diff --git a/gbpservice/neutron/plugins/ml2plus/drivers/apic_aim/mechanism_driver.py b/gbpservice/neutron/plugins/ml2plus/drivers/apic_aim/mechanism_driver.py index b11653edb..402b7cdbc 100644 --- a/gbpservice/neutron/plugins/ml2plus/drivers/apic_aim/mechanism_driver.py +++ b/gbpservice/neutron/plugins/ml2plus/drivers/apic_aim/mechanism_driver.py @@ -2791,10 +2791,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver, context, port, removed_sgs, is_delete=True) self._really_update_sg_rule_with_remote_group_set( context, port, added_sgs, is_delete=False) - self._really_update_sg_rule_with_remote_address_group_set( - context, port, removed_sgs, is_delete=True) - self._really_update_sg_rule_with_remote_address_group_set( - context, port, added_sgs, is_delete=False) def _really_update_sg_rule_with_remote_group_set( self, context, port, security_groups, is_delete): @@ -2844,51 +2840,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver, self.aim.update(aim_ctx, sg_rule_aim, remote_ips=aim_sg_rule.remote_ips) - def _really_update_sg_rule_with_remote_address_group_set( - self, context, port, security_groups, is_delete): - if not security_groups: - return - session = context._plugin_context.session - aim_ctx = aim_context.AimContext(session) - - query = BAKERY(lambda s: s.query( - sg_models.SecurityGroupRule, - ag_db.AddressGroup)) - query += lambda q: q.filter( - sg_models.SecurityGroupRule.remote_address_group_id == - ag_db.AddressGroup.id) - res = query(session).params( - security_groups=list(security_groups)).all() - sg_to_tenant = {} - for sg in res: - sg_rule = sg[0] - address_group = sg[1] - sg_id = sg_rule['security_group_id'] - if sg_id in sg_to_tenant: - tenant_id = sg_to_tenant[sg_id] - else: - tenant_id = self._get_sg_rule_tenant_id(session, sg_rule) - sg_to_tenant[sg_id] = tenant_id - tenant_aname = self.name_mapper.project(session, tenant_id) - sg_rule_aim = aim_resource.SecurityGroupRule( - tenant_name=tenant_aname, - security_group_name=sg_rule['security_group_id'], - security_group_subject_name='default', - name=sg_rule['id']) - aim_sg_rule = self.aim.get(aim_ctx, sg_rule_aim) - if not aim_sg_rule: - continue - for ag_address in address_group['addresses']: - address = str(ag_address.address) - if is_delete: - if address in aim_sg_rule.remote_ips: - aim_sg_rule.remote_ips.remove(address) - else: - if address not in aim_sg_rule.remote_ips: - aim_sg_rule.remote_ips.append(address) - self.aim.update(aim_ctx, sg_rule_aim, - remote_ips=aim_sg_rule.remote_ips) - def _check_active_active_aap(self, context, port): aap_current = port.get('allowed_address_pairs', []) aap_original = [] @@ -3136,8 +3087,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver, self._check_valid_erspan_config(port) self._really_update_sg_rule_with_remote_group_set( context, port, port['security_groups'], is_delete=False) - self._really_update_sg_rule_with_remote_address_group_set( - context, port, port['security_groups'], is_delete=False) self._insert_provisioning_block(context) # Handle router gateway port creation. @@ -3428,8 +3377,6 @@ class ApicMechanismDriver(api_plus.MechanismDriver, self._delete_erspan_aim_config(context, port) self._really_update_sg_rule_with_remote_group_set( context, port, port['security_groups'], is_delete=True) - self._really_update_sg_rule_with_remote_address_group_set( - context, port, port['security_groups'], is_delete=True) # Set status of floating ip DOWN. self._update_floatingip_status( @@ -3633,6 +3580,32 @@ class ApicMechanismDriver(api_plus.MechanismDriver, remote_ips.append(fixed_ip['ip_address']) remote_group_id = sg_rule['remote_group_id'] + + elif sg_rule.get('remote_address_group_id'): + remote_ips = [] + + query = BAKERY(lambda s: s.query( + ag_db.AddressAssociation)) + query += lambda q: q.filter( + sg_models.SecurityGroupRule.remote_address_group_id == + ag_db.AddressGroup.id) + + addresses = query(session).params( + ag_id=sg_rule['remote_address_group_id']).all() + + ip_version = 0 + if sg_rule['ethertype'] == 'IPv4': + ip_version = 4 + elif sg_rule['ethertype'] == 'IPv6': + ip_version = 6 + + for addr in addresses: + if ip_version == netaddr.IPAddress( + addr['address'].split('/')[0]).version: + remote_ips.append(addr['address']) + + remote_group_id = '' + else: remote_ips = ([sg_rule['remote_ip_prefix']] if sg_rule['remote_ip_prefix'] else '') diff --git a/gbpservice/neutron/tests/unit/plugins/ml2plus/test_apic_aim.py b/gbpservice/neutron/tests/unit/plugins/ml2plus/test_apic_aim.py index b4436ac6d..119f86a71 100644 --- a/gbpservice/neutron/tests/unit/plugins/ml2plus/test_apic_aim.py +++ b/gbpservice/neutron/tests/unit/plugins/ml2plus/test_apic_aim.py @@ -11460,22 +11460,15 @@ class TestPortOnPhysicalNode(TestPortVlanNetwork): sg_rule1['id'], 'default', default_sg_id, tenant_aname) self.assertEqual(aim_sg_rule.remote_ips, []) - def test_update_sg_rule_with_remote_address_group_set(self): - # Create network. + def test_sg_rule_with_remote_address_group(self): net_resp = self._make_network(self.fmt, 'net1', True) - net = net_resp['network'] - - # Create subnet - subnet = self._make_subnet(self.fmt, net_resp, '10.0.1.1', - '10.0.1.0/24')['subnet'] - subnet_id = subnet['id'] - fixed_ips = [{'subnet_id': subnet_id, 'ip_address': '10.0.1.100'}] - - # create port with security group having rule - # with remote_address_group_id set + self._make_subnet(self.fmt, net_resp, '10.0.1.1', + '10.0.1.0/24')['subnet'] sg = self._make_security_group(self.fmt, 'test', 'test remote address group') sg_id = sg['security_group']['id'] + + # Create Address group ag = self._test_create_address_group(name='foo', addresses=['10.0.1.0/24', '192.168.0.1/32']) @@ -11483,38 +11476,24 @@ class TestPortOnPhysicalNode(TestPortVlanNetwork): rule = self._build_security_group_rule( sg_id, 'ingress', n_constants.PROTO_NAME_ICMP, '33', '2', remote_address_group_id=ag_id, ethertype=n_constants.IPv4) + + # Create security group rule with address group rule rules = {'security_group_rules': [rule['security_group_rule']]} sg_rule = self._make_security_group_rule( self.fmt, rules)['security_group_rules'][0] - port = self._make_port(self.fmt, net['id'], fixed_ips=fixed_ips, - security_groups=[sg_id])['port'] + tenant_aname = self.name_mapper.project(None, sg['security_group']['tenant_id']) aim_sg_rule = self._get_sg_rule( sg_rule['id'], 'default', sg_id, tenant_aname) + self.assertEqual(aim_sg_rule.remote_ips, ['10.0.1.0/24', '192.168.0.1/32']) - # delete SG group - data = {'port': {'security_groups': []}} - port = self._update('ports', port['id'], data)['port'] - aim_sg_rule = self._get_sg_rule( - sg_rule['id'], 'default', sg_id, tenant_aname) - self.assertEqual(aim_sg_rule.remote_ips, []) - - # add security group - data = {'port': {'security_groups': [sg_id]}} - port = self._update('ports', port['id'], data)['port'] - aim_sg_rule = self._get_sg_rule( - sg_rule['id'], 'default', sg_id, tenant_aname) - self.assertEqual(aim_sg_rule.remote_ips, - ['10.0.1.0/24', '192.168.0.1/32']) - - # Delete port - self._delete('ports', port['id']) - aim_sg_rule = self._get_sg_rule( - sg_rule['id'], 'default', sg_id, tenant_aname) - self.assertEqual(aim_sg_rule.remote_ips, []) + # Delete security group rule referenced with address group + self._delete('security-group-rules', sg_rule['id']) + # Delete Address group + self._delete('address-groups', ag['address_group']['id']) def test_create_sg_rule_with_remote_group_set_different_tenant(self): # Create network.