diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py index 631fcc6bc12..ffe0a727290 100644 --- a/neutron/agent/linux/iptables_firewall.py +++ b/neutron/agent/linux/iptables_firewall.py @@ -599,9 +599,15 @@ class IptablesFirewallDriver(firewall.FirewallDriver): rule, port, direction)) return port_rules + def _get_any_remote_group_id_in_rule(self, rule): + remote_group_id = rule.get('remote_group_id') + if not remote_group_id: + remote_group_id = rule.get('remote_address_group_id') + return remote_group_id + def _expand_sg_rule_with_remote_ips(self, rule, port, direction): """Expand a remote group rule to rule per remote group IP.""" - remote_group_id = rule.get('remote_group_id') + remote_group_id = self._get_any_remote_group_id_in_rule(rule) if remote_group_id: ethertype = rule['ethertype'] port_ips = port.get('fixed_ips', []) @@ -623,7 +629,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver): for sg_id in sg_ids: for rule in self.sg_rules.get(sg_id, []): if not direction or rule['direction'] == direction: - remote_sg_id = rule.get('remote_group_id') + remote_sg_id = self._get_any_remote_group_id_in_rule(rule) ether_type = rule.get('ethertype') if remote_sg_id and ether_type: remote_sg_ids[ether_type].add(remote_sg_id) @@ -703,7 +709,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver): return args def _convert_sg_rule_to_iptables_args(self, sg_rule): - remote_gid = sg_rule.get('remote_group_id') + remote_gid = self._get_any_remote_group_id_in_rule(sg_rule) if self.enable_ipset and remote_gid: return self._generate_ipset_rule_args(sg_rule, remote_gid) else: diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py index b177c7ee06c..89434db9660 100644 --- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py +++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py @@ -2333,6 +2333,22 @@ class IptablesFirewallEnhancedIpsetTestCase(BaseIptablesFirewallTestCase): self.firewall.ipset.assert_has_calls(calls, True) + def test__get_any_remote_group_id_in_rule_with_remote_group(self): + sg_rule = {'direction': 'ingress', + 'remote_group_id': FAKE_SGID, + 'ethertype': _IPv4} + + self.assertEqual(FAKE_SGID, + self.firewall._get_any_remote_group_id_in_rule(sg_rule)) + + def test__get_any_remote_group_id_in_rule_with_remote_address_group(self): + sg_rule = {'direction': 'ingress', + 'remote_address_group_id': FAKE_SGID, + 'ethertype': _IPv6} + + self.assertEqual(FAKE_SGID, + self.firewall._get_any_remote_group_id_in_rule(sg_rule)) + def test_sg_rule_expansion_with_remote_ips(self): other_ips = [('10.0.0.2', 'fa:16:3e:aa:bb:c1'), ('10.0.0.3', 'fa:16:3e:aa:bb:c2'), diff --git a/releasenotes/notes/iptables-support-remote-address-groups-89da589aad3c01d3.yaml b/releasenotes/notes/iptables-support-remote-address-groups-89da589aad3c01d3.yaml new file mode 100644 index 00000000000..160b6b2af5a --- /dev/null +++ b/releasenotes/notes/iptables-support-remote-address-groups-89da589aad3c01d3.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + Remote address group support was added to the iptables-based firewall + drivers (IptablesFirewallDriver and OVSHybridIptablesFirewallDriver), + Previously it was only available in the OVSFirewallDriver. + For more information, see bug + `2058138 `_. \ No newline at end of file