts.PROTO_NAME_ICMP): flow_template['nw_proto'] = n_consts.PROTO_NUM_IPV6_ICMP - except KeyError: - pass + else: + flow_template['nw_proto'] = n_consts.IP_PROTOCOL_MAP.get( + protocol, protocol) flows = create_port_range_flows(flow_template, rule) return flows or [flow_template]
diff --git a/neutron/tests/common/net_helpers.py b/neutron/tests/common/net_helpers.py
index 40ca0112c78..3c96a638548 100644
--- a/neutron/tests/common/net_helpers.py
+++ b/neutron/tests/common/net_helpers.py
@@ -72,7 +72,8 @@ READ_TIMEOUT = os.environ.get('OS_TEST_READ_TIMEOUT', 5) CHILD_PROCESS_TIMEOUT = os.environ.get('OS_TEST_CHILD_PROCESS_TIMEOUT', 20) CHILD_PROCESS_SLEEP = os.environ.get('OS_TEST_CHILD_PROCESS_SLEEP', 0.5) -TRANSPORT_PROTOCOLS = (n_const.PROTO_NAME_TCP, n_const.PROTO_NAME_UDP) +TRANSPORT_PROTOCOLS = (n_const.PROTO_NAME_TCP, n_const.PROTO_NAME_UDP, + n_const.PROTO_NAME_SCTP) OVS_MANAGER_TEST_PORT_FIRST = 6610 OVS_MANAGER_TEST_PORT_LAST = 6639
@@ -382,6 +383,7 @@ class Pinger(object): class NetcatTester(object): TCP = n_const.PROTO_NAME_TCP UDP = n_const.PROTO_NAME_UDP + SCTP = n_const.PROTO_NAME_SCTP VERSION_TO_ALL_ADDRESS = { 4: '0.0.0.0', 6: '::',
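Review bot: The numeric-protocol support is only half closed here: `n_consts.IP_PROTOCOL_MAP.get(protocol, protocol)` lets a rule written as protocol `'6'` or `'17'` reach `nw_proto`, but `PROTOCOLS_WITH_PORTS` in constants.py still lists only the tcp/udp names, so if `create_port_range_flows` keys off that tuple a numeric rule carrying a port range would get no port match and would accept the whole protocol — worth a unit test with `protocol: '6'` plus a port range, or resolving the name from the number before the port-range step. A second point is `if protocol:`: it is fine for the string values the API stores, but would silently drop IP protocol 0 if an integer ever arrives here, and `if protocol is not None:` is the safer guard. Unknown protocol names now pass through to OVS unchanged instead of being skipped; that is better than the old behaviour of matching every protocol on a `KeyError`, but it presumes the API layer has already validated the value. `create_protocol_flows` starts before this hunk.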
@@ -402,7 +404,7 @@ class NetcatTester(object): will be spawned :param address: Server address from client point of view :param dst_port: Port on which netcat listens - :param protocol: Transport protocol, either 'tcp' or 'udp' + :param protocol: Transport protocol, either 'tcp', 'udp' or 'sctp' :param server_address: Address in server namespace on which netcat should listen :param src_port: Source port of netcat process spawned in client
@@ -488,9 +490,12 @@ class NetcatTester(object): cmd = ['nc', address, self.dst_port] if self.protocol == self.UDP: cmd.append('-u') + elif self.protocol == self.SCTP: + cmd.append('--sctp') + if listen: cmd.append('-l') - if self.protocol == self.TCP: + if self.protocol in (self.TCP, self.SCTP): cmd.append('-k') else: cmd.extend(['-w', '20'])
diff --git a/tools/configure_for_func_testing.sh b/tools/configure_for_func_testing.sh
index f603b125a5d..a001edaa1cd 100755
--- a/tools/configure_for_func_testing.sh
+++ b/tools/configure_for_func_testing.sh
@@ -280,4 +280,5 @@ fi if [[ "$VENV" =~ "dsvm-fullstack" ]]; then _configure_iptables_rules + sudo modprobe ip_conntrack_proto_sctp fi
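Review bot: `cmd.append('--sctp')` is an option of nmap's ncat, while the command is invoked as plain `nc`; the OpenBSD/traditional netcat binaries that provide `nc` on many distributions do not understand `--sctp`, so the new branch works only where `nc` resolves to ncat. A comment next to the branch such as `# '--sctp' is ncat-only; OpenBSD netcat has no SCTP support` would make that dependency explicit, and a skip when the installed netcat flavour lacks SCTP would turn a confusing spawn failure into a clear test skip. Treating SCTP like TCP for `-k` looks right since both are connection-oriented. The enclosing method starts before this hunk, so where a failed spawn surfaces is not visible here.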
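Review bot: `sudo modprobe ip_conntrack_proto_sctp` is unguarded; on a kernel that does not offer a module answering to that legacy name (newer kernels expose SCTP conntrack as `nf_conntrack_proto_sctp` or compile it into nf_conntrack) modprobe exits non-zero, and whether that aborts the whole configure step depends on the script's error handling, which is outside the hunk. Either tolerate the failure with an explicit message, e.g. `sudo modprobe ip_conntrack_proto_sctp || echo "WARNING: SCTP conntrack module not loaded; SCTP fullstack tests may fail"`, or try the current module name first and fall back to the legacy one. A short comment stating that the module is needed only so that conntrack can track the SCTP fullstack test traffic would also help the next person who trims this block.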