From c6b907a2cfa9626260348f07284206ab87e5712d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Harald=20Jens=C3=A5s?= <hjensas@redhat.com>
Date: Thu, 4 Apr 2019 02:12:34 +0200
Subject: [PATCH] L3 Conntrack Helper Extension

Introduces a new API extension exposing conntrack_helpers
field in Router response. The extension requires the
``router`` and ``conntrack_helper`` service plugin.

Related-Bug: #1823633
Change-Id: I55d659c47f3e9a65af78509fbd63416373a501f3
---
 api-ref/source/v2/index.rst                   |   1 +
 api-ref/source/v2/l3-conntrack-helper.inc     | 212 ++++++++++++++++++
 api-ref/source/v2/parameters.yaml             | 100 +++++++++
 api-ref/source/v2/routers.inc                 |  11 +
 .../conntrack-helper-create-request.json      |   7 +
 .../conntrack-helper-create-response.json     |   8 +
 .../conntrack-helper-list-response.json       |  16 ++
 .../conntrack-helper-show-response.json       |   8 +
 .../conntrack-helper-update-request.json      |   7 +
 .../conntrack-helper-update-response.json     |   8 +
 .../routers/router-create-response.json       |   3 +-
 .../samples/routers/router-show-response.json |   3 +-
 .../routers/router-update-response.json       |   3 +-
 .../routers/routers-list-response.json        |  28 ++-
 neutron_lib/api/definitions/__init__.py       |   4 +
 neutron_lib/api/definitions/base.py           |   2 +
 .../definitions/expose_l3_conntrack_helper.py |  42 ++++
 .../api/definitions/l3_conntrack_helper.py    | 127 +++++++++++
 .../test_expose_l3_conntrack_helper.py        |  24 ++
 .../definitions/test_l3_conntrack_helper.py   |  28 +++
 .../l3_conntrack_helper-f186bcdcc31bcaf2.yaml |   9 +
 21 files changed, 646 insertions(+), 5 deletions(-)
 create mode 100644 api-ref/source/v2/l3-conntrack-helper.inc
 create mode 100644 api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-create-request.json
 create mode 100644 api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-create-response.json
 create mode 100644 api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-list-response.json
 create mode 100644 api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-show-response.json
 create mode 100644 api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-update-request.json
 create mode 100644 api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-update-response.json
 create mode 100644 neutron_lib/api/definitions/expose_l3_conntrack_helper.py
 create mode 100644 neutron_lib/api/definitions/l3_conntrack_helper.py
 create mode 100644 neutron_lib/tests/unit/api/definitions/test_expose_l3_conntrack_helper.py
 create mode 100644 neutron_lib/tests/unit/api/definitions/test_l3_conntrack_helper.py
 create mode 100644 releasenotes/notes/l3_conntrack_helper-f186bcdcc31bcaf2.yaml

diff --git a/api-ref/source/v2/index.rst b/api-ref/source/v2/index.rst
index 918a21498..5136c4118 100644
--- a/api-ref/source/v2/index.rst
+++ b/api-ref/source/v2/index.rst
@@ -26,6 +26,7 @@ Layer 2 Networking
 Layer 3 Networking
 ##################
 .. include:: address-scopes.inc
+.. include:: l3-conntrack-helper.inc
 .. include:: floatingips.inc
 .. include:: floatingippools.inc
 .. include:: fip-port-forwarding.inc
diff --git a/api-ref/source/v2/l3-conntrack-helper.inc b/api-ref/source/v2/l3-conntrack-helper.inc
new file mode 100644
index 000000000..211b4607f
--- /dev/null
+++ b/api-ref/source/v2/l3-conntrack-helper.inc
@@ -0,0 +1,212 @@
+.. -*- rst -*-
+
+==========================================
+Routers Conntrack Helper (CT) target rules
+==========================================
+
+Lists, creates, shows details for, updates, and deletes router conntrack helper
+(CT) target rules.
+
+Show conntrack helper
+=====================
+
+.. rest_method:: GET /v2.0/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
+
+Shows information for a router conntrack helper.
+
+Use the ``fields`` query parameter to control which fields are returned in the response body.
+For information, see `Filtering and Column Selection <https://wiki.openstack.org/wiki/Neutron/APIv2
+-specification#Filtering_and_Column_Selection>`__.
+
+Normal response codes: 200
+
+Error response codes: 400, 404
+
+Request
+-------
+
+.. rest_parameters:: parameters.yaml
+
+   - router_id: router_id
+   - conntrack_helper_id: conntrack_helper_id-path
+   - fields: fields
+
+Response Parameters
+-------------------
+
+.. rest_parameters:: parameters.yaml
+
+   - conntrack_helper: conntrack_helper
+   - helper: conntrack_helper_helper-body
+   - id: conntrack_helper_id-body
+   - protocol: conntrack_helper_protocol-body
+   - port: conntrack_helper_port-body
+
+Response Example
+----------------
+
+.. literalinclude:: samples/conntrack_helpers/conntrack-helper-show-response.json
+   :language: javascript
+
+Update a conntrack helper
+=========================
+
+.. rest_method:: PUT /v2.0/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
+
+Updates a router conntrack helper.
+
+Normal response codes: 200
+
+Error response codes: 400, 404
+
+Request
+-------
+
+.. rest_parameters:: parameters.yaml
+
+   - router_id: router_id
+   - conntrack_helper_id: conntrack_helper_id-path
+   - helper: conntrack_helper_helper-update
+   - protocol: conntrack_helper_protocol-update
+   - port: conntrack_helper_port-update
+
+
+Request Example
+---------------
+
+.. literalinclude:: samples/conntrack_helpers/conntrack-helper-update-request.json
+   :language: javascript
+
+Response Parameters
+-------------------
+
+.. rest_parameters:: parameters.yaml
+
+   - conntrack_helper: conntrack_helper
+   - id: conntrack_helper_id-body
+   - helper: conntrack_helper_helper-body
+   - protocol: conntrack_helper_protocol-body
+   - port: conntrack_helper_port-body
+
+Response Example
+----------------
+
+.. literalinclude:: samples/conntrack_helpers/conntrack-helper-update-response.json
+   :language: javascript
+
+Delete a conntrack helper
+=========================
+
+.. rest_method:: DELETE /v2.0/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
+
+Deletes a router conntrack helper.
+
+Normal response codes: 204
+
+Error response codes: 404
+
+Request
+-------
+
+.. rest_parameters:: parameters.yaml
+
+   - router_id: router_id
+   - conntrack_helper_id: conntrack_helper_id-path
+
+Response
+--------
+
+There is no body content for the response of a successful DELETE request.
+
+List router conntrack helpers
+=============================
+
+.. rest_method:: GET /v2.0/routers/{router_id}/conntrack_helpers
+
+Lists router conntrack helpers associated with a router.
+
+Use the ``fields`` query parameter to control which fields are returned in the response body.
+Additionally, you can filter results by using query string parameters.
+For information, see `Filtering and Column Selection <https://wiki.openstack.org/wiki/Neutron/APIv2
+-specification#Filtering_and_Column_Selection>`__.
+
+Normal response codes: 200
+
+Error response codes: 400, 404
+
+Request
+-------
+
+.. rest_parameters:: parameters.yaml
+
+   - router_id: router_id
+   - id: id-query
+   - helper: conntrack_helper_helper-query
+   - protocol: conntrack_helper_protocol-query
+   - port: conntrack_helper_port-query
+   - sort_key: conntrack_helper-sort_key
+   - sort_dir: sort_dir
+   - fields: fields
+
+Response Parameters
+-------------------
+
+.. rest_parameters:: parameters.yaml
+
+   - conntrack_helpers: conntrack_helpers
+   - id: conntrack_helper_id-body
+   - helper: conntrack_helper_helper-body
+   - protocol: conntrack_helper_protocol-body
+   - port: conntrack_helper_port-body
+
+Response Example
+----------------
+
+.. literalinclude:: samples/conntrack_helpers/conntrack-helper-list-response.json
+   :language: javascript
+
+Create conntrack helper
+=======================
+
+.. rest_method::  POST /v2.0/routers/{router_id}/conntrack_helpers
+
+Creates a router conntrack helper.
+
+Normal response codes: 201
+
+Error response codes: 400, 404
+
+Request
+-------
+
+.. rest_parameters:: parameters.yaml
+
+   - conntrack_helper: conntrack_helper
+   - router_id: router_id
+   - helper: conntrack_helper_helper-body
+   - protocol: conntrack_helper_protocol-body
+   - port: conntrack_helper_port-body
+
+
+Request Example
+---------------
+
+.. literalinclude:: samples/conntrack_helpers/conntrack-helper-create-request.json
+   :language: javascript
+
+Response Parameters
+-------------------
+
+.. rest_parameters:: parameters.yaml
+
+   - conntrack_helper: conntrack_helper
+   - id: conntrack_helper_id-body
+   - helper: conntrack_helper_helper-body
+   - protocol: conntrack_helper_protocol-body
+   - port: conntrack_helper_port-body
+
+Response Example
+----------------
+
+.. literalinclude:: samples/conntrack_helpers/conntrack-helper-create-response.json
+   :language: javascript
diff --git a/api-ref/source/v2/parameters.yaml b/api-ref/source/v2/parameters.yaml
index 6cb6ccff6..c5399ec27 100644
--- a/api-ref/source/v2/parameters.yaml
+++ b/api-ref/source/v2/parameters.yaml
@@ -43,6 +43,12 @@ connection_id-path:
   in: path
   required: true
   type: string
+conntrack_helper_id-path:
+  description: |
+    The ID of the conntrack helper.
+  in: path
+  required: true
+  type: string
 dscp_rule_id:
   description: |
     The ID of the DSCP rule.
@@ -401,6 +407,36 @@ cidr-query:
   in: query
   required: false
   type: string
+conntrack_helper-sort_key:
+  description: |
+    Sorts by a conntrack helper ID attribute. You can specify multiple pairs of
+    sort key and sort direction query parameters. The sort keys are limited to:
+
+    - ``id``
+    - ``helper``
+    - ``port``
+    - ``protocol``
+  in: query
+  required: false
+  type: string
+conntrack_helper_helper-query:
+  description: |
+    Filter the list result by the used helper.
+  in: query
+  required: false
+  type: string
+conntrack_helper_port-query:
+  description: |
+    Filter the list result by the used port.
+  in: query
+  required: false
+  type: integer
+conntrack_helper_protocol-query:
+  description: |
+    Filter the list result by the used protocol.
+  in: query
+  required: false
+  type: string
 default_prefixlen-query:
   description: |
     Filter the subnet pool list result by the size of the prefix to allocate
@@ -2051,6 +2087,60 @@ connection_limit-response:
   in: body
   required: true
   type: integer
+conntrack_helper:
+  description: |
+    A router ``conntrack helper`` object.
+  in: body
+  required: true
+  type: object
+conntrack_helper_helper-body:
+  description: |
+    The netfilter conntrack helper module.
+  in: body
+  required: true
+  type: string
+conntrack_helper_helper-update:
+  description: |
+    The netfilter conntrack helper module.
+  in: body
+  required: false
+  type: string
+conntrack_helper_id-body:
+  description: |
+    The ID of the conntrack helper.
+  in: body
+  required: true
+  type: string
+conntrack_helper_port-body:
+  description: |
+    The network port for the netfilter conntrack target rule.
+  in: body
+  required: true
+  type: integer
+conntrack_helper_port-update:
+  description: |
+    The network port for the netfilter conntrack target rule.
+  in: body
+  required: false
+  type: integer
+conntrack_helper_protocol-body:
+  description: |
+    The network protocol for the netfilter conntrack target rule.
+  in: body
+  required: true
+  type: string
+conntrack_helper_protocol-update:
+  description: |
+    The network protocol for the netfilter conntrack target rule.
+  in: body
+  required: false
+  type: string
+conntrack_helpers:
+  description: |
+    A list of ``router conntrack helpers`` objects.
+  in: body
+  required: true
+  type: array
 created_at_resource:
   description: |
     Time at which the resource has been created (in UTC ISO8601 format).
@@ -5305,6 +5395,16 @@ router-availability_zones:
   in: body
   required: true
   type: array
+router-conntrack_helpers:
+  description: |
+    The associated conntrack helper resources for the roter. If the
+    router has multiple conntrack helper resources, this field has
+    multiple entries. Each entry consists of netfilter conntrack helper
+    (``helper``), the network protocol (``protocol``), the network port
+    (``port``).
+  in: body
+  required: true
+  type: array
 router-destination:
   description: |
     The destination CIDR.
diff --git a/api-ref/source/v2/routers.inc b/api-ref/source/v2/routers.inc
index f0d649e00..4a4a7e482 100644
--- a/api-ref/source/v2/routers.inc
+++ b/api-ref/source/v2/routers.inc
@@ -75,6 +75,13 @@ The ``standard-attr-tag`` adds Tag support for resources with
 standard attributes by adding the ``tags`` attribute
 allowing consumers to associate tags with resources.
 
+L3 conntrack helpers extension (``expose-l3-conntrack-helper``)
+===============================================================
+
+The router conntrack helper extension (``expose-l3-conntrack-helper``) adds the
+``conntrack_helpers`` field to routers, allowing configurable netfilter CT
+target rules for ``routers``.
+
 
 List routers
 ============
@@ -144,6 +151,7 @@ Response Parameters
    - created_at: created_at_resource
    - updated_at: updated_at_resource
    - tags: tags
+   - conntrack_helpers: router-conntrack_helpers
 
 Response Example
 ----------------
@@ -223,6 +231,7 @@ Response Parameters
    - created_at: created_at_resource
    - updated_at: updated_at_resource
    - tags: tags
+   - conntrack_helpers: router-conntrack_helpers
 
 Response Example
 ----------------
@@ -282,6 +291,7 @@ Response Parameters
    - created_at: created_at_resource
    - updated_at: updated_at_resource
    - tags: tags
+   - conntrack_helpers: router-conntrack_helpers
 
 Response Example
 ----------------
@@ -352,6 +362,7 @@ Response Parameters
    - created_at: created_at_resource
    - updated_at: updated_at_resource
    - tags: tags
+   - conntrack_helpers: router-conntrack_helpers
 
 Response Example
 ----------------
diff --git a/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-create-request.json b/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-create-request.json
new file mode 100644
index 000000000..7ace7ed80
--- /dev/null
+++ b/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-create-request.json
@@ -0,0 +1,7 @@
+{
+    "conntrack_helper": {
+        "protocol": "udp",
+        "port": 2121,
+        "helper": "ftp"
+    }
+}
diff --git a/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-create-response.json b/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-create-response.json
new file mode 100644
index 000000000..14ac51c8b
--- /dev/null
+++ b/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-create-response.json
@@ -0,0 +1,8 @@
+{
+    "conntrack_helper": {
+        "protocol": "tcp",
+        "id": "32925de7-580e-4ca9-bfd7-c2c2cefbd2ad",
+        "helper": "ftp",
+        "port": 21
+    }
+}
diff --git a/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-list-response.json b/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-list-response.json
new file mode 100644
index 000000000..5141274b4
--- /dev/null
+++ b/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-list-response.json
@@ -0,0 +1,16 @@
+{
+    "conntrack_helpers": [
+        {
+            "protocol": "udp",
+            "id": "2fc1eebb-e0fa-4c40-868a-7ace444717e1",
+            "helper": "tftp",
+            "port": 6969
+        },
+        {
+            "protocol": "tcp",
+            "id": "ee7c890f-44fa-443d-9326-8574c1c3e5e1",
+            "helper": "ftp",
+            "port": 21
+        }
+    ]
+}
\ No newline at end of file
diff --git a/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-show-response.json b/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-show-response.json
new file mode 100644
index 000000000..68a844a09
--- /dev/null
+++ b/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-show-response.json
@@ -0,0 +1,8 @@
+{
+    "conntrack_helper": {
+        "protocol": "tcp",
+        "id": "2fc1eebb-e0fa-4c40-868a-7ace444717e1",
+        "helper": "ftp",
+        "port": 21
+    }
+}
diff --git a/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-update-request.json b/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-update-request.json
new file mode 100644
index 000000000..e26e1f7da
--- /dev/null
+++ b/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-update-request.json
@@ -0,0 +1,7 @@
+{
+    "conntrack_helper": {
+        "helper": "tftp",
+        "protocol": "udp",
+        "port": 69
+    }
+}
diff --git a/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-update-response.json b/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-update-response.json
new file mode 100644
index 000000000..6053502eb
--- /dev/null
+++ b/api-ref/source/v2/samples/conntrack_helpers/conntrack-helper-update-response.json
@@ -0,0 +1,8 @@
+{
+    "conntrack_helper": {
+        "protocol": "udp",
+        "id": "2fc1eebb-e0fa-4c40-868a-7ace444717e1",
+        "helper": "tftp",
+        "port": 69
+    }
+}
diff --git a/api-ref/source/v2/samples/routers/router-create-response.json b/api-ref/source/v2/samples/routers/router-create-response.json
index cbf5855de..090c643c7 100644
--- a/api-ref/source/v2/samples/routers/router-create-response.json
+++ b/api-ref/source/v2/samples/routers/router-create-response.json
@@ -29,6 +29,7 @@
         "project_id": "0bd18306d801447bb457a46252d82d13",
         "tenant_id": "0bd18306d801447bb457a46252d82d13",
         "service_type_id": null,
-        "tags": ["tag1,tag2"]
+        "tags": ["tag1,tag2"],
+        "conntrack_helpers": []
     }
 }
diff --git a/api-ref/source/v2/samples/routers/router-show-response.json b/api-ref/source/v2/samples/routers/router-show-response.json
index 1676c02de..4741ac37d 100644
--- a/api-ref/source/v2/samples/routers/router-show-response.json
+++ b/api-ref/source/v2/samples/routers/router-show-response.json
@@ -38,6 +38,7 @@
         "project_id": "0bd18306d801447bb457a46252d82d13",
         "tenant_id": "0bd18306d801447bb457a46252d82d13",
         "service_type_id": null,
-        "tags": ["tag1,tag2"]
+        "tags": ["tag1,tag2"],
+        "conntrack_helpers": []
     }
 }
diff --git a/api-ref/source/v2/samples/routers/router-update-response.json b/api-ref/source/v2/samples/routers/router-update-response.json
index d90cff15a..9e3229a15 100644
--- a/api-ref/source/v2/samples/routers/router-update-response.json
+++ b/api-ref/source/v2/samples/routers/router-update-response.json
@@ -34,6 +34,7 @@
         "project_id": "0bd18306d801447bb457a46252d82d13",
         "tenant_id": "0bd18306d801447bb457a46252d82d13",
         "service_type_id": null,
-        "tags": ["tag1,tag2"]
+        "tags": ["tag1,tag2"],
+        "conntrack_helpers": []
     }
 }
diff --git a/api-ref/source/v2/samples/routers/routers-list-response.json b/api-ref/source/v2/samples/routers/routers-list-response.json
index 3569357d4..60cb2618d 100644
--- a/api-ref/source/v2/samples/routers/routers-list-response.json
+++ b/api-ref/source/v2/samples/routers/routers-list-response.json
@@ -39,7 +39,19 @@
             "project_id": "0bd18306d801447bb457a46252d82d13",
             "tenant_id": "0bd18306d801447bb457a46252d82d13",
             "service_type_id": null,
-            "tags": ["tag1,tag2"]
+            "tags": ["tag1,tag2"],
+            "conntrack_helpers": [
+                {
+                    "protocol": "udp",
+                    "helper": "tftp",
+                    "port": 69
+                },
+                {
+                    "protocol": "tcp",
+                    "helper": "ftp",
+                    "port": 21
+                }
+            ]
         },
         {
             "admin_state_up": true,
@@ -75,7 +87,19 @@
             "project_id": "0bd18306d801447bb457a46252d82d13",
             "tenant_id": "0bd18306d801447bb457a46252d82d13",
             "service_type_id": null,
-            "tags": ["tag1,tag2"]
+            "tags": ["tag1,tag2"],
+            "conntrack_helpers": [
+                {
+                    "protocol": "udp",
+                    "helper": "tftp",
+                    "port": 69
+                },
+                {
+                    "protocol": "tcp",
+                    "helper": "ftp",
+                    "port": 21
+                }
+            ]
         }
     ]
 }
diff --git a/neutron_lib/api/definitions/__init__.py b/neutron_lib/api/definitions/__init__.py
index 441e1fde0..26944e397 100644
--- a/neutron_lib/api/definitions/__init__.py
+++ b/neutron_lib/api/definitions/__init__.py
@@ -31,6 +31,7 @@ from neutron_lib.api.definitions import dns
 from neutron_lib.api.definitions import dns_domain_ports
 from neutron_lib.api.definitions import dvr
 from neutron_lib.api.definitions import empty_string_filtering
+from neutron_lib.api.definitions import expose_l3_conntrack_helper
 from neutron_lib.api.definitions import expose_port_forwarding_in_fip
 from neutron_lib.api.definitions import external_net
 from neutron_lib.api.definitions import extra_dhcp_opt
@@ -51,6 +52,7 @@ from neutron_lib.api.definitions import ip_allocation
 from neutron_lib.api.definitions import ip_substring_port_filtering
 from neutron_lib.api.definitions import l2_adjacency
 from neutron_lib.api.definitions import l3
+from neutron_lib.api.definitions import l3_conntrack_helper
 from neutron_lib.api.definitions import l3_ext_gw_mode
 from neutron_lib.api.definitions import l3_ext_ha_mode
 from neutron_lib.api.definitions import l3_flavors
@@ -133,6 +135,7 @@ _ALL_API_DEFINITIONS = {
     dns_domain_ports,
     dvr,
     empty_string_filtering,
+    expose_l3_conntrack_helper,
     expose_port_forwarding_in_fip,
     external_net,
     extra_dhcp_opt,
@@ -153,6 +156,7 @@ _ALL_API_DEFINITIONS = {
     l2_adjacency,
     flowclassifier,
     l3,
+    l3_conntrack_helper,
     l3_ext_gw_mode,
     l3_ext_ha_mode,
     l3_flavors,
diff --git a/neutron_lib/api/definitions/base.py b/neutron_lib/api/definitions/base.py
index 81d6b10cb..b293aa63e 100644
--- a/neutron_lib/api/definitions/base.py
+++ b/neutron_lib/api/definitions/base.py
@@ -91,6 +91,7 @@ KNOWN_EXTENSIONS = (
     'dns-integration',
     'dvr',
     'empty-string-filtering',
+    'expose-l3-conntrack-helper',
     'expose-port-forwarding-in-fip',
     'ext-gw-mode',
     'external-net',
@@ -103,6 +104,7 @@ KNOWN_EXTENSIONS = (
     'floatingip-autodelete-internal',
     'floatingip-pools',
     'ip-substring-filtering',
+    'l3-conntrack-helper',
     'l3-ha',
     'l3_agent_scheduler',
     'l3-port-ip-change-not-allowed',
diff --git a/neutron_lib/api/definitions/expose_l3_conntrack_helper.py b/neutron_lib/api/definitions/expose_l3_conntrack_helper.py
new file mode 100644
index 000000000..4f7dda3d5
--- /dev/null
+++ b/neutron_lib/api/definitions/expose_l3_conntrack_helper.py
@@ -0,0 +1,42 @@
+# Copyright (c) 2019 OpenStack Foundation
+# All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from neutron_lib.api.definitions import l3
+from neutron_lib.api.definitions import l3_conntrack_helper
+
+ALIAS = "expose-l3-conntrack-helper"
+IS_SHIM_EXTENSION = False
+IS_STANDARD_ATTR_EXTENSION = False
+NAME = 'Expose CT target rules for conntrack helper'
+API_PREFIX = ''
+DESCRIPTION = 'Expose allow adding CT target rules for conntrack helper'
+UPDATED_TIMESTAMP = '2019-04-04T10:00:00-00:00'
+RESOURCE_NAME = l3.ROUTER
+COLLECTION_NAME = l3.ROUTERS
+RESOURCE_ATTRIBUTE_MAP = {
+    COLLECTION_NAME: {
+        l3_conntrack_helper.COLLECTION_NAME: {
+            'allow_post': False,
+            'allow_put': False,
+            'is_visible': True,
+            'default': None
+        }
+    }
+}
+SUB_RESOURCE_ATTRIBUTE_MAP = {}
+ACTION_MAP = {}
+REQUIRED_EXTENSIONS = [l3.ALIAS, l3_conntrack_helper.ALIAS]
+OPTIONAL_EXTENSIONS = []
+ACTION_STATUS = {}
diff --git a/neutron_lib/api/definitions/l3_conntrack_helper.py b/neutron_lib/api/definitions/l3_conntrack_helper.py
new file mode 100644
index 000000000..a872d7f07
--- /dev/null
+++ b/neutron_lib/api/definitions/l3_conntrack_helper.py
@@ -0,0 +1,127 @@
+# Copyright (c) 2019 OpenStack Foundation
+# All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from neutron_lib.api import converters
+from neutron_lib.api.definitions import l3
+from neutron_lib.api import validators
+from neutron_lib import constants
+from neutron_lib.db import constants as db_const
+
+PROTOCOLS = constants.IPTABLES_PROTOCOL_MAP.keys()
+
+# The alias of the extension.
+ALIAS = 'l3-conntrack-helper'
+
+# Whether or not this extension is simply signaling behavior to the user
+# or it actively modifies the attribute map.
+IS_SHIM_EXTENSION = False
+
+# Whether the extension is marking the adoption of standardattr model for
+# legacy resources, or introducing new standardattr attributes. False or
+# None if the standardattr model is adopted since the introduction of
+# resource extension.
+# If this is True, the alias for the extension should be prefixed with
+# 'standard-attr-'.
+IS_STANDARD_ATTR_EXTENSION = False
+
+# The name of the extension.
+NAME = 'L3 Conntrack helper'
+
+# A prefix for API resources. An empty prefix means that the API is going
+# to be exposed at the v2/ level as any other core resource.
+API_PREFIX = '/' + l3.ROUTERS
+
+# The description of the extension.
+DESCRIPTION = "Allow adding CT target rules for conntrack helper"
+
+# A timestamp of when the extension was introduced.
+UPDATED_TIMESTAMP = "2019-04-04T10:00:00-00:00"
+
+# The name of the resource.
+RESOURCE_NAME = 'conntrack_helper'
+
+# The plural for the resource.
+COLLECTION_NAME = 'conntrack_helpers'
+
+# parent
+PARENT_RESOURCE_NAME = l3.ROUTER
+PARENT_COLLECTION_NAME = l3.ROUTERS
+
+ID = 'id'
+PROJECT_ID = 'project_id'
+PROTOCOL = 'protocol'
+PORT = 'port'
+HELPER = 'helper'
+RESOURCE_ATTRIBUTE_MAP = {}
+
+# The subresource attribute map for the extension. It adds child resources
+# to main extension's resource. The subresource map must have a parent and
+# a parameters entry. If an extension does not need such a map, None can
+# be specified (mandatory).
+SUB_RESOURCE_ATTRIBUTE_MAP = {
+    COLLECTION_NAME: {
+        'parent': {'collection_name': PARENT_COLLECTION_NAME,
+                   'member_name': PARENT_RESOURCE_NAME},
+        'parameters': {
+            ID: {'allow_post': False,
+                 'allow_put': False,
+                 'validate': {'type:uuid': None},
+                 'is_visible': True,
+                 'primary_key': True,
+                 'is_sort_key': True,
+                 'is_filter': True},
+            PROJECT_ID: {'allow_post': True,
+                         'allow_put': False,
+                         'validate': {
+                             'type:string': db_const.PROJECT_ID_FIELD_SIZE},
+                         'required_by_policy': True,
+                         'is_visible': False},
+            PROTOCOL: {'allow_post': True, 'allow_put': True,
+                       'validate': {'type:values': PROTOCOLS},
+                       'is_visible': True,
+                       'convert_to': converters.convert_to_protocol,
+                       'is_sort_key': True,
+                       'is_filter': True},
+            PORT: {'allow_post': True, 'allow_put': True,
+                   'convert_to': converters.convert_to_int,
+                   'validate': {'type:range': [1, 65535]},
+                   'is_visible': True,
+                   'is_sort_key': True,
+                   'is_filter': True},
+            HELPER: {'allow_post': True, 'allow_put': True,
+                     'convert_to': converters.convert_to_string,
+                     'validate': {'type:string': validators.validate_string},
+                     'is_visible': True,
+                     'is_sort_key': True,
+                     'is_filter': True},
+        }
+    }
+}
+
+# The action map: it associates verbs with methods to be performed on
+# the API resource.
+ACTION_MAP = {
+}
+
+# The action status.
+ACTION_STATUS = {
+}
+
+# The list of required extensions.
+REQUIRED_EXTENSIONS = [l3.ALIAS]
+
+# The list of optional extensions.
+OPTIONAL_EXTENSIONS = [
+]
diff --git a/neutron_lib/tests/unit/api/definitions/test_expose_l3_conntrack_helper.py b/neutron_lib/tests/unit/api/definitions/test_expose_l3_conntrack_helper.py
new file mode 100644
index 000000000..5e104243c
--- /dev/null
+++ b/neutron_lib/tests/unit/api/definitions/test_expose_l3_conntrack_helper.py
@@ -0,0 +1,24 @@
+# Copyright (c) 2019 OpenStack Foundation
+# All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from neutron_lib.api.definitions import expose_l3_conntrack_helper
+from neutron_lib.api.definitions import l3_conntrack_helper
+from neutron_lib.tests.unit.api.definitions import base
+
+
+class ExposeL3ConntrackHelperDefinitionTestCase(base.DefinitionBaseTestCase):
+    extension_module = expose_l3_conntrack_helper
+    extension_resources = (expose_l3_conntrack_helper.COLLECTION_NAME,)
+    extension_attributes = (l3_conntrack_helper.COLLECTION_NAME,)
diff --git a/neutron_lib/tests/unit/api/definitions/test_l3_conntrack_helper.py b/neutron_lib/tests/unit/api/definitions/test_l3_conntrack_helper.py
new file mode 100644
index 000000000..b980fb402
--- /dev/null
+++ b/neutron_lib/tests/unit/api/definitions/test_l3_conntrack_helper.py
@@ -0,0 +1,28 @@
+# Copyright (c) 2019 OpenStack Foundation
+# All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from neutron_lib.api.definitions import l3_conntrack_helper
+from neutron_lib.tests.unit.api.definitions import base
+
+
+class ConntrackHelperDefinitionTestCase(base.DefinitionBaseTestCase):
+    extension_module = l3_conntrack_helper
+    extension_resources = (l3_conntrack_helper.PARENT_COLLECTION_NAME,)
+    extension_attributes = (l3_conntrack_helper.ID,
+                            l3_conntrack_helper.PROTOCOL,
+                            l3_conntrack_helper.PORT,
+                            l3_conntrack_helper.HELPER,
+                            l3_conntrack_helper.PROJECT_ID)
+    extension_subresources = (l3_conntrack_helper.COLLECTION_NAME,)
diff --git a/releasenotes/notes/l3_conntrack_helper-f186bcdcc31bcaf2.yaml b/releasenotes/notes/l3_conntrack_helper-f186bcdcc31bcaf2.yaml
new file mode 100644
index 000000000..690363e06
--- /dev/null
+++ b/releasenotes/notes/l3_conntrack_helper-f186bcdcc31bcaf2.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The ``l3-conntrack-helper`` API definition for ``Router`` is introduced,
+    which allows conntrack helper target rules to be set for a ``Router``.
+  - |
+    Introduced ``expose-l3-conntrack-helper`` API extension for exposing
+    ``conntrack_helpers`` field in ``Router`` API response. This extension
+    requires the ``router`` and ``conntrack_helper`` service plugins.