From 1a3b56a0d548c5676d3a80607fd66d30c1bbca81 Mon Sep 17 00:00:00 2001 From: Michael Johnson Date: Tue, 23 Jun 2020 17:30:04 -0700 Subject: [PATCH] Add support for nftables This patch adds support for nftables (an iptables replacement) to the devstack plugin and the amphora agent. Change-Id: I9e2c4d6e68da67d68c6dfeb3b47edd600d1ba397 --- devstack/plugin.sh | 40 ++++++--- diskimage-create/diskimage-create.sh | 3 + elements/amphora-agent/package-installs.yaml | 3 + .../static/usr/local/bin/udp-masquerade.sh | 81 +++++++++++++++++++ .../templates/plug_port_ethX.conf.j2 | 4 +- .../templates/plug_vip_ethX.conf.j2 | 4 +- .../rh_plug_port_eth_ifdown_local.conf.j2 | 4 +- .../rh_plug_port_eth_ifup_local.conf.j2 | 4 +- .../backend/agent/api_server/test_server.py | 57 ++++++------- .../backends/agent/api_server/test_plug.py | 22 +++-- ...add-nftables-support-c86a89c420f6a42a.yaml | 4 + zuul.d/jobs.yaml | 7 ++ zuul.d/projects.yaml | 3 + 13 files changed, 174 insertions(+), 62 deletions(-) create mode 100755 elements/amphora-agent/static/usr/local/bin/udp-masquerade.sh create mode 100644 releasenotes/notes/add-nftables-support-c86a89c420f6a42a.yaml diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 435a0f367e..c2ce70f2a0 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -64,6 +64,11 @@ function build_octavia_worker_image { export DIB_LOCAL_ELEMENTS=$DIB_LOCAL_ELEMENTS fi + # Pull in the option to install nftables in the amphora + if [ -n "$DIB_OCTAVIA_AMP_USE_NFTABLES" ]; then + export DIB_OCTAVIA_AMP_USE_NFTABLES=$DIB_OCTAVIA_AMP_USE_NFTABLES + fi + # pull the agent code from the current code zuul has a reference to if [ -n "$DIB_REPOLOCATION_pip_and_virtualenv" ]; then export DIB_REPOLOCATION_pip_and_virtualenv=$DIB_REPOLOCATION_pip_and_virtualenv 
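Review bot: The variable exported here, `DIB_OCTAVIA_AMP_USE_NFTABLES`, is not the one the new zuul job sets: `octavia-v2-dsvm-scenario-nftables` in zuul.d/jobs.yaml puts `OCTAVIA_AMP_USE_NFTABLES: True` into `devstack_localrc`. Nothing in the visible hunks maps one name to the other, so unless a settings file outside this patch does, the image is built with the `False` default from diskimage-create.sh and the job exercises the iptables fallback while being reported as an nftables run. The job variable should probably read `DIB_OCTAVIA_AMP_USE_NFTABLES: True`. build_octavia_worker_image starts and ends outside the hunk.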
@@ -463,18 +468,35 @@ function create_mgmt_network_interface { die "Unknown network controller. Please define octavia_create_network_interface_device" fi sudo ip link set dev o-hm0 address $MGMT_PORT_MAC - if [ $SERVICE_IP_VERSION == '6' ] ; then - # Allow the required IPv6 ICMP messages - sudo ip6tables -I INPUT -i o-hm0 -p ipv6-icmp -j ACCEPT - sudo ip6tables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_HM_LISTEN_PORT -j ACCEPT - sudo ip6tables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_ADMIN_PORT -j ACCEPT - sudo ip6tables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_TENANT_PORT -j ACCEPT + + # Check if the host is using nftables, an alternative to iptables + if [ -x "$(sudo bash -c 'command -v nft')" ]; then + sudo nft add table inet octavia + sudo nft add chain inet octavia o-hm0-incoming { type filter hook input priority 0\;} + sudo nft flush chain inet octavia o-hm0-incoming + # Note: Order is important here and using counter here as this is + # devstack for testing. + sudo nft insert rule inet octavia o-hm0-incoming iifname "o-hm0" counter log drop + sudo nft insert rule inet octavia o-hm0-incoming iifname "o-hm0" meta l4proto ipv6-icmp counter accept + sudo nft insert rule inet octavia o-hm0-incoming iifname "o-hm0" udp dport $OCTAVIA_HM_LISTEN_PORT counter accept + sudo nft insert rule inet octavia o-hm0-incoming iifname "o-hm0" udp dport $OCTAVIA_AMP_LOG_ADMIN_PORT counter accept + sudo nft insert rule inet octavia o-hm0-incoming iifname "o-hm0" udp dport $OCTAVIA_AMP_LOG_TENANT_PORT counter accept + sudo nft insert rule inet octavia o-hm0-incoming iifname "o-hm0" ct state related,established accept else - sudo iptables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_HM_LISTEN_PORT -j ACCEPT - sudo iptables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_ADMIN_PORT -j ACCEPT - sudo iptables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_TENANT_PORT -j ACCEPT + if [ $SERVICE_IP_VERSION == '6' ] ; then + # Allow the required IPv6 ICMP messages + 
sudo ip6tables -I INPUT -i o-hm0 -p ipv6-icmp -j ACCEPT + sudo ip6tables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_HM_LISTEN_PORT -j ACCEPT + sudo ip6tables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_ADMIN_PORT -j ACCEPT + sudo ip6tables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_TENANT_PORT -j ACCEPT + else + sudo iptables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_HM_LISTEN_PORT -j ACCEPT + sudo iptables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_ADMIN_PORT -j ACCEPT + sudo iptables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_TENANT_PORT -j ACCEPT + fi fi + if [ $OCTAVIA_CONTROLLER_IP_PORT_LIST == 'auto' ] ; then iniset $OCTAVIA_CONF health_manager controller_ip_port_list $MGMT_PORT_IP:$OCTAVIA_HM_LISTEN_PORT else diff --git a/diskimage-create/diskimage-create.sh b/diskimage-create/diskimage-create.sh index 2c70165b1d..d052759dfb 100755 --- a/diskimage-create/diskimage-create.sh +++ b/diskimage-create/diskimage-create.sh @@ -289,6 +289,9 @@ else export ELEMENTS_PATH=$OCTAVIA_ELEMENTS_PATH fi +# Make sure we have a value set for DIB_OCTAVIA_AMP_USE_NFTABLES +export DIB_OCTAVIA_AMP_USE_NFTABLES=${DIB_OCTAVIA_AMP_USE_NFTABLES:-False} + export CLOUD_INIT_DATASOURCES=${CLOUD_INIT_DATASOURCES:-"ConfigDrive"} # Additional RHEL environment checks diff --git a/elements/amphora-agent/package-installs.yaml b/elements/amphora-agent/package-installs.yaml index 2dc614d82c..d122486326 100644 --- a/elements/amphora-agent/package-installs.yaml +++ b/elements/amphora-agent/package-installs.yaml @@ -59,3 +59,6 @@ ureadahead: uuid-runtime: vim-tiny: vlan: + +nftables: + when: DIB_OCTAVIA_AMP_USE_NFTABLES = True diff --git a/elements/amphora-agent/static/usr/local/bin/udp-masquerade.sh b/elements/amphora-agent/static/usr/local/bin/udp-masquerade.sh new file mode 100755 index 0000000000..1368b84e76 --- /dev/null +++ b/elements/amphora-agent/static/usr/local/bin/udp-masquerade.sh 
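Review bot: The nft branch is selected because an `nft` binary exists, not because nftables is what actually filters this host, and its accepts do not behave like the `iptables -I INPUT ... -j ACCEPT` rules in the else branch. An accept verdict in `o-hm0-incoming` only ends evaluation of that base chain; any other chain hooked on input (firewalld's, or rules loaded through iptables-nft) still sees the packet and can drop it, so the health-manager and log ports may stay closed. The trailing `counter log drop` rule is also new behaviour: all other traffic arriving on o-hm0, IPv4 ICMP included, is now dropped and logged with no rate limit, which the iptables path never did. I would say so in the comment above the rules, e.g. `# Accepts here do not override drops in other input chains; unlike the iptables path, all other o-hm0 traffic is dropped and logged.` create_mgmt_network_interface starts and ends outside the hunk.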
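Review bot: The value defaulted here appears to be compared as a literal string by the new `when: DIB_OCTAVIA_AMP_USE_NFTABLES = True` entry in elements/amphora-agent/package-installs.yaml, so `true`, `1` or `yes` would leave nftables out of the image without any message. At runtime udp-masquerade.sh then falls back to iptables because `nft` is absent, which makes the misconfiguration silent end to end. I would document the accepted value next to the default, e.g. `# Must be exactly "True" to install nftables in the amphora; any other value selects iptables.`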
@@ -0,0 +1,81 @@ +#!/bin/bash +# +# Copyright 2020 Red Hat, Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +set -e + +usage() { + echo + echo "Usage: $(basename "$0") [add|delete] [ipv4|ipv6] " + echo + exit 1 +} + +if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then + usage +fi + +if [ "$1" == "add" ]; then + + if [ -x "$(sudo bash -c 'command -v nft')" ]; then + # Note: inet for nat requires a 5.2 or newer kernel. + if [ "$2" == "ipv4" ]; then + nft add table ip octavia-ipv4 + nft add chain ip octavia-ipv4 ip-udp-masq { type nat hook postrouting priority 100\;} + nft add rule ip octavia-ipv4 ip-udp-masq oifname "$3" meta l4proto udp masquerade + elif [ "$2" == "ipv6" ]; then + nft add table ip6 octavia-ipv6 + nft add chain ip6 octavia-ipv6 ip6-udp-masq { type nat hook postrouting priority 100\;} + nft add rule ip6 octavia-ipv6 ip6-udp-masq oifname "$3" meta l4proto udp masquerade + else + usage + fi + + else # nft not found, fall back to iptables + if [ "$2" == "ipv4" ]; then + /sbin/iptables -t nat -A POSTROUTING -p udp -o $3 -j MASQUERADE + elif [ "$2" == "ipv6" ]; then + /sbin/ip6tables -t nat -A POSTROUTING -p udp -o $3 -j MASQUERADE + else + usage + fi + fi + +elif [ "$1" == "delete" ]; then + + if [ -x "$(sudo bash -c 'command -v nft')" ]; then + if [ "$2" == "ipv4" ]; then + nft flush chain ip octavia-ipv4 ip-udp-masq + nft delete chain ip octavia-ipv4 ip-udp-masq + elif [ "$2" == "ipv6" ]; then + nft flush chain ip6 octavia-ipv6 
ip-udp-masq + nft delete chain ip6 octavia-ipv6 ip-udp-masq + else + usage + fi + + else # nft not found, fall back to iptables + if [ "$2" == "ipv4" ]; then + /sbin/iptables -t nat -D POSTROUTING -p udp -o $3 -j MASQUERADE + elif [ "$2" == "ipv6" ]; then + /sbin/ip6tables -t nat -D POSTROUTING -p udp -o $3 -j MASQUERADE + else + usage + fi + fi +else + usage +fi diff --git a/octavia/amphorae/backends/agent/api_server/templates/plug_port_ethX.conf.j2 b/octavia/amphorae/backends/agent/api_server/templates/plug_port_ethX.conf.j2 index 2fa05253b7..f70d4aae77 100644 --- a/octavia/amphorae/backends/agent/api_server/templates/plug_port_ethX.conf.j2 +++ b/octavia/amphorae/backends/agent/api_server/templates/plug_port_ethX.conf.j2 @@ -33,8 +33,8 @@ up route add -net {{ hr.network }} gw {{ hr.gw }} dev {{ interface }} down route del -net {{ hr.network }} gw {{ hr.gw }} dev {{ interface }} {%- endif %} {%- endfor %} -post-up /sbin/ip{{ '6' if ipv6 }}tables -t nat -A POSTROUTING -p udp -o {{ interface }} -j MASQUERADE -post-down /sbin/ip{{ '6' if ipv6 }}tables -t nat -D POSTROUTING -p udp -o {{ interface }} -j MASQUERADE +post-up /usr/local/bin/udp-masquerade.sh add {{ 'ipv6' if ipv6 else 'ipv4' }} {{ interface }} +post-down /usr/local/bin/udp-masquerade.sh delete {{ 'ipv6' if ipv6 else 'ipv4' }} {{ interface }} {%- else %} iface {{ interface }} inet dhcp auto {{ interface }}:0 diff --git a/octavia/amphorae/backends/agent/api_server/templates/plug_vip_ethX.conf.j2 b/octavia/amphorae/backends/agent/api_server/templates/plug_vip_ethX.conf.j2 index 12824aa7ec..a6111eba30 100644 --- a/octavia/amphorae/backends/agent/api_server/templates/plug_vip_ethX.conf.j2 +++ b/octavia/amphorae/backends/agent/api_server/templates/plug_vip_ethX.conf.j2 
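Review bot: The ipv6 delete branch names a chain that the add branch never creates: add uses `ip6-udp-masq` in table `octavia-ipv6`, while delete flushes and deletes `ip-udp-masq`. With `set -e` the first nft call fails and the script exits non-zero, leaving the IPv6 masquerade rule installed after the interface goes down; the two lines should read `nft flush chain ip6 octavia-ipv6 ip6-udp-masq` and `nft delete chain ip6 octavia-ipv6 ip6-udp-masq`. Separately, the nft delete path ignores `$3` and removes the whole chain, so taking one interface down removes the masquerade rule of every other interface that is still up (the rh ifdown-local template calls it per interface), whereas the iptables fallback removes only the matching rule. In that fallback `-o $3` should be quoted as `-o "$3"`.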
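Review bot: The rendered `post-up` and `post-down` lines now depend on /usr/local/bin/udp-masquerade.sh, which this patch ships through the amphora-agent diskimage element rather than with the agent package that owns the template. If the agent is ever updated inside an existing image (I cannot tell from the patch whether that is supported), ifupdown would call a missing script and the post-up step would fail. A template comment would make the coupling visible, e.g. `{#- udp-masquerade.sh is installed by elements/amphora-agent; image and agent must be built together #}`. The same applies to plug_vip_ethX.conf.j2 and the two rh_plug_port_eth_if*_local templates.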
@@ -78,5 +78,5 @@ post-up /sbin/ip {{ '-6 ' if vip_ipv6 }}rule add from {{ vip }}/{{ '128' if vip_ post-down /sbin/ip {{ '-6 ' if vip_ipv6 }}rule del from {{ vip }}/{{ '128' if vip_ipv6 else '32' }} table 1 priority 100 {%- endif %} -post-up /sbin/ip{{ '6' if vip_ipv6 }}tables -t nat -A POSTROUTING -p udp -o {{ interface }} -j MASQUERADE -post-down /sbin/ip{{ '6' if vip_ipv6 }}tables -t nat -D POSTROUTING -p udp -o {{ interface }} -j MASQUERADE +post-up /usr/local/bin/udp-masquerade.sh add {{ 'ipv6' if vip_ipv6 else 'ipv4' }} {{ interface }} +post-down /usr/local/bin/udp-masquerade.sh delete {{ 'ipv6' if vip_ipv6 else 'ipv4' }} {{ interface }} diff --git a/octavia/amphorae/backends/agent/api_server/templates/rh_plug_port_eth_ifdown_local.conf.j2 b/octavia/amphorae/backends/agent/api_server/templates/rh_plug_port_eth_ifdown_local.conf.j2 index f1bea6067a..48e30ee5e7 100644 --- a/octavia/amphorae/backends/agent/api_server/templates/rh_plug_port_eth_ifdown_local.conf.j2 +++ b/octavia/amphorae/backends/agent/api_server/templates/rh_plug_port_eth_ifdown_local.conf.j2 @@ -14,6 +14,6 @@ #!/bin/bash if [[ "$1" != "lo" ]] then - /sbin/iptables -t nat -D POSTROUTING -o $1 -p udp -j MASQUERADE - /sbin/ip6tables -t nat -D POSTROUTING -o $1 -p udp -j MASQUERADE + /usr/local/bin/udp-masquerade.sh delete ipv4 $1 + /usr/local/bin/udp-masquerade.sh delete ipv6 $1 fi diff --git a/octavia/amphorae/backends/agent/api_server/templates/rh_plug_port_eth_ifup_local.conf.j2 b/octavia/amphorae/backends/agent/api_server/templates/rh_plug_port_eth_ifup_local.conf.j2 index cb364f8209..1311f50216 100644 --- a/octavia/amphorae/backends/agent/api_server/templates/rh_plug_port_eth_ifup_local.conf.j2 +++ b/octavia/amphorae/backends/agent/api_server/templates/rh_plug_port_eth_ifup_local.conf.j2 
@@ -14,6 +14,6 @@ #!/bin/bash if [[ "$1" != "lo" ]] then - /sbin/iptables -t nat -A POSTROUTING -o $1 -p udp -j MASQUERADE - /sbin/ip6tables -t nat -A POSTROUTING -o $1 -p udp -j MASQUERADE + /usr/local/bin/udp-masquerade.sh add ipv4 $1 + /usr/local/bin/udp-masquerade.sh add ipv6 $1 fi diff --git a/octavia/tests/functional/amphorae/backend/agent/api_server/test_server.py b/octavia/tests/functional/amphorae/backend/agent/api_server/test_server.py index 235917d5a9..932c65750d 100644 --- a/octavia/tests/functional/amphorae/backend/agent/api_server/test_server.py +++ b/octavia/tests/functional/amphorae/backend/agent/api_server/test_server.py @@ -1178,10 +1178,10 @@ class TestServerTestCase(base.TestCase): 'address 10.0.0.5\nbroadcast 10.0.0.255\n' 'netmask 255.255.255.0\n' 'mtu 1450\n' - 'post-up /sbin/iptables -t nat -A POSTROUTING -p udp ' - '-o eth{int} -j MASQUERADE\n' - 'post-down /sbin/iptables -t nat -D POSTROUTING -p udp ' - '-o eth{int} -j MASQUERADE\n'.format(int=test_int_num)) + 'post-up /usr/local/bin/udp-masquerade.sh add ipv4 ' + 'eth{int}\n' + 'post-down /usr/local/bin/udp-masquerade.sh delete ipv4 ' + 'eth{int}\n'.format(int=test_int_num)) elif distro == consts.CENTOS: handle.write.assert_any_call( '\n\n# Generated by Octavia agent\n' @@ -1253,10 +1253,10 @@ class TestServerTestCase(base.TestCase): 'address 2001:0db8:0000:0000:0000:0000:0000:0002\n' 'broadcast 2001:0db8:ffff:ffff:ffff:ffff:ffff:ffff\n' 'netmask 32\nmtu 1450\n' - 'post-up /sbin/ip6tables -t nat -A POSTROUTING -p udp ' - '-o eth{int} -j MASQUERADE\n' - 'post-down /sbin/ip6tables -t nat -D POSTROUTING -p udp ' - '-o eth{int} -j MASQUERADE\n'.format(int=test_int_num)) + 'post-up /usr/local/bin/udp-masquerade.sh add ipv6 ' + 'eth{int}\n' + 'post-down /usr/local/bin/udp-masquerade.sh delete ipv6 ' + 'eth{int}\n'.format(int=test_int_num)) elif distro == consts.CENTOS: handle.write.assert_any_call( '\n\n# Generated by Octavia agent\n' 
@@ -1441,11 +1441,10 @@ class TestServerTestCase(base.TestCase): ' dev ' + consts.NETNS_PRIMARY_INTERFACE + '\n' 'down route del -host ' + DEST2 + ' gw ' + NEXTHOP + ' dev ' + consts.NETNS_PRIMARY_INTERFACE + '\n' + - 'post-up /sbin/iptables -t nat -A POSTROUTING -p udp -o ' + - consts.NETNS_PRIMARY_INTERFACE + ' -j MASQUERADE' + '\n' + - 'post-down /sbin/iptables -t nat -D POSTROUTING -p udp ' - '-o ' + consts.NETNS_PRIMARY_INTERFACE + - ' -j MASQUERADE' + '\n') + 'post-up /usr/local/bin/udp-masquerade.sh add ipv4 ' + + consts.NETNS_PRIMARY_INTERFACE + '\n' + + 'post-down /usr/local/bin/udp-masquerade.sh delete ipv4 ' + + consts.NETNS_PRIMARY_INTERFACE + '\n') elif distro == consts.CENTOS: handle.write.assert_any_call( '\n\n# Generated by Octavia agent\n' @@ -1702,11 +1701,9 @@ class TestServerTestCase(base.TestCase): 'priority 100\n' 'post-down /sbin/ip rule del from 203.0.113.2/32 table 1 ' 'priority 100\n\n' - 'post-up /sbin/iptables -t nat -A POSTROUTING -p udp ' - '-o eth1 -j MASQUERADE\n' - 'post-down /sbin/iptables -t nat -D POSTROUTING -p udp ' - '-o eth1 -j MASQUERADE'.format( - netns_int=consts.NETNS_PRIMARY_INTERFACE)) + 'post-up /usr/local/bin/udp-masquerade.sh add ipv4 eth1\n' + 'post-down /usr/local/bin/udp-masquerade.sh delete ipv4 ' + 'eth1'.format(netns_int=consts.NETNS_PRIMARY_INTERFACE)) elif distro == consts.CENTOS: handle.write.assert_any_call( '\n# Generated by Octavia agent\n' 
@@ -1809,11 +1806,9 @@ class TestServerTestCase(base.TestCase): 'priority 100\n' 'post-down /sbin/ip rule del from 203.0.113.2/32 table 1 ' 'priority 100\n\n' - 'post-up /sbin/iptables -t nat -A POSTROUTING -p udp ' - '-o eth1 -j MASQUERADE\n' - 'post-down /sbin/iptables -t nat -D POSTROUTING -p udp ' - '-o eth1 -j MASQUERADE'.format( - netns_int=consts.NETNS_PRIMARY_INTERFACE)) + 'post-up /usr/local/bin/udp-masquerade.sh add ipv4 eth1\n' + 'post-down /usr/local/bin/udp-masquerade.sh delete ipv4 ' + 'eth1'.format(netns_int=consts.NETNS_PRIMARY_INTERFACE)) elif distro == consts.CENTOS: handle.write.assert_any_call( '\n# Generated by Octavia agent\n' @@ -2061,11 +2056,9 @@ class TestServerTestCase(base.TestCase): 'post-down /sbin/ip -6 rule del from ' '2001:0db8:0000:0000:0000:0000:0000:0002/128 table 1 ' 'priority 100\n\n' - 'post-up /sbin/ip6tables -t nat -A POSTROUTING -p udp ' - '-o eth1 -j MASQUERADE\n' - 'post-down /sbin/ip6tables -t nat -D POSTROUTING -p udp ' - '-o eth1 -j MASQUERADE'.format( - netns_int=consts.NETNS_PRIMARY_INTERFACE)) + 'post-up /usr/local/bin/udp-masquerade.sh add ipv6 eth1\n' + 'post-down /usr/local/bin/udp-masquerade.sh delete ipv6 ' + 'eth1'.format(netns_int=consts.NETNS_PRIMARY_INTERFACE)) elif distro == consts.CENTOS: handle.write.assert_any_call( '\n# Generated by Octavia agent\n' 
@@ -2168,11 +2161,9 @@ class TestServerTestCase(base.TestCase): 'post-down /sbin/ip -6 rule del from ' '2001:0db8:0000:0000:0000:0000:0000:0002/128 table 1 ' 'priority 100\n\n' - 'post-up /sbin/ip6tables -t nat -A POSTROUTING -p udp ' - '-o eth1 -j MASQUERADE\n' - 'post-down /sbin/ip6tables -t nat -D POSTROUTING -p udp ' - '-o eth1 -j MASQUERADE'.format( - netns_int=consts.NETNS_PRIMARY_INTERFACE)) + 'post-up /usr/local/bin/udp-masquerade.sh add ipv6 eth1\n' + 'post-down /usr/local/bin/udp-masquerade.sh delete ipv6 ' + 'eth1'.format(netns_int=consts.NETNS_PRIMARY_INTERFACE)) elif distro == consts.CENTOS: handle.write.assert_any_call( '\n# Generated by Octavia agent\n' diff --git a/octavia/tests/unit/amphorae/backends/agent/api_server/test_plug.py b/octavia/tests/unit/amphorae/backends/agent/api_server/test_plug.py index 50812fb7cc..3193e273d7 100644 --- a/octavia/tests/unit/amphorae/backends/agent/api_server/test_plug.py +++ b/octavia/tests/unit/amphorae/backends/agent/api_server/test_plug.py @@ -241,10 +241,8 @@ class TestPlugNetwork(base.TestCase): 'down route del -net {dest1} gw {nexthop} dev {netns_interface}\n' 'up route add -net {dest2} gw {nexthop} dev {netns_interface}\n' 'down route del -net {dest2} gw {nexthop} dev {netns_interface}\n' - 'post-up /sbin/iptables -t nat -A POSTROUTING -p udp -o ' - 'eth1234 -j MASQUERADE\n' - 'post-down /sbin/iptables -t nat -D POSTROUTING -p udp -o eth1234 ' - '-j MASQUERADE\n') + 'post-up /usr/local/bin/udp-masquerade.sh add ipv4 eth1234\n' + 'post-down /usr/local/bin/udp-masquerade.sh delete ipv4 eth1234\n') template_port = osutils.j2_env.get_template('plug_port_ethX.conf.j2') text = self.test_plug._osutils._generate_network_file_text( 
@@ -295,10 +293,10 @@ class TestPlugNetwork(base.TestCase): 'down route del -net {dest1} gw {nexthop} dev {netns_interface}\n' 'up route add -net {dest2} gw {nexthop} dev {netns_interface}\n' 'down route del -net {dest2} gw {nexthop} dev {netns_interface}\n' - 'post-up /sbin/iptables -t nat -A POSTROUTING -p udp -o ' - '{netns_interface} -j MASQUERADE\n' - 'post-down /sbin/iptables -t nat -D POSTROUTING -p udp -o ' - '{netns_interface} -j MASQUERADE\n' + 'post-up /usr/local/bin/udp-masquerade.sh add ipv4 ' + '{netns_interface}\n' + 'post-down /usr/local/bin/udp-masquerade.sh delete ipv4 ' + '{netns_interface}\n' '\n\n# Generated by Octavia agent\n' 'auto {netns_interface}\n' 'iface {netns_interface} inet6 static\n' @@ -306,10 +304,10 @@ class TestPlugNetwork(base.TestCase): 'broadcast {broadcast_ipv6}\n' 'netmask {netmask_ipv6}\n' 'mtu {mtu}\n' - 'post-up /sbin/ip6tables -t nat -A POSTROUTING -p udp -o ' - '{netns_interface} -j MASQUERADE\n' - 'post-down /sbin/ip6tables -t nat -D POSTROUTING -p udp -o ' - '{netns_interface} -j MASQUERADE\n') + 'post-up /usr/local/bin/udp-masquerade.sh add ipv6 ' + '{netns_interface}\n' + 'post-down /usr/local/bin/udp-masquerade.sh delete ipv6 ' + '{netns_interface}\n') template_port = osutils.j2_env.get_template('plug_port_ethX.conf.j2') text = self.test_plug._osutils._generate_network_file_text( diff --git a/releasenotes/notes/add-nftables-support-c86a89c420f6a42a.yaml b/releasenotes/notes/add-nftables-support-c86a89c420f6a42a.yaml new file mode 100644 index 0000000000..34a3ebfeda --- /dev/null +++ b/releasenotes/notes/add-nftables-support-c86a89c420f6a42a.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Added support for nftables to the devstack plugin and the amphora. diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index d0523d6fbb..9e67e5c931 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml 
@@ -164,3 +164,10 @@ vars: amphora_os: centos amphora_os_release: 8 + +- job: + name: octavia-v2-dsvm-scenario-nftables + parent: octavia-v2-dsvm-scenario + vars: + devstack_localrc: + OCTAVIA_AMP_USE_NFTABLES: True diff --git a/zuul.d/projects.yaml b/zuul.d/projects.yaml index 9cf56b92e5..3cc238feb4 100644 --- a/zuul.d/projects.yaml +++ b/zuul.d/projects.yaml @@ -90,3 +90,6 @@ branches: ^(?!stable/.*).*$ - octavia-amphora-image-build - octavia-grenade-ffu + experimental: + jobs: + - octavia-v2-dsvm-scenario-nftables