openstack/octavia
Code Issues Proposed changes

Merge "Add support for nftables"

Browse Source
This commit is contained in:
Zuul 2020-09-10 18:29:38 +00:00 committed by Gerrit Code Review
commit 87e55d6350
13 changed files with 174 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
devstack/plugin.sh
View File

@ -66,6 +66,11 @@ function build_octavia_worker_image {
export DIB_LOCAL_ELEMENTS=$DIB_LOCAL_ELEMENTS export DIB_LOCAL_ELEMENTS=$DIB_LOCAL_ELEMENTS
fi fi
# Pull in the option to install nftables in the amphora
if [ -n "$DIB_OCTAVIA_AMP_USE_NFTABLES" ]; then
export DIB_OCTAVIA_AMP_USE_NFTABLES=$DIB_OCTAVIA_AMP_USE_NFTABLES
fi
# pull the agent code from the current code zuul has a reference to # pull the agent code from the current code zuul has a reference to
if [ -n "$DIB_REPOLOCATION_pip_and_virtualenv" ]; then if [ -n "$DIB_REPOLOCATION_pip_and_virtualenv" ]; then
export DIB_REPOLOCATION_pip_and_virtualenv=$DIB_REPOLOCATION_pip_and_virtualenv export DIB_REPOLOCATION_pip_and_virtualenv=$DIB_REPOLOCATION_pip_and_virtualenv
@ -466,18 +471,35 @@ function create_mgmt_network_interface {
die "Unknown network controller. Please define octavia_create_network_interface_device" die "Unknown network controller. Please define octavia_create_network_interface_device"
fi fi
sudo ip link set dev o-hm0 address $MGMT_PORT_MAC sudo ip link set dev o-hm0 address $MGMT_PORT_MAC
if [ $SERVICE_IP_VERSION == '6' ] ; then
# Allow the required IPv6 ICMP messages # Check if the host is using nftables, an alternative to iptables
sudo ip6tables -I INPUT -i o-hm0 -p ipv6-icmp -j ACCEPT if [ -x "$(sudo bash -c 'command -v nft')" ]; then
sudo ip6tables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_HM_LISTEN_PORT -j ACCEPT sudo nft add table inet octavia
sudo ip6tables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_ADMIN_PORT -j ACCEPT sudo nft add chain inet octavia o-hm0-incoming { type filter hook input priority 0\;}
sudo ip6tables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_TENANT_PORT -j ACCEPT sudo nft flush chain inet octavia o-hm0-incoming
# Note: Order is important here and using counter here as this is
# devstack for testing.
sudo nft insert rule inet octavia o-hm0-incoming iifname "o-hm0" counter log drop
sudo nft insert rule inet octavia o-hm0-incoming iifname "o-hm0" meta l4proto ipv6-icmp counter accept
sudo nft insert rule inet octavia o-hm0-incoming iifname "o-hm0" udp dport $OCTAVIA_HM_LISTEN_PORT counter accept
sudo nft insert rule inet octavia o-hm0-incoming iifname "o-hm0" udp dport $OCTAVIA_AMP_LOG_ADMIN_PORT counter accept
sudo nft insert rule inet octavia o-hm0-incoming iifname "o-hm0" udp dport $OCTAVIA_AMP_LOG_TENANT_PORT counter accept
sudo nft insert rule inet octavia o-hm0-incoming iifname "o-hm0" ct state related,established accept
else else
sudo iptables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_HM_LISTEN_PORT -j ACCEPT if [ $SERVICE_IP_VERSION == '6' ] ; then
sudo iptables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_ADMIN_PORT -j ACCEPT # Allow the required IPv6 ICMP messages
sudo iptables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_TENANT_PORT -j ACCEPT sudo ip6tables -I INPUT -i o-hm0 -p ipv6-icmp -j ACCEPT
sudo ip6tables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_HM_LISTEN_PORT -j ACCEPT
sudo ip6tables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_ADMIN_PORT -j ACCEPT
sudo ip6tables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_TENANT_PORT -j ACCEPT
else
sudo iptables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_HM_LISTEN_PORT -j ACCEPT
sudo iptables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_ADMIN_PORT -j ACCEPT
sudo iptables -I INPUT -i o-hm0 -p udp --dport $OCTAVIA_AMP_LOG_TENANT_PORT -j ACCEPT
fi
fi fi
if [ $OCTAVIA_CONTROLLER_IP_PORT_LIST == 'auto' ] ; then if [ $OCTAVIA_CONTROLLER_IP_PORT_LIST == 'auto' ] ; then
iniset $OCTAVIA_CONF health_manager controller_ip_port_list $MGMT_PORT_IP:$OCTAVIA_HM_LISTEN_PORT iniset $OCTAVIA_CONF health_manager controller_ip_port_list $MGMT_PORT_IP:$OCTAVIA_HM_LISTEN_PORT
else else

3
diskimage-create/diskimage-create.sh
View File

@ -289,6 +289,9 @@ else
export ELEMENTS_PATH=$OCTAVIA_ELEMENTS_PATH export ELEMENTS_PATH=$OCTAVIA_ELEMENTS_PATH
fi fi
# Make sure we have a value set for DIB_OCTAVIA_AMP_USE_NFTABLES
export DIB_OCTAVIA_AMP_USE_NFTABLES=${DIB_OCTAVIA_AMP_USE_NFTABLES:-False}
export CLOUD_INIT_DATASOURCES=${CLOUD_INIT_DATASOURCES:-"ConfigDrive"} export CLOUD_INIT_DATASOURCES=${CLOUD_INIT_DATASOURCES:-"ConfigDrive"}
# Additional RHEL environment checks # Additional RHEL environment checks

3
elements/amphora-agent/package-installs.yaml
View File

@ -59,3 +59,6 @@ ureadahead:
uuid-runtime: uuid-runtime:
vim-tiny: vim-tiny:
vlan: vlan:
nftables:
when: DIB_OCTAVIA_AMP_USE_NFTABLES = True

81
elements/amphora-agent/static/usr/local/bin/udp-masquerade.sh Executable file
View File

@ -0,0 +1,81 @@
#!/bin/bash
#
# Copyright 2020 Red Hat, Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
set -e
usage() {
echo
echo "Usage: $(basename "$0") [add|delete] [ipv4|ipv6] <interface>"
echo
exit 1
}
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
usage
fi
if [ "$1" == "add" ]; then
if [ -x "$(sudo bash -c 'command -v nft')" ]; then
# Note: inet for nat requires a 5.2 or newer kernel.
if [ "$2" == "ipv4" ]; then
nft add table ip octavia-ipv4
nft add chain ip octavia-ipv4 ip-udp-masq { type nat hook postrouting priority 100\;}
nft add rule ip octavia-ipv4 ip-udp-masq oifname "$3" meta l4proto udp masquerade
elif [ "$2" == "ipv6" ]; then
nft add table ip6 octavia-ipv6
nft add chain ip6 octavia-ipv6 ip6-udp-masq { type nat hook postrouting priority 100\;}
nft add rule ip6 octavia-ipv6 ip6-udp-masq oifname "$3" meta l4proto udp masquerade
else
usage
fi
else # nft not found, fall back to iptables
if [ "$2" == "ipv4" ]; then
/sbin/iptables -t nat -A POSTROUTING -p udp -o $3 -j MASQUERADE
elif [ "$2" == "ipv6" ]; then
/sbin/ip6tables -t nat -A POSTROUTING -p udp -o $3 -j MASQUERADE
else
usage
fi
fi
elif [ "$1" == "delete" ]; then
if [ -x "$(sudo bash -c 'command -v nft')" ]; then
if [ "$2" == "ipv4" ]; then
nft flush chain ip octavia-ipv4 ip-udp-masq
nft delete chain ip octavia-ipv4 ip-udp-masq
elif [ "$2" == "ipv6" ]; then
nft flush chain ip6 octavia-ipv6 ip-udp-masq
nft delete chain ip6 octavia-ipv6 ip-udp-masq
else
usage
fi
else # nft not found, fall back to iptables
if [ "$2" == "ipv4" ]; then
/sbin/iptables -t nat -D POSTROUTING -p udp -o $3 -j MASQUERADE
elif [ "$2" == "ipv6" ]; then
/sbin/ip6tables -t nat -D POSTROUTING -p udp -o $3 -j MASQUERADE
else
usage
fi
fi
else
usage
fi

4
octavia/amphorae/backends/agent/api_server/templates/plug_port_ethX.conf.j2
View File

@ -33,8 +33,8 @@ up route add -net {{ hr.network }} gw {{ hr.gw }} dev {{ interface }}
down route del -net {{ hr.network }} gw {{ hr.gw }} dev {{ interface }} down route del -net {{ hr.network }} gw {{ hr.gw }} dev {{ interface }}
{%- endif %} {%- endif %}
{%- endfor %} {%- endfor %}
post-up /sbin/ip{{ '6' if ipv6 }}tables -t nat -A POSTROUTING -p udp -o {{ interface }} -j MASQUERADE post-up /usr/local/bin/udp-masquerade.sh add {{ 'ipv6' if ipv6 else 'ipv4' }} {{ interface }}
post-down /sbin/ip{{ '6' if ipv6 }}tables -t nat -D POSTROUTING -p udp -o {{ interface }} -j MASQUERADE post-down /usr/local/bin/udp-masquerade.sh delete {{ 'ipv6' if ipv6 else 'ipv4' }} {{ interface }}
{%- else %} {%- else %}
iface {{ interface }} inet dhcp iface {{ interface }} inet dhcp
auto {{ interface }}:0 auto {{ interface }}:0

4
octavia/amphorae/backends/agent/api_server/templates/plug_vip_ethX.conf.j2
View File

@ -78,5 +78,5 @@ post-up /sbin/ip {{ '-6 ' if vip_ipv6 }}rule add from {{ vip }}/{{ '128' if vip_
post-down /sbin/ip {{ '-6 ' if vip_ipv6 }}rule del from {{ vip }}/{{ '128' if vip_ipv6 else '32' }} table 1 priority 100 post-down /sbin/ip {{ '-6 ' if vip_ipv6 }}rule del from {{ vip }}/{{ '128' if vip_ipv6 else '32' }} table 1 priority 100
{%- endif %} {%- endif %}
post-up /sbin/ip{{ '6' if vip_ipv6 }}tables -t nat -A POSTROUTING -p udp -o {{ interface }} -j MASQUERADE post-up /usr/local/bin/udp-masquerade.sh add {{ 'ipv6' if vip_ipv6 else 'ipv4' }} {{ interface }}
post-down /sbin/ip{{ '6' if vip_ipv6 }}tables -t nat -D POSTROUTING -p udp -o {{ interface }} -j MASQUERADE post-down /usr/local/bin/udp-masquerade.sh delete {{ 'ipv6' if vip_ipv6 else 'ipv4' }} {{ interface }}

4
octavia/amphorae/backends/agent/api_server/templates/rh_plug_port_eth_ifdown_local.conf.j2
View File

@ -14,6 +14,6 @@
#!/bin/bash #!/bin/bash
if [[ "$1" != "lo" ]] if [[ "$1" != "lo" ]]
then then
/sbin/iptables -t nat -D POSTROUTING -o $1 -p udp -j MASQUERADE /usr/local/bin/udp-masquerade.sh delete ipv4 $1
/sbin/ip6tables -t nat -D POSTROUTING -o $1 -p udp -j MASQUERADE /usr/local/bin/udp-masquerade.sh delete ipv6 $1
fi fi

4
octavia/amphorae/backends/agent/api_server/templates/rh_plug_port_eth_ifup_local.conf.j2
View File

@ -14,6 +14,6 @@
#!/bin/bash #!/bin/bash
if [[ "$1" != "lo" ]] if [[ "$1" != "lo" ]]
then then
/sbin/iptables -t nat -A POSTROUTING -o $1 -p udp -j MASQUERADE /usr/local/bin/udp-masquerade.sh add ipv4 $1
/sbin/ip6tables -t nat -A POSTROUTING -o $1 -p udp -j MASQUERADE /usr/local/bin/udp-masquerade.sh add ipv6 $1
fi fi

57
octavia/tests/functional/amphorae/backend/agent/api_server/test_server.py
View File

@ -1178,10 +1178,10 @@ class TestServerTestCase(base.TestCase):
'address 10.0.0.5\nbroadcast 10.0.0.255\n' 'address 10.0.0.5\nbroadcast 10.0.0.255\n'
'netmask 255.255.255.0\n' 'netmask 255.255.255.0\n'
'mtu 1450\n' 'mtu 1450\n'
'post-up /sbin/iptables -t nat -A POSTROUTING -p udp ' 'post-up /usr/local/bin/udp-masquerade.sh add ipv4 '
'-o eth{int} -j MASQUERADE\n' 'eth{int}\n'
'post-down /sbin/iptables -t nat -D POSTROUTING -p udp ' 'post-down /usr/local/bin/udp-masquerade.sh delete ipv4 '
'-o eth{int} -j MASQUERADE\n'.format(int=test_int_num)) 'eth{int}\n'.format(int=test_int_num))
elif distro == consts.CENTOS: elif distro == consts.CENTOS:
handle.write.assert_any_call( handle.write.assert_any_call(
'\n\n# Generated by Octavia agent\n' '\n\n# Generated by Octavia agent\n'
@ -1253,10 +1253,10 @@ class TestServerTestCase(base.TestCase):
'address 2001:0db8:0000:0000:0000:0000:0000:0002\n' 'address 2001:0db8:0000:0000:0000:0000:0000:0002\n'
'broadcast 2001:0db8:ffff:ffff:ffff:ffff:ffff:ffff\n' 'broadcast 2001:0db8:ffff:ffff:ffff:ffff:ffff:ffff\n'
'netmask 32\nmtu 1450\n' 'netmask 32\nmtu 1450\n'
'post-up /sbin/ip6tables -t nat -A POSTROUTING -p udp ' 'post-up /usr/local/bin/udp-masquerade.sh add ipv6 '
'-o eth{int} -j MASQUERADE\n' 'eth{int}\n'
'post-down /sbin/ip6tables -t nat -D POSTROUTING -p udp ' 'post-down /usr/local/bin/udp-masquerade.sh delete ipv6 '
'-o eth{int} -j MASQUERADE\n'.format(int=test_int_num)) 'eth{int}\n'.format(int=test_int_num))
elif distro == consts.CENTOS: elif distro == consts.CENTOS:
handle.write.assert_any_call( handle.write.assert_any_call(
'\n\n# Generated by Octavia agent\n' '\n\n# Generated by Octavia agent\n'
@ -1441,11 +1441,10 @@ class TestServerTestCase(base.TestCase):
' dev ' + consts.NETNS_PRIMARY_INTERFACE + '\n' ' dev ' + consts.NETNS_PRIMARY_INTERFACE + '\n'
'down route del -host ' + DEST2 + ' gw ' + NEXTHOP + 'down route del -host ' + DEST2 + ' gw ' + NEXTHOP +
' dev ' + consts.NETNS_PRIMARY_INTERFACE + '\n' + ' dev ' + consts.NETNS_PRIMARY_INTERFACE + '\n' +
'post-up /sbin/iptables -t nat -A POSTROUTING -p udp -o ' + 'post-up /usr/local/bin/udp-masquerade.sh add ipv4 ' +
consts.NETNS_PRIMARY_INTERFACE + ' -j MASQUERADE' + '\n' + consts.NETNS_PRIMARY_INTERFACE + '\n' +
'post-down /sbin/iptables -t nat -D POSTROUTING -p udp ' 'post-down /usr/local/bin/udp-masquerade.sh delete ipv4 ' +
'-o ' + consts.NETNS_PRIMARY_INTERFACE + consts.NETNS_PRIMARY_INTERFACE + '\n')
' -j MASQUERADE' + '\n')
elif distro == consts.CENTOS: elif distro == consts.CENTOS:
handle.write.assert_any_call( handle.write.assert_any_call(
'\n\n# Generated by Octavia agent\n' '\n\n# Generated by Octavia agent\n'
@ -1702,11 +1701,9 @@ class TestServerTestCase(base.TestCase):
'priority 100\n' 'priority 100\n'
'post-down /sbin/ip rule del from 203.0.113.2/32 table 1 ' 'post-down /sbin/ip rule del from 203.0.113.2/32 table 1 '
'priority 100\n\n' 'priority 100\n\n'
'post-up /sbin/iptables -t nat -A POSTROUTING -p udp ' 'post-up /usr/local/bin/udp-masquerade.sh add ipv4 eth1\n'
'-o eth1 -j MASQUERADE\n' 'post-down /usr/local/bin/udp-masquerade.sh delete ipv4 '
'post-down /sbin/iptables -t nat -D POSTROUTING -p udp ' 'eth1'.format(netns_int=consts.NETNS_PRIMARY_INTERFACE))
'-o eth1 -j MASQUERADE'.format(
netns_int=consts.NETNS_PRIMARY_INTERFACE))
elif distro == consts.CENTOS: elif distro == consts.CENTOS:
handle.write.assert_any_call( handle.write.assert_any_call(
'\n# Generated by Octavia agent\n' '\n# Generated by Octavia agent\n'
@ -1809,11 +1806,9 @@ class TestServerTestCase(base.TestCase):
'priority 100\n' 'priority 100\n'
'post-down /sbin/ip rule del from 203.0.113.2/32 table 1 ' 'post-down /sbin/ip rule del from 203.0.113.2/32 table 1 '
'priority 100\n\n' 'priority 100\n\n'
'post-up /sbin/iptables -t nat -A POSTROUTING -p udp ' 'post-up /usr/local/bin/udp-masquerade.sh add ipv4 eth1\n'
'-o eth1 -j MASQUERADE\n' 'post-down /usr/local/bin/udp-masquerade.sh delete ipv4 '
'post-down /sbin/iptables -t nat -D POSTROUTING -p udp ' 'eth1'.format(netns_int=consts.NETNS_PRIMARY_INTERFACE))
'-o eth1 -j MASQUERADE'.format(
netns_int=consts.NETNS_PRIMARY_INTERFACE))
elif distro == consts.CENTOS: elif distro == consts.CENTOS:
handle.write.assert_any_call( handle.write.assert_any_call(
'\n# Generated by Octavia agent\n' '\n# Generated by Octavia agent\n'
@ -2061,11 +2056,9 @@ class TestServerTestCase(base.TestCase):
'post-down /sbin/ip -6 rule del from ' 'post-down /sbin/ip -6 rule del from '
'2001:0db8:0000:0000:0000:0000:0000:0002/128 table 1 ' '2001:0db8:0000:0000:0000:0000:0000:0002/128 table 1 '
'priority 100\n\n' 'priority 100\n\n'
'post-up /sbin/ip6tables -t nat -A POSTROUTING -p udp ' 'post-up /usr/local/bin/udp-masquerade.sh add ipv6 eth1\n'
'-o eth1 -j MASQUERADE\n' 'post-down /usr/local/bin/udp-masquerade.sh delete ipv6 '
'post-down /sbin/ip6tables -t nat -D POSTROUTING -p udp ' 'eth1'.format(netns_int=consts.NETNS_PRIMARY_INTERFACE))
'-o eth1 -j MASQUERADE'.format(
netns_int=consts.NETNS_PRIMARY_INTERFACE))
elif distro == consts.CENTOS: elif distro == consts.CENTOS:
handle.write.assert_any_call( handle.write.assert_any_call(
'\n# Generated by Octavia agent\n' '\n# Generated by Octavia agent\n'
@ -2168,11 +2161,9 @@ class TestServerTestCase(base.TestCase):
'post-down /sbin/ip -6 rule del from ' 'post-down /sbin/ip -6 rule del from '
'2001:0db8:0000:0000:0000:0000:0000:0002/128 table 1 ' '2001:0db8:0000:0000:0000:0000:0000:0002/128 table 1 '
'priority 100\n\n' 'priority 100\n\n'
'post-up /sbin/ip6tables -t nat -A POSTROUTING -p udp ' 'post-up /usr/local/bin/udp-masquerade.sh add ipv6 eth1\n'
'-o eth1 -j MASQUERADE\n' 'post-down /usr/local/bin/udp-masquerade.sh delete ipv6 '
'post-down /sbin/ip6tables -t nat -D POSTROUTING -p udp ' 'eth1'.format(netns_int=consts.NETNS_PRIMARY_INTERFACE))
'-o eth1 -j MASQUERADE'.format(
netns_int=consts.NETNS_PRIMARY_INTERFACE))
elif distro == consts.CENTOS: elif distro == consts.CENTOS:
handle.write.assert_any_call( handle.write.assert_any_call(
'\n# Generated by Octavia agent\n' '\n# Generated by Octavia agent\n'

22
octavia/tests/unit/amphorae/backends/agent/api_server/test_plug.py
View File

@ -241,10 +241,8 @@ class TestPlugNetwork(base.TestCase):
'down route del -net {dest1} gw {nexthop} dev {netns_interface}\n' 'down route del -net {dest1} gw {nexthop} dev {netns_interface}\n'
'up route add -net {dest2} gw {nexthop} dev {netns_interface}\n' 'up route add -net {dest2} gw {nexthop} dev {netns_interface}\n'
'down route del -net {dest2} gw {nexthop} dev {netns_interface}\n' 'down route del -net {dest2} gw {nexthop} dev {netns_interface}\n'
'post-up /sbin/iptables -t nat -A POSTROUTING -p udp -o ' 'post-up /usr/local/bin/udp-masquerade.sh add ipv4 eth1234\n'
'eth1234 -j MASQUERADE\n' 'post-down /usr/local/bin/udp-masquerade.sh delete ipv4 eth1234\n')
'post-down /sbin/iptables -t nat -D POSTROUTING -p udp -o eth1234 '
'-j MASQUERADE\n')
template_port = osutils.j2_env.get_template('plug_port_ethX.conf.j2') template_port = osutils.j2_env.get_template('plug_port_ethX.conf.j2')
text = self.test_plug._osutils._generate_network_file_text( text = self.test_plug._osutils._generate_network_file_text(
@ -295,10 +293,10 @@ class TestPlugNetwork(base.TestCase):
'down route del -net {dest1} gw {nexthop} dev {netns_interface}\n' 'down route del -net {dest1} gw {nexthop} dev {netns_interface}\n'
'up route add -net {dest2} gw {nexthop} dev {netns_interface}\n' 'up route add -net {dest2} gw {nexthop} dev {netns_interface}\n'
'down route del -net {dest2} gw {nexthop} dev {netns_interface}\n' 'down route del -net {dest2} gw {nexthop} dev {netns_interface}\n'
'post-up /sbin/iptables -t nat -A POSTROUTING -p udp -o ' 'post-up /usr/local/bin/udp-masquerade.sh add ipv4 '
'{netns_interface} -j MASQUERADE\n' '{netns_interface}\n'
'post-down /sbin/iptables -t nat -D POSTROUTING -p udp -o ' 'post-down /usr/local/bin/udp-masquerade.sh delete ipv4 '
'{netns_interface} -j MASQUERADE\n' '{netns_interface}\n'
'\n\n# Generated by Octavia agent\n' '\n\n# Generated by Octavia agent\n'
'auto {netns_interface}\n' 'auto {netns_interface}\n'
'iface {netns_interface} inet6 static\n' 'iface {netns_interface} inet6 static\n'
@ -306,10 +304,10 @@ class TestPlugNetwork(base.TestCase):
'broadcast {broadcast_ipv6}\n' 'broadcast {broadcast_ipv6}\n'
'netmask {netmask_ipv6}\n' 'netmask {netmask_ipv6}\n'
'mtu {mtu}\n' 'mtu {mtu}\n'
'post-up /sbin/ip6tables -t nat -A POSTROUTING -p udp -o ' 'post-up /usr/local/bin/udp-masquerade.sh add ipv6 '
'{netns_interface} -j MASQUERADE\n' '{netns_interface}\n'
'post-down /sbin/ip6tables -t nat -D POSTROUTING -p udp -o ' 'post-down /usr/local/bin/udp-masquerade.sh delete ipv6 '
'{netns_interface} -j MASQUERADE\n') '{netns_interface}\n')
template_port = osutils.j2_env.get_template('plug_port_ethX.conf.j2') template_port = osutils.j2_env.get_template('plug_port_ethX.conf.j2')
text = self.test_plug._osutils._generate_network_file_text( text = self.test_plug._osutils._generate_network_file_text(

4
releasenotes/notes/add-nftables-support-c86a89c420f6a42a.yaml Normal file
View File

@ -0,0 +1,4 @@
---
features:
- |
Added support for nftables to the devstack plugin and the amphora.

7
zuul.d/jobs.yaml
View File

@ -170,3 +170,10 @@
vars: vars:
amphora_os: centos amphora_os: centos
amphora_os_release: 8 amphora_os_release: 8
- job:
name: octavia-v2-dsvm-scenario-nftables
parent: octavia-v2-dsvm-scenario
vars:
devstack_localrc:
OCTAVIA_AMP_USE_NFTABLES: True

3
zuul.d/projects.yaml
View File

@ -90,3 +90,6 @@
branches: ^(?!stable/.*).*$ branches: ^(?!stable/.*).*$
- octavia-amphora-image-build - octavia-amphora-image-build
- octavia-grenade-ffu - octavia-grenade-ffu
experimental:
jobs:
- octavia-v2-dsvm-scenario-nftables