Add a config parameter to enable/disable iptables firewall implementation
Change-Id: I14b0fb11edd3d62d7e237cfad79b71a8bf86e855
This commit is contained in:
parent
6cb7bd09aa
commit
02f9c0cc38
@ -36,6 +36,10 @@ apic_opts = [
|
||||
help=("This will enable purging all the resources including "
|
||||
"the tenant once a keystone project.deleted "
|
||||
"notification is received.")),
|
||||
cfg.BoolOpt('enable_iptables_firewall',
|
||||
default=False,
|
||||
help=("This will enable the iptables firewall implementation "
|
||||
"on those compute nodes.")),
|
||||
]
|
||||
|
||||
|
||||
|
@ -197,6 +197,8 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
||||
apic_optimized_dhcp_lease_time)
|
||||
self.enable_keystone_notification_purge = (cfg.CONF.ml2_apic_aim.
|
||||
enable_keystone_notification_purge)
|
||||
self.enable_iptables_firewall = (cfg.CONF.ml2_apic_aim.
|
||||
enable_iptables_firewall)
|
||||
local_api.QUEUE_OUT_OF_PROCESS_NOTIFICATIONS = True
|
||||
self._setup_default_arp_security_group_rules()
|
||||
|
||||
@ -1700,10 +1702,13 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
||||
return True
|
||||
|
||||
def _complete_binding(self, context, segment):
|
||||
enable_firewall = False
|
||||
if self.enable_iptables_firewall:
|
||||
enable_firewall = self.sg_enabled
|
||||
context.set_binding(
|
||||
segment[api.ID], portbindings.VIF_TYPE_OVS,
|
||||
{portbindings.CAP_PORT_FILTER: False,
|
||||
portbindings.OVS_HYBRID_PLUG: False})
|
||||
{portbindings.CAP_PORT_FILTER: enable_firewall,
|
||||
portbindings.OVS_HYBRID_PLUG: enable_firewall})
|
||||
|
||||
@property
|
||||
def plugin(self):
|
||||
|
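Review bot: In `_complete_binding`, `port_filter` and `ovs_hybrid_plug` are advertised as True whenever the new option and `self.sg_enabled` are both set, but nothing in this hunk checks that the binding host actually runs an iptables firewall driver; if the option is switched on for a deployment whose agents have no firewall driver configured, Neutron reports the port as filtered while no filtering takes place, which is the opposite of fail-closed. A comment making that contract explicit, `# CAP_PORT_FILTER=True tells Nova the backend enforces security groups; only enable where the agents run the iptables hybrid firewall`, would help, and the option's help text in the first hunk ("on those compute nodes") should say which nodes it refers to. As a point of style the two-step assignment can be written in one line, `enable_firewall = self.enable_iptables_firewall and self.sg_enabled`, which evaluates identically for the BoolOpt.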
@ -3295,6 +3295,18 @@ class TestPortBinding(ApicAimTestCase):
|
||||
self.assertEqual({'port_filter': False, 'ovs_hybrid_plug': False},
|
||||
port['binding:vif_details'])
|
||||
|
||||
def test_bind_opflex_agent_with_firewall_enabled(self):
|
||||
self.driver.enable_iptables_firewall = True
|
||||
self._register_agent('host1', AGENT_CONF_OPFLEX)
|
||||
net = self._make_network(self.fmt, 'net1', True)
|
||||
self._make_subnet(self.fmt, net, '10.0.1.1', '10.0.1.0/24')
|
||||
port = self._make_port(self.fmt, net['network']['id'])['port']
|
||||
port_id = port['id']
|
||||
port = self._bind_port_to_host(port_id, 'host1')['port']
|
||||
self.assertEqual('ovs', port['binding:vif_type'])
|
||||
self.assertEqual({'port_filter': True, 'ovs_hybrid_plug': True},
|
||||
port['binding:vif_details'])
|
||||
|
||||
def test_bind_unsupported_vnic_type(self):
|
||||
net = self._make_network(self.fmt, 'net1', True)
|
||||
self._make_subnet(self.fmt, net, '10.0.1.1', '10.0.1.0/24')
|
||||
|
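Review bot: `test_bind_opflex_agent_with_firewall_enabled` only exercises the branch where `enable_iptables_firewall` and `sg_enabled` are both truthy, so the gate that keeps the binding unfiltered when security groups are disabled is untested; a second case setting `self.driver.enable_iptables_firewall = True` and `self.driver.sg_enabled = False` and asserting `{'port_filter': False, 'ovs_hybrid_plug': False}` would pin it (assuming `sg_enabled` can be assigned on the test driver the way the option flag is here). The test also flips the driver attribute in place without restoring it; if the driver instance is shared across cases in this class that setting leaks into later tests, and resetting it through `self.addCleanup` would avoid order-dependent results. The rest of `TestPortBinding` lies outside the hunk.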