[FWaaS] Update icmp_reachability_test for OVN backend
FWaaS uses stateless ACL rules in OVN when the OVN driver is used. That means that traffic for both directions always needs to be allowed explicitly. This patch adjusts the fwaas.scenario.test_fwaas_v2.TestFWaaS_v2.test_icmp_reachability_scenarios test so that in the 3rd step it allows ICMP traffic in both directions and the test passes. This patch also adds a new config option `driver` in the `fwaas` group. This option can be used to tell Tempest which FWaaS driver is used in the deployment so that the appropriate test path can be chosen. Change-Id: I4f238300069df4777245bb64f83824ea36296cc7
parent
1a11bc0185
commit
c732e87acc
@ -207,6 +207,10 @@ FwaasGroup = [
|
||||
deprecated_for_removal=True,
|
||||
deprecated_reason='Tests are skipped according to '
|
||||
'the available extensions.'),
|
||||
cfg.StrOpt('driver',
|
||||
default=None,
|
||||
choices=['openvswitch', 'ovn'],
|
||||
help='Driver used by the FWaaS plugin.'),
|
||||
]
|
||||
|
||||
fwaas_group = cfg.OptGroup(
|
||||
|
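Review bot: The help text of the new `driver` option does not say what the option controls or what leaving it unset means. With `default=None`, the scenario test compares the value against `'ovn'`, so a deployment that runs the OVN driver without setting it is checked against the stateful expectations. I would spell that out, e.g. `help='FWaaS driver used in the deployment; selects stateful (openvswitch) or stateless (ovn) expectations in scenario tests. When unset, stateful behaviour is assumed.'`. The `FwaasGroup` list begins outside this hunk.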
@ -269,12 +269,11 @@ class TestFWaaS_v2(base.FWaaSScenarioTest_V2):
|
||||
|
||||
# Scenario 3: Create a rule allowing ICMP only from server_fixed_ip_1
|
||||
# to server_fixed_ip_2 and check that traffic from opposite direction
|
||||
# is blocked.
|
||||
# is blocked (for ovs driver where rules are stateful).
|
||||
fw_allow_unidirectional_icmp_rule = self.create_firewall_rule(
|
||||
action="allow", protocol="icmp",
|
||||
source_ip_address=topology['server_fixed_ip_1'],
|
||||
destination_ip_address=topology['server_fixed_ip_2'])
|
||||
|
||||
self.remove_firewall_rule_from_policy_and_wait(
|
||||
firewall_group_id=fw_group['id'],
|
||||
firewall_rule_id=fw_deny_icmp_rule['id'],
|
||||
@ -284,6 +283,20 @@ class TestFWaaS_v2(base.FWaaSScenarioTest_V2):
|
||||
firewall_rule_id=fw_allow_unidirectional_icmp_rule['id'],
|
||||
firewall_policy_id=fw_policy['id'])
|
||||
|
||||
if CONF.fwaas.driver == 'ovn':
|
||||
# NOTE(slaweq): OVN driver in FWaaS implements only stateless rules
|
||||
# so allowing only unidirectional traffic is not enough as ICMP
|
||||
# replies are still blocked and to make it working additional rule
|
||||
# for the opposite direction is required also:
|
||||
fw_allow_icmp_reply_rule = self.create_firewall_rule(
|
||||
action="allow", protocol="icmp",
|
||||
source_ip_address=topology['server_fixed_ip_2'],
|
||||
destination_ip_address=topology['server_fixed_ip_1'])
|
||||
self.insert_firewall_rule_in_policy_and_wait(
|
||||
firewall_group_id=fw_group['id'],
|
||||
firewall_rule_id=fw_allow_icmp_reply_rule['id'],
|
||||
firewall_policy_id=fw_policy['id'])
|
||||
|
||||
self._check_server_connectivity(
|
||||
topology['server_floating_ip_1'],
|
||||
topology['private_key1'],
|
||||
@ -293,7 +306,7 @@ class TestFWaaS_v2(base.FWaaSScenarioTest_V2):
|
||||
topology['server_floating_ip_2'],
|
||||
topology['private_key2'],
|
||||
address_list=[topology['server_fixed_ip_1']],
|
||||
should_connect=False)
|
||||
should_connect=CONF.fwaas.driver == 'ovn')
|
||||
|
||||
# Disassociate ports of this firewall group for cleanup resources
|
||||
self.update_firewall_group_and_wait(fw_group['id'], ports=[])
|
||||
|
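Review bot: With `CONF.fwaas.driver == 'ovn'`, scenario 3 no longer asserts that any ICMP is blocked. The reply rule is inserted before the first connectivity check and the final check becomes `should_connect=True`, so a firewall group that enforced nothing would pass this step (earlier scenarios may cover blocking, but they are outside these hunks). I would assert, before `fw_allow_icmp_reply_rule` is inserted, that the reverse direction is still denied while only the unidirectional rule is in place, as sketched below; this assumes unmatched traffic is dropped by default. The scenario 3 comment should also state what is expected on OVN, not only on ovs. The test method begins outside the hunks shown.

```python
if CONF.fwaas.driver == 'ovn':
    # Stateless rules: with only the 1 -> 2 allow rule in place, ICMP
    # from server 2 to server 1 must still be blocked. Assert that
    # before the reply rule opens the opposite direction.
    self._check_server_connectivity(
        topology['server_floating_ip_2'],
        topology['private_key2'],
        address_list=[topology['server_fixed_ip_1']],
        should_connect=False)
    # … unchanged: create fw_allow_icmp_reply_rule and insert it in the policy …
```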