Restore FEATURE_ROUTER_FIREWALL, remove nat_pass usage

This patch restores FEATURE_ROUTER_FIREWALL, since the corresponding
feature is still available in NSX 4.0.1 onwards, but dropt usage of
the deprecated nat_pass parameter in favour of firewall_match.

All existing supported NSX releases can leverage the firewall_match
parameter for NAT rules.

Change-Id: I1dd5d2582ee291ce08af541c1a9a30ea86b33503
(cherry picked from commit 7624236634)

vmware_nsxlib/tests/unit/v3/test_resources.py

@@ -989,8 +989,8 @@ class LogicalRouterTestCase(BaseTestResource):
             'logging': logging
         }
         if add_bypass_arg and not firewall_match:
-            # Expect nat_pass to be sent to the backend
+            # When bypass is specified we either set match to internal addr
-            data['nat_pass'] = False
+            data['firewall_match'] = 'MATCH_INTERNAL_ADDRESS'
         elif firewall_match:
             data['firewall_match'] = firewall_match
 

vmware_nsxlib/tests/unit/v3/test_utils.py

@@ -375,14 +375,6 @@ class NsxFeaturesTestCase(nsxlib_testcase.NsxLibTestCase):
         self.assertTrue(self.nsxlib.feature_supported(
             nsx_constants.FEATURE_EXCLUDE_PORT_BY_TAG))
 
-    def test_v4_features(self):
-        self.nsxlib.nsx_version = "4.0.1"
-        self.assertFalse(self.nsxlib.feature_supported(
-            nsx_constants.FEATURE_ROUTER_FIREWALL))
-        self.nsxlib.nsx_version = "4.0.0"
-        self.assertTrue(self.nsxlib.feature_supported(
-            nsx_constants.FEATURE_ROUTER_FIREWALL))
-
     def test_v2_features_plus(self):
         self.test_v2_features(current_version='2.0.1')
 

vmware_nsxlib/v3/__init__.py

@@ -148,12 +148,6 @@ class NsxLib(lib.NsxLibBase):
         return node.get('export_type') == 'RESTRICTED'
 
     def feature_supported(self, feature):
-        if (version.LooseVersion(self.get_version()) >=
-            version.LooseVersion(nsx_constants.NSX_VERSION_4_0_1)):
-            # feature added since 2.0, removed since 4.0.1
-            if feature == nsx_constants.FEATURE_ROUTER_FIREWALL:
-                return False
-
         if (version.LooseVersion(self.get_version()) >=
             version.LooseVersion(nsx_constants.NSX_VERSION_3_1_0)):
             # features available since 3.1.0

vmware_nsxlib/v3/core_resources.py

@@ -636,14 +636,19 @@ class NsxLibLogicalRouter(utils.NsxLibApiBase):
                 'destination_ports': match_ports,
                 'l4_protocol': match_protocol or nsx_constants.TCP}
 
-        # nat_pass parameter is supported with the router firewall feature
+        # the router firewall feature is implemented with the firewall_match
-        # this parameter is deprecated, and should never be used
+        # paramter which has replaced nat_pass
         if (self.nsxlib and
             self.nsxlib.feature_supported(
                 nsx_constants.FEATURE_ROUTER_FIREWALL)):
-            # only consider nat_pass if firewall_match is not specified
+            # only consider bypass_firewall if firewall_match is not specified
             if not firewall_match:
-                body['nat_pass'] = bypass_firewall
+                if bypass_firewall:
+                    body['firewall_match'] = (
+                        nsx_constants.NAT_FIREWALL_MATCH_BYPASS)
+                else:
+                    body['firewall_match'] = (
+                        nsx_constants.NAT_FIREWALL_MATCH_INTERNAL)
             else:
                 body['firewall_match'] = firewall_match
         elif not bypass_firewall or firewall_match:

vmware_nsxlib/v3/nsx_constants.py

@@ -165,7 +165,6 @@ NSX_VERSION_3_1_0 = '3.1.0'
 NSX_VERSION_3_2_0 = '3.2.0'
 NSX_VERSION_3_2_1 = '3.2.1'
 NSX_VERSION_4_0_0 = '4.0.0'
-NSX_VERSION_4_0_1 = '4.0.1'
 
 # Features available depending on the NSX Manager backend version
 FEATURE_MAC_LEARNING = 'MAC Learning'