8de0c36cb9
This patch implements a driver based on OVN, it creates port_group for every l3 firewall_group and adds relating ports to port_group, it also transforms firewall_rules to stateless acls. Tests will been put in next patch. NOTE: it depends on ML2/OVN. Partially-Implements: blueprint support-l3-firewall-for-ovn-driver Related-Bug: #1971958 Change-Id: If153645b3da198ef1746e98af80ac6f0a0b41bf9
154 lines
4.5 KiB
Bash
Executable File
154 lines
4.5 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
# Dependencies:
|
|
#
|
|
# ``functions`` file
|
|
# ``DEST`` must be defined
|
|
|
|
# Save trace setting
|
|
XTRACE=$(set +o | grep xtrace)
|
|
set +o xtrace
|
|
|
|
# Source in L2 and L3 agent extension management
|
|
LIBDIR=$DEST/neutron-fwaas/devstack/lib
|
|
source $LIBDIR/l2_agent
|
|
source $LIBDIR/l3_agent
|
|
|
|
function install_fwaas() {
|
|
# Install the service.
|
|
:
|
|
setup_develop $DEST/neutron-fwaas
|
|
if is_ubuntu; then
|
|
install_package libnetfilter-log1
|
|
else
|
|
# EPEL
|
|
install_package libnetfilter_log
|
|
fi
|
|
}
|
|
|
|
function is_ovn_enabled {
|
|
[[ $Q_AGENT == "ovn" ]] && return 0
|
|
return 1
|
|
}
|
|
|
|
function configure_fwaas_v2() {
|
|
# Add conf file
|
|
cp $NEUTRON_FWAAS_DIR/etc/neutron_fwaas.conf.sample $NEUTRON_FWAAS_CONF
|
|
neutron_server_config_add $NEUTRON_FWAAS_CONF
|
|
inicomment $NEUTRON_FWAAS_CONF service_providers service_provider
|
|
if is_ovn_enabled; then
|
|
iniadd $NEUTRON_FWAAS_CONF service_providers service_provider $NEUTRON_FWAAS_SERVICE_PROVIDERV2_OVN
|
|
else
|
|
iniadd $NEUTRON_FWAAS_CONF service_providers service_provider $NEUTRON_FWAAS_SERVICE_PROVIDERV2
|
|
fi
|
|
|
|
neutron_fwaas_configure_driver fwaas_v2
|
|
if is_service_enabled q-l3; then
|
|
iniset_multiline $Q_L3_CONF_FILE fwaas agent_version v2
|
|
iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER_V2
|
|
fi
|
|
if is_service_enabled q-agt; then
|
|
iniset /$NEUTRON_CORE_PLUGIN_CONF fwaas firewall_l2_driver $FW_L2_DRIVER
|
|
iniset /$NEUTRON_CORE_PLUGIN_CONF agent extensions fwaas_v2
|
|
fi
|
|
}
|
|
|
|
function configure_l3_log_fwaas_v2(){
|
|
if is_service_enabled q-l3; then
|
|
iniadd $Q_L3_CONF_FILE agent extensions fwaas_v2_log
|
|
fi
|
|
}
|
|
|
|
function neutron_fwaas_generate_config_files {
|
|
(cd $NEUTRON_FWAAS_DIR && exec ./tools/generate_config_file_samples.sh)
|
|
}
|
|
|
|
function init_fwaas() {
|
|
# Initialize and start the service.
|
|
:
|
|
# Using sudo to gain the root privilege to be able to copy file to rootwrap.d
|
|
sudo cp $DEST/neutron-fwaas/etc/neutron/rootwrap.d/fwaas-privsep.filters /etc/neutron/rootwrap.d/fwaas-privsep.filters
|
|
}
|
|
|
|
function shutdown_fwaas() {
|
|
# Shut the service down.
|
|
:
|
|
}
|
|
|
|
function cleanup_fwaas() {
|
|
# Cleanup the service.
|
|
:
|
|
if is_ubuntu; then
|
|
uninstall_package libnetfilter-log1
|
|
else
|
|
# EPEL
|
|
uninstall_package libnetfilter_log
|
|
fi
|
|
}
|
|
|
|
function neutron_fwaas_configure_common {
|
|
neutron_service_plugin_class_add $FWAAS_PLUGIN_V2
|
|
}
|
|
|
|
function neutron_fwaas_configure_driver {
|
|
if is_service_enabled q-l3; then
|
|
plugin_agent_add_l3_agent_extension $1
|
|
configure_l3_agent
|
|
iniset_multiline $Q_L3_CONF_FILE fwaas enabled True
|
|
fi
|
|
}
|
|
|
|
# check for service enabled
|
|
if is_service_enabled q-svc neutron-api && is_service_enabled q-fwaas q-fwaas-v2 neutron-fwaas-v2; then
|
|
|
|
if [[ "$1" == "stack" && "$2" == "install" ]]; then
|
|
# Perform installation of service source
|
|
echo_summary "Installing neutron-fwaas"
|
|
install_fwaas
|
|
|
|
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
|
|
# Configure after the other layer 1 and 2 services have been configured
|
|
neutron_fwaas_configure_common
|
|
neutron_fwaas_generate_config_files
|
|
echo_summary "Configuring neutron-fwaas for FWaaS v2"
|
|
configure_fwaas_v2
|
|
if is_service_enabled q-log neutron-log; then
|
|
echo_summary "Configuring FwaaS V2 packet log for l3 extension"
|
|
configure_l3_log_fwaas_v2
|
|
fi
|
|
|
|
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
|
|
# Initialize and start the neutron-fwaas service
|
|
echo_summary "Initializing neutron-fwaas"
|
|
init_fwaas
|
|
fi
|
|
|
|
if [[ "$1" == "unstack" ]]; then
|
|
# Shut down neutron-fwaas services
|
|
# no-op
|
|
shutdown_fwaas
|
|
fi
|
|
|
|
if [[ "$1" == "clean" ]]; then
|
|
# Remove state and transient data
|
|
# Remember clean.sh first calls unstack.sh
|
|
# no-op
|
|
cleanup_fwaas
|
|
fi
|
|
fi
|
|
|
|
# Restore xtrace
|
|
$XTRACE
|