Revert "Setup firewall filters only for required ports"
This reverts commit 75edc1ff28.
Ports with port security disabled require firewall entries in
neutron-openvswi-FORWARD chain to work properly.
Ports created with no security groups will not get skipped with current
code.
With fixed security groups check, these ports' security groups can not
be updated after creation.
Change-Id: I95ddbe38d8ac8a927a860a98f54e41e17fb71d43
Closes-Bug: #1549443
This commit is contained in:
Bernard Cafarelli
Daniel Alvarez
parent
4ae6790d82
commit
a8b6a597b6
|
|
@ -1481,7 +1481,6 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
|
|||
def treat_devices_added_or_updated(self, devices, ovs_restarted):
|
||||
skipped_devices = []
|
||||
need_binding_devices = []
|
||||
security_disabled_devices = []
|
||||
devices_details_list = (
|
||||
self.plugin_rpc.get_devices_details_list_and_failed_devices(
|
||||
self.context,
|
||||
|
|
@ -1519,11 +1518,6 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
|
|||
ovs_restarted)
|
||||
if need_binding:
|
||||
need_binding_devices.append(details)
|
||||
|
||||
port_security = details['port_security_enabled']
|
||||
has_sgs = 'security_groups' in details
|
||||
if not port_security or not has_sgs:
|
||||
security_disabled_devices.append(device)
|
||||
self._update_port_network(details['port_id'],
|
||||
details['network_id'])
|
||||
self.ext_manager.handle_port(self.context, details)
|
||||
|
|
@ -1534,7 +1528,7 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
|
|||
if (port and port.ofport != -1):
|
||||
self.port_dead(port)
|
||||
return (skipped_devices, need_binding_devices,
|
||||
security_disabled_devices, failed_devices)
|
||||
failed_devices)
|
||||
|
||||
def _update_port_network(self, port_id, network_id):
|
||||
self._clean_network_ports(port_id)
|
||||
|
|
@ -1614,12 +1608,11 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
|
|||
devices_added_updated = (port_info.get('added', set()) |
|
||||
port_info.get('updated', set()))
|
||||
need_binding_devices = []
|
||||
security_disabled_ports = []
|
||||
skipped_devices = set()
|
||||
if devices_added_updated:
|
||||
start = time.time()
|
||||
(skipped_devices, need_binding_devices,
|
||||
security_disabled_ports, failed_devices['added']) = (
|
||||
failed_devices['added']) = (
|
||||
self.treat_devices_added_or_updated(
|
||||
devices_added_updated, ovs_restarted))
|
||||
LOG.debug("process_network_ports - iteration:%(iter_num)d - "
|
||||
|
|
@ -1640,8 +1633,6 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
|
|||
# unnecessarily, (eg: when there are no IP address changes)
|
||||
added_ports = port_info.get('added', set()) - skipped_devices
|
||||
self._add_port_tag_info(need_binding_devices)
|
||||
if security_disabled_ports:
|
||||
added_ports -= set(security_disabled_ports)
|
||||
self.sg_agent.setup_port_filters(added_ports,
|
||||
port_info.get('updated', set()))
|
||||
failed_devices['added'] |= self._bind_devices(need_binding_devices)
|
||||
|
|
|
|||
|
|
@ -127,8 +127,6 @@ class RpcCallbacks(type_tunnel.TunnelRpcCallbackMixin):
|
|||
'qos_policy_id': port.get(qos_consts.QOS_POLICY_ID),
|
||||
'network_qos_policy_id': network_qos_policy_id,
|
||||
'profile': port[portbindings.PROFILE]}
|
||||
if 'security_groups' in port:
|
||||
entry['security_groups'] = port['security_groups']
|
||||
LOG.debug("Returning: %s", entry)
|
||||
return entry
|
||||
|
||||
|
|
|
|||
|
|
@ -212,8 +212,6 @@ class OVSAgentTestFramework(base.BaseOVSLinuxTestCase):
|
|||
'segmentation_id': network.get('segmentation_id', 1),
|
||||
'fixed_ips': port['fixed_ips'],
|
||||
'device_owner': n_const.DEVICE_OWNER_COMPUTE_PREFIX,
|
||||
'port_security_enabled': True,
|
||||
'security_groups': ['default'],
|
||||
'admin_state_up': True}
|
||||
return dev
|
||||
|
||||
|
|
|
|||
|
|
@ -768,7 +768,7 @@ class TestOvsNeutronAgent(object):
|
|||
'get_port_tag_dict',
|
||||
return_value={}),\
|
||||
mock.patch.object(self.agent, func_name) as func:
|
||||
skip_devs, need_bound_devices, insecure_ports, _ = (
|
||||
skip_devs, need_bound_devices, _ = (
|
||||
self.agent.treat_devices_added_or_updated([], False))
|
||||
# The function should not raise
|
||||
self.assertFalse(skip_devs)
|
||||
|
|
@ -842,7 +842,7 @@ class TestOvsNeutronAgent(object):
|
|||
skip_devs = self.agent.treat_devices_added_or_updated([], False)
|
||||
# The function should return False for resync and no device
|
||||
# processed
|
||||
self.assertEqual((['the_skipped_one'], [], [], set()), skip_devs)
|
||||
self.assertEqual((['the_skipped_one'], [], set()), skip_devs)
|
||||
self.assertFalse(treat_vif_port.called)
|
||||
|
||||
def test_treat_devices_added_failed_devices(self):
|
||||
|
|
@ -857,7 +857,7 @@ class TestOvsNeutronAgent(object):
|
|||
mock.patch.object(self.agent,
|
||||
'treat_vif_port') as treat_vif_port:
|
||||
failed_devices = {'added': set(), 'removed': set()}
|
||||
(_, _, _, failed_devices['added']) = (
|
||||
(_, _, failed_devices['added']) = (
|
||||
self.agent.treat_devices_added_or_updated([], False))
|
||||
# The function should return False for resync and no device
|
||||
# processed
|
||||
|
|
@ -874,8 +874,7 @@ class TestOvsNeutronAgent(object):
|
|||
'network_type': 'baz',
|
||||
'fixed_ips': [{'subnet_id': 'my-subnet-uuid',
|
||||
'ip_address': '1.1.1.1'}],
|
||||
'device_owner': DEVICE_OWNER_COMPUTE,
|
||||
'port_security_enabled': True
|
||||
'device_owner': DEVICE_OWNER_COMPUTE
|
||||
}
|
||||
|
||||
with mock.patch.object(self.agent.plugin_rpc,
|
||||
|
|
@ -889,7 +888,7 @@ class TestOvsNeutronAgent(object):
|
|||
return_value={}),\
|
||||
mock.patch.object(self.agent,
|
||||
'treat_vif_port') as treat_vif_port:
|
||||
skip_devs, need_bound_devices, insecure_ports, _ = (
|
||||
skip_devs, need_bound_devices, _ = (
|
||||
self.agent.treat_devices_added_or_updated([], False))
|
||||
# The function should return False for resync
|
||||
self.assertFalse(skip_devs)
|
||||
|
|
@ -956,7 +955,7 @@ class TestOvsNeutronAgent(object):
|
|||
mock.patch.object(
|
||||
self.agent, "treat_devices_added_or_updated",
|
||||
return_value=(
|
||||
skipped_devices, [], [],
|
||||
skipped_devices, [],
|
||||
failed_devices['added'])) as device_added_updated,\
|
||||
mock.patch.object(self.agent.int_br, "get_ports_attributes",
|
||||
return_value=[]),\
|
||||
|
|
@ -1001,28 +1000,6 @@ class TestOvsNeutronAgent(object):
|
|||
def test_process_network_port_with_empty_port(self):
|
||||
self._test_process_network_ports({})
|
||||
|
||||
def test_process_network_ports_with_insecure_ports(self):
|
||||
port_info = {'current': set(['tap0', 'tap1']),
|
||||
'updated': set(['tap1']),
|
||||
'removed': set([]),
|
||||
'added': set(['eth1'])}
|
||||
failed_dev = {'added': set(), 'removed': set()}
|
||||
with mock.patch.object(self.agent.sg_agent,
|
||||
"setup_port_filters") as setup_port_filters,\
|
||||
mock.patch.object(
|
||||
self.agent,
|
||||
"treat_devices_added_or_updated",
|
||||
return_value=(
|
||||
[], [], ['eth1'],
|
||||
failed_dev['added'])) as device_added_updated:
|
||||
self.assertEqual(
|
||||
failed_dev,
|
||||
self.agent.process_network_ports(port_info, False))
|
||||
device_added_updated.assert_called_once_with(
|
||||
set(['eth1', 'tap1']), False)
|
||||
setup_port_filters.assert_called_once_with(
|
||||
set(), port_info.get('updated', set()))
|
||||
|
||||
def test_hybrid_plug_flag_based_on_firewall(self):
|
||||
cfg.CONF.set_default(
|
||||
'firewall_driver',
|
||||
|
|
|
|||
Loading…
Reference in New Issue