[FWaaS] Update icmp_reachability_test for OVN backend

FWaaS uses stateless ACL rules in OVN when the OVN driver is used. That
means that traffic in both directions always needs to be allowed
explicitly.
This patch adjusts the
fwaas.scenario.test_fwaas_v2.TestFWaaS_v2.test_icmp_reachability_scenarios
test so that in the 3rd step it allows ICMP traffic in both directions
and the test passes.

This patch also adds a new config option `driver` in the `fwaas` group.
This option can be used to tell Tempest which FWaaS driver is used in the
deployment so that the appropriate test path can be chosen.

Change-Id: I4f238300069df4777245bb64f83824ea36296cc7
Slawek Kaplonski 2025-04-23 12:48:16 +02:00
parent 1a11bc0185
commit c732e87acc
2 changed files with 20 additions and 3 deletions


@ -207,6 +207,10 @@ FwaasGroup = [
deprecated_for_removal=True,
deprecated_reason='Tests are skipped according to '
'the available extensions.'),
cfg.StrOpt('driver',
default=None,
choices=['openvswitch', 'ovn'],
help='Driver used by the FWaaS plugin.'),
]
fwaas_group = cfg.OptGroup(
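Review bot: The help text for the new `driver` option does not say what the tests assume when it is left at its default of `None`. Judging from the scenario test changed in this same commit, any value other than 'ovn' takes the stateful path, so an OVN deployment that leaves the option unset would presumably fail scenario 3 instead of running the OVN variant. I would state that in the option itself, e.g. `help='Driver used by the FWaaS plugin. If unset, tests assume stateful rules (openvswitch behaviour).'`. The FwaasGroup list starts above this hunk.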


@ -269,12 +269,11 @@ class TestFWaaS_v2(base.FWaaSScenarioTest_V2):
# Scenario 3: Create a rule allowing ICMP only from server_fixed_ip_1
# to server_fixed_ip_2 and check that traffic from opposite direction
# is blocked.
# is blocked (for ovs driver where rules are stateful).
fw_allow_unidirectional_icmp_rule = self.create_firewall_rule(
action="allow", protocol="icmp",
source_ip_address=topology['server_fixed_ip_1'],
destination_ip_address=topology['server_fixed_ip_2'])
self.remove_firewall_rule_from_policy_and_wait(
firewall_group_id=fw_group['id'],
firewall_rule_id=fw_deny_icmp_rule['id'],
@ -284,6 +283,20 @@ class TestFWaaS_v2(base.FWaaSScenarioTest_V2):
firewall_rule_id=fw_allow_unidirectional_icmp_rule['id'],
firewall_policy_id=fw_policy['id'])
if CONF.fwaas.driver == 'ovn':
# NOTE(slaweq): OVN driver in FWaaS implements only stateless rules
# so allowing only unidirectional traffic is not enough as ICMP
# replies are still blocked and to make it working additional rule
# for the opposite direction is required also:
fw_allow_icmp_reply_rule = self.create_firewall_rule(
action="allow", protocol="icmp",
source_ip_address=topology['server_fixed_ip_2'],
destination_ip_address=topology['server_fixed_ip_1'])
self.insert_firewall_rule_in_policy_and_wait(
firewall_group_id=fw_group['id'],
firewall_rule_id=fw_allow_icmp_reply_rule['id'],
firewall_policy_id=fw_policy['id'])
self._check_server_connectivity(
topology['server_floating_ip_1'],
topology['private_key1'],
@ -293,7 +306,7 @@ class TestFWaaS_v2(base.FWaaSScenarioTest_V2):
topology['server_floating_ip_2'],
topology['private_key2'],
address_list=[topology['server_fixed_ip_1']],
should_connect=False)
should_connect=CONF.fwaas.driver == 'ovn')
# Disassociate ports of this firewall group for cleanup resources
self.update_firewall_group_and_wait(fw_group['id'], ports=[])
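Review bot: On the OVN path scenario 3 no longer asserts that any traffic is blocked: once the reply rule is inserted, both connectivity checks expect success, so a firewall group that fails open would still pass this step. The scenario comment should state the OVN expectation next to the ovs one, for example `# With the ovn driver rules are stateless, so ICMP is allowed in both directions and the reverse check expects connectivity.` The expression `CONF.fwaas.driver == 'ovn'` also appears twice; binding it once, `stateless_rules = CONF.fwaas.driver == 'ovn'`, and using it for both the `if` and `should_connect=` keeps the rule setup and the assertion in step. The test method starts outside the visible hunks.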