[DevStack] Configure iptables_v2 firewall driver for FWaaS V2.
Currently DevStack configures the iptables v1 firewall driver for both FWaaS versions. For V2 this means that all calls to firewall-group-related driver methods are handled by the FwaasDriverBase metaclass and are actually no-ops. Also updated the FWaaS V2 scenario test to configure a firewall rule that allows SSH. Change-Id: I0bdb4998f21d65564a30b6faa0250aad68f5c7b2
parent
d5224f1935
commit
21d18e303c
|
@ -37,6 +37,7 @@ function configure_fwaas_v1() {
|
|||
neutron_fwaas_configure_driver fwaas
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas agent_version v1
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas conntrack_driver conntrack
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER_V1
|
||||
}
|
||||
|
||||
function configure_fwaas_v2() {
|
||||
|
@ -44,6 +45,7 @@ function configure_fwaas_v2() {
|
|||
cp $NEUTRON_FWAAS_DIR/etc/neutron_fwaas.conf.sample $NEUTRON_FWAAS_CONF
|
||||
neutron_fwaas_configure_driver fwaas_v2
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas agent_version v2
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER_V2
|
||||
}
|
||||
|
||||
function neutron_fwaas_generate_config_files {
|
||||
|
@ -85,7 +87,6 @@ function neutron_fwaas_configure_driver {
|
|||
plugin_agent_add_l3_agent_extension $1
|
||||
configure_l3_agent
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas enabled True
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER
|
||||
}
|
||||
|
||||
# check for service enabled
|
||||
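Review bot: Nothing in configure_fwaas_v1 or configure_fwaas_v2 records why the `fwaas driver` value has to match `agent_version`, and per the commit description a mismatch fails silently: firewall-group calls become no-ops and no rules are enforced. I would add a comment above the `iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER_V2` line, such as `# Driver must match agent_version; a v1 driver under v2 turns firewall-group calls into no-ops.` The same comment fits the `$FWAAS_DRIVER_V1` line in configure_fwaas_v1. Both function bodies start outside the visible hunks, and the rendered page has lost its +/- markers, so which lines are new is inferred from the hunk counts and the description.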
|
|
|
@ -1,4 +1,5 @@
|
|||
FWAAS_DRIVER=${FWAAS_DRIVER:-iptables}
|
||||
FWAAS_DRIVER_V1=${FWAAS_DRIVER_V1:-iptables}
|
||||
FWAAS_DRIVER_V2=${FWAAS_DRIVER_V2:-iptables_v2}
|
||||
FWAAS_PLUGIN_V1=${FWAAS_PLUGIN:-neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin}
|
||||
FWAAS_PLUGIN_V2=${FWAAS_PLUGIN:-neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2}
|
||||
|
||||
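Review bot: `FWAAS_DRIVER` is still defined here, but the driver lines visible in the plugin script read `$FWAAS_DRIVER_V1` and `$FWAAS_DRIVER_V2`, so an existing `FWAAS_DRIVER=...` override in a local.conf would appear to be ignored without any message. If the variable is no longer read anywhere, either drop it or keep old V1 overrides working with `FWAAS_DRIVER_V1=${FWAAS_DRIVER_V1:-${FWAAS_DRIVER:-iptables}}`. It should not feed the V2 default, since per the commit description a v1 driver under V2 leaves the firewall group unenforced. Whether other scripts still consume `FWAAS_DRIVER` cannot be seen from this page.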
|
|
|
@ -224,8 +224,13 @@ class TestFWaaS_v2(base.FWaaSScenarioTest_V2):
|
|||
private_key=topology['private_key2'])
|
||||
|
||||
# Scenario 1: Add allow ICMP rules between the two VMs.
|
||||
fw_rule = self.create_firewall_rule(action="allow", protocol="icmp")
|
||||
fw_policy = self.create_firewall_policy(firewall_rules=[fw_rule['id']])
|
||||
fw_allow_icmp_rule = self.create_firewall_rule(action="allow",
|
||||
protocol="icmp")
|
||||
fw_allow_ssh_rule = self.create_firewall_rule(action="allow",
|
||||
protocol="tcp",
|
||||
destination_port=22)
|
||||
fw_policy = self.create_firewall_policy(
|
||||
firewall_rules=[fw_allow_icmp_rule['id'], fw_allow_ssh_rule['id']])
|
||||
fw_group = self.create_firewall_group(
|
||||
ports=[
|
||||
topology['router_portid_1'],
|
||||
|
@ -233,8 +238,9 @@ class TestFWaaS_v2(base.FWaaSScenarioTest_V2):
|
|||
ingress_firewall_policy_id=fw_policy['id'],
|
||||
egress_firewall_policy_id=fw_policy['id'])
|
||||
self._wait_firewall_group_ready(fw_group['id'])
|
||||
LOG.debug('fw_rule: %s\nfw_policy: %s\nfw_group: %s\n',
|
||||
fw_rule, fw_policy, fw_group)
|
||||
LOG.debug('fw_allow_icmp_rule: %s\nfw_allow_ssh_rule: %s\n'
|
||||
'fw_policy: %s\nfw_group: %s\n',
|
||||
fw_allow_icmp_rule, fw_allow_ssh_rule, fw_policy, fw_group)
|
||||
|
||||
# Check the connectivity between VM1 and VM2. It should Pass.
|
||||
self._check_connectivity_between_internal_networks(
|
||||
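Review bot: The scenario lines visible here only assert that traffic passes, which is also the outcome a no-op driver produces; per the commit description, firewall-group calls were no-ops under the old driver. If the rest of the test (outside this hunk) does not already do so, a check that connectivity fails once the allow rules are removed or replaced by a deny rule would catch a regression to an unenforced firewall. I would also add a comment on `fw_allow_ssh_rule`, for example `# The connectivity check reaches the VM over SSH, so tcp/22 must be allowed once rules are enforced.` That reason is inferred from the commit description and is not visible in the hunk.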
|
|