├── .coveragerc ├── .gitignore ├── .gitreview ├── .mailmap ├── .pre-commit-config.yaml ├── .pylintrc ├── .stestr.conf ├── .zuul.yaml ├── CONTRIBUTING.rst ├── HACKING.rst ├── LICENSE ├── README.rst ├── TESTING.rst ├── bindep.txt ├── devstack ├── README.rst ├── lib │ ├── l2_agent │ └── l3_agent ├── plugin.sh └── settings ├── doc ├── requirements.txt └── source │ ├── _static │ └── .placeholder │ ├── conf.py │ ├── configuration │ ├── fwaas_driver.rst │ ├── index.rst │ ├── neutron_fwaas.rst │ ├── policy-sample.rst │ ├── policy.rst │ └── samples │ │ ├── fwaas_driver.rst │ │ └── neutron_fwaas.rst │ ├── contributor │ ├── contributing.rst │ ├── devstack.rst │ ├── fwaas_v2.rst │ ├── index.rst │ └── modules.rst │ ├── index.rst │ └── install │ └── index.rst ├── etc ├── README.txt ├── neutron │ └── rootwrap.d │ │ └── fwaas-privsep.filters ├── oslo-config-generator │ ├── fwaas_driver.ini │ └── neutron_fwaas.conf └── oslo-policy-generator │ └── policy.conf ├── neutron_fwaas ├── __init__.py ├── _i18n.py ├── cmd │ ├── __init__.py │ └── upgrade_checks │ │ ├── __init__.py │ │ └── checks.py ├── common │ ├── __init__.py │ ├── exceptions.py │ ├── fwaas_constants.py │ └── resources.py ├── db │ ├── __init__.py │ ├── firewall │ │ ├── __init__.py │ │ └── v2 │ │ │ ├── __init__.py │ │ │ └── firewall_db_v2.py │ ├── migration │ │ ├── __init__.py │ │ └── alembic_migrations │ │ │ ├── README │ │ │ ├── __init__.py │ │ │ ├── env.py │ │ │ ├── script.py.mako │ │ │ └── versions │ │ │ ├── 2023.2 │ │ │ └── expand │ │ │ │ └── 6941ce70131e_add_standard_attr_id.py │ │ │ ├── 2025.1 │ │ │ ├── contract │ │ │ │ └── 1007f519ea46_drop_v1.py │ │ │ └── expand │ │ │ │ └── 2a0d33e9ef63_add_pk_firewall_group_associations_v2.py │ │ │ ├── 4202e3047e47_add_index_tenant_id.py │ │ │ ├── 540142f314f4_fwaas_router_insertion.py │ │ │ ├── 796c68dffbb_cisco_csr_fwaas.py │ │ │ ├── CONTRACT_HEAD │ │ │ ├── EXPAND_HEAD │ │ │ ├── kilo_release.py │ │ │ ├── liberty │ │ │ ├── contract │ │ │ │ └── 67c8e8d61d5_initial.py │ │ │ └── expand 
│ │ │ │ ├── 4b47ea298795_add_reject_rule.py │ │ │ │ └── c40fbb377ad_initial.py │ │ │ ├── mitaka │ │ │ └── contract │ │ │ │ └── 458aa42b14b_fw_table_alter.py │ │ │ ├── newton │ │ │ ├── contract │ │ │ │ └── f83a0b2964d0_rename_tenant_to_project.py │ │ │ └── expand │ │ │ │ └── d6a12e637e28_neutron_fwaas_v2_0.py │ │ │ ├── pike │ │ │ └── contract │ │ │ │ └── fd38cd995cc0_shared_attribute_for_firewall_resources.py │ │ │ ├── queens │ │ │ └── expand │ │ │ │ ├── 876782258a43_create_default_firewall_groups_table.py │ │ │ │ └── f24e0d5e5bff_uniq_firewallgroupportassociation0port.py │ │ │ └── start_neutron_fwaas.py │ └── models │ │ ├── __init__.py │ │ └── head.py ├── extensions │ ├── __init__.py │ ├── firewall_v2.py │ └── firewall_v2_stdattrs.py ├── opts.py ├── policies │ ├── __init__.py │ ├── firewall_group.py │ ├── firewall_policy.py │ └── firewall_rule.py ├── privileged │ ├── __init__.py │ ├── netfilter_log │ │ ├── __init__.py │ │ └── libnetfilter_log.py │ ├── netlink_constants.py │ ├── netlink_lib.py │ ├── tests │ │ ├── __init__.py │ │ └── functional │ │ │ ├── __init__.py │ │ │ ├── dummy.py │ │ │ └── utils.py │ └── utils.py ├── services │ ├── __init__.py │ ├── firewall │ │ ├── __init__.py │ │ ├── fwaas_plugin_v2.py │ │ └── service_drivers │ │ │ ├── __init__.py │ │ │ ├── agents │ │ │ ├── __init__.py │ │ │ ├── agents.py │ │ │ ├── drivers │ │ │ │ ├── __init__.py │ │ │ │ ├── conntrack_base.py │ │ │ │ ├── fwaas_base.py │ │ │ │ ├── fwaas_base_v2.py │ │ │ │ └── linux │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── iptables_fwaas_v2.py │ │ │ │ │ ├── l2 │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── driver_base.py │ │ │ │ │ ├── noop │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ └── noop_driver.py │ │ │ │ │ └── openvswitch_firewall │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── constants.py │ │ │ │ │ │ ├── exceptions.py │ │ │ │ │ │ ├── firewall.py │ │ │ │ │ │ └── rules.py │ │ │ │ │ ├── legacy_conntrack.py │ │ │ │ │ └── netlink_conntrack.py │ │ │ ├── firewall_agent_api.py │ │ │ ├── firewall_service.py │ │ │ 
├── l2 │ │ │ │ ├── __init__.py │ │ │ │ └── fwaas_v2.py │ │ │ └── l3reference │ │ │ │ ├── __init__.py │ │ │ │ └── firewall_l3_agent_v2.py │ │ │ ├── driver_api.py │ │ │ └── ovn │ │ │ ├── __init__.py │ │ │ ├── acl.py │ │ │ ├── constants.py │ │ │ ├── exceptions.py │ │ │ └── firewall_l3_driver.py │ └── logapi │ │ ├── __init__.py │ │ ├── agents │ │ ├── __init__.py │ │ ├── drivers │ │ │ ├── __init__.py │ │ │ └── iptables │ │ │ │ ├── __init__.py │ │ │ │ ├── driver.py │ │ │ │ └── log.py │ │ └── l3 │ │ │ ├── __init__.py │ │ │ └── fwg_log.py │ │ ├── common │ │ ├── __init__.py │ │ ├── fwg_callback.py │ │ ├── log_db_api.py │ │ └── port_callback.py │ │ ├── constants.py │ │ ├── exceptions.py │ │ ├── fwg_validate.py │ │ └── rpc │ │ ├── __init__.py │ │ └── log_server.py ├── tests │ ├── __init__.py │ ├── base.py │ ├── contrib │ │ ├── README │ │ ├── filters.template │ │ ├── functional-testing.filters │ │ ├── gate_hook.sh │ │ ├── gate_hook_tempest.sh │ │ ├── hooks │ │ │ ├── api_extensions-base │ │ │ ├── api_extensions-legacy │ │ │ ├── api_extensions-v1 │ │ │ ├── api_extensions-v2 │ │ │ └── iptables_verify │ │ └── post_test_hook.sh │ ├── fullstack │ │ ├── README │ │ ├── __init__.py │ │ ├── base.py │ │ ├── resources │ │ │ ├── __init__.py │ │ │ ├── client.py │ │ │ ├── config.py │ │ │ ├── environment.py │ │ │ ├── machine.py │ │ │ └── process.py │ │ └── test_l3_agent.py │ ├── functional │ │ ├── __init__.py │ │ ├── db │ │ │ ├── __init__.py │ │ │ └── test_migrations.py │ │ ├── privileged │ │ │ ├── __init__.py │ │ │ ├── test_dummy.py │ │ │ ├── test_netlink_lib.py │ │ │ └── test_utils.py │ │ └── services │ │ │ ├── __init__.py │ │ │ └── logapi │ │ │ ├── __init__.py │ │ │ └── agents │ │ │ ├── __init__.py │ │ │ └── drivers │ │ │ ├── __init__.py │ │ │ └── iptables │ │ │ ├── __init__.py │ │ │ └── test_log.py │ └── unit │ │ ├── __init__.py │ │ ├── cmd │ │ ├── __init__.py │ │ └── upgrade_checks │ │ │ ├── __init__.py │ │ │ └── test_checks.py │ │ ├── db │ │ ├── __init__.py │ │ └── firewall │ │ │ ├── 
__init__.py │ │ │ └── v2 │ │ │ ├── __init__.py │ │ │ └── test_firewall_db_v2.py │ │ ├── policies │ │ ├── __init__.py │ │ ├── test_firewall_group.py │ │ ├── test_firewall_policy.py │ │ └── test_firewall_rule.py │ │ ├── privileged │ │ ├── __init__.py │ │ ├── netfilter_log │ │ │ ├── __init__.py │ │ │ └── test_libnetfilter_log.py │ │ ├── test_netlink_lib.py │ │ └── test_utils.py │ │ └── services │ │ ├── __init__.py │ │ ├── firewall │ │ ├── __init__.py │ │ ├── service_drivers │ │ │ ├── __init__.py │ │ │ ├── agents │ │ │ │ ├── __init__.py │ │ │ │ ├── drivers │ │ │ │ │ ├── __init__.py │ │ │ │ │ └── linux │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── l2 │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── noop │ │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ │ └── test_noop_driver.py │ │ │ │ │ │ └── openvswitch_firewall │ │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ │ ├── test_firewall.py │ │ │ │ │ │ │ └── test_rules.py │ │ │ │ │ │ ├── test_iptables_fwaas_v2.py │ │ │ │ │ │ ├── test_legacy_conntrack.py │ │ │ │ │ │ └── test_netlink_conntrack.py │ │ │ │ ├── l2 │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── fake_data.py │ │ │ │ │ └── test_fwaas_v2.py │ │ │ │ ├── l3reference │ │ │ │ │ ├── __init__.py │ │ │ │ │ └── test_firewall_l3_agent_v2.py │ │ │ │ ├── test_agents.py │ │ │ │ ├── test_firewall_agent_api.py │ │ │ │ └── test_firewall_service.py │ │ │ ├── ovn │ │ │ │ ├── __init__.py │ │ │ │ └── test_firewall_l3_driver.py │ │ │ └── test_driver_api.py │ │ └── test_fwaas_plugin_v2.py │ │ └── logapi │ │ ├── __init__.py │ │ ├── agents │ │ ├── __init__.py │ │ ├── drivers │ │ │ ├── __init__.py │ │ │ └── iptables │ │ │ │ ├── __init__.py │ │ │ │ ├── test_driver.py │ │ │ │ └── test_log.py │ │ └── l3 │ │ │ ├── __init__.py │ │ │ └── test_fwg_log.py │ │ ├── base.py │ │ ├── common │ │ ├── __init__.py │ │ ├── test_fwg_callback.py │ │ ├── test_log_db_api.py │ │ └── test_port_callback.py │ │ ├── rpc │ │ ├── __init__.py │ │ └── test_log_server.py │ │ └── test_fwg_validate.py └── version.py ├── playbooks └── 
configure_functional_job.yaml ├── pyproject.toml ├── releasenotes ├── notes │ ├── .placeholder │ ├── add-missing-pk-firewall_group_associations_v2-3fddb21b3a19b598.yaml │ ├── adding-new-tables-for-future-consumption-ffd537c1f82e2e01.yaml │ ├── auto-association-default-firewall-group-7e9faf1afca1df85.yaml │ ├── bug-1702242-c917c832ac2fa4e1.yaml │ ├── bug-1746404-493a66faac333403.yaml │ ├── bug-1799358-360c6ab27a32e0ac.yaml │ ├── cisco-fwaas-driver-move-8f46325d13c93543.yaml │ ├── coexistence-between-sg-and-fwg-1f77a755539a9463.yaml │ ├── config-file-generation-265c5256668a26bf.yaml │ ├── deprecate-neutron-fwaas-as-stadium-project-934d6acb3e824249.yaml │ ├── drop-python-2-7-73d3113c69d724c1.yaml │ ├── drop-python-3-6-and-3-7-b1cf8738aaab988f.yaml │ ├── enable-quotas-a3d0a21743bb1985.yaml │ ├── fix-fwaas-log-duplication-85159dc33e43f095.yaml │ ├── fwaas-config-9c780ccfb0e7887f.yaml │ ├── fwaas-v2-logging-79cbaa43ff17f47f.yaml │ ├── fwaas_v2-374471c215af0ca0.yaml │ ├── mcafee-fwaas-driver-removal-8915271e5d4288cf.yaml │ ├── ovs-firewall-driver-c347ea0a560b7e38.yaml │ ├── remove-v1-to-v2-migration-4c5b7f60c6843739.yaml │ ├── remove_fwaas_v1-15c6e19484f46d1b.yaml │ ├── s-rbac-api-policies-added-4dc1db4ff91fbbed.yaml │ ├── support-l3-firewall-for-ovn-driver-3f5632ad13cf35fd.yaml │ ├── validation_if_port_is_supported-639d0df705eb67f9.yaml │ ├── varmour-fwaas-driver-removal-f7aa304a4544134a.yaml │ └── vyatta-fwaas-driver-removal-e38e6ecde5105084.yaml └── source │ ├── 2023.1.rst │ ├── 2023.2.rst │ ├── 2024.1.rst │ ├── 2024.2.rst │ ├── 2025.1.rst │ ├── _static │ └── .placeholder │ ├── _templates │ └── .placeholder │ ├── conf.py │ ├── index.rst │ ├── liberty.rst │ ├── locale │ ├── en_GB │ │ └── LC_MESSAGES │ │ │ └── releasenotes.po │ └── fr │ │ └── LC_MESSAGES │ │ └── releasenotes.po │ ├── mitaka.rst │ ├── newton.rst │ ├── ocata.rst │ ├── pike.rst │ ├── queens.rst │ ├── rocky.rst │ ├── stein.rst │ ├── unreleased.rst │ └── zed.rst ├── requirements.txt ├── roles └── 
configure_functional_tests │ ├── README.rst │ ├── defaults │ └── main.yaml │ └── tasks │ └── main.yaml ├── setup.cfg ├── setup.py ├── test-requirements.txt ├── tools ├── check_unit_test_structure.sh ├── clean.sh ├── configure_for_func_testing.sh ├── configure_for_fwaas_func_testing.sh ├── deploy_rootwrap.sh └── generate_config_file_samples.sh └── tox.ini /.coveragerc: -------------------------------------------------------------------------------- 1 | [run] 2 | branch = True 3 | source = neutron_fwaas 4 | omit = neutron_fwaas/tests/* 5 | 6 | [report] 7 | ignore_errors = True 8 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | AUTHORS 2 | build/* 3 | build-stamp 4 | ChangeLog 5 | cover/ 6 | covhtml/ 7 | dist/ 8 | doc/build 9 | doc/source/_static/config_samples/*.sample 10 | doc/source/_static/*.policy.yaml.sample 11 | doc/source/contributor/api/ 12 | etc/*.sample 13 | *.DS_Store 14 | *.pyc 15 | neutron.egg-info/ 16 | neutron_fwaas.egg-info/ 17 | neutron/vcsversion.py 18 | neutron/versioninfo 19 | pbr*.egg/ 20 | run_tests.err.log 21 | run_tests.log 22 | setuptools*.egg/ 23 | subunit.log 24 | *.mo 25 | *.sw? 
26 | *~ 27 | /.* 28 | !/.coveragerc 29 | !/.gitignore 30 | !/.gitreview 31 | !/.mailmap 32 | !/.pylintrc 33 | !/.zuul.yaml 34 | !/.stestr.conf 35 | 36 | # Files created by releasenotes build 37 | releasenotes/build 38 | -------------------------------------------------------------------------------- /.gitreview: -------------------------------------------------------------------------------- 1 | [gerrit] 2 | host=review.opendev.org 3 | port=29418 4 | project=openstack/neutron-fwaas.git 5 | -------------------------------------------------------------------------------- /.mailmap: -------------------------------------------------------------------------------- 1 | # Format is: 2 | # 3 | # 4 | lawrancejing 5 | Jiajun Liu 6 | Zhongyue Luo 7 | Kun Huang 8 | Zhenguo Niu 9 | Isaku Yamahata 10 | Isaku Yamahata 11 | Morgan Fainberg 12 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | default_language_version: 3 | # force all unspecified python hooks to run python3 4 | python: python3 5 | repos: 6 | - repo: https://github.com/pre-commit/pre-commit-hooks 7 | rev: v5.0.0 8 | hooks: 9 | - id: trailing-whitespace 10 | - id: mixed-line-ending 11 | args: ['--fix', 'lf'] 12 | exclude: '.*\.(svg)$' 13 | - id: check-byte-order-marker 14 | - id: check-executables-have-shebangs 15 | - id: check-merge-conflict 16 | - id: debug-statements 17 | - id: check-json 18 | files: .*\.json$ 19 | - id: check-yaml 20 | files: .*\.(yaml|yml)$ 21 | - repo: https://github.com/Lucas-C/pre-commit-hooks 22 | rev: v1.5.5 23 | hooks: 24 | - id: remove-tabs 25 | exclude: '.*\.(svg)$' 26 | - repo: local 27 | hooks: 28 | - id: flake8 29 | name: flake8 30 | additional_dependencies: 31 | - hacking>=6.1.0,<6.2.0 32 | - neutron-lib 33 | language: python 34 | entry: flake8 35 | files: '^.*\.py$' 36 | exclude: '^(doc|releasenotes|tools)/.*$' 37 | 
-------------------------------------------------------------------------------- /.pylintrc: -------------------------------------------------------------------------------- 1 | # The format of this file isn't really documented; just use --generate-rcfile 2 | [MASTER] 3 | # Add to the black list. It should be a base name, not a 4 | # path. You may set this option multiple times. 5 | # 6 | ignore=.git,tests 7 | 8 | [MESSAGES CONTROL] 9 | # NOTE(gus): This is a long list. A number of these are important and 10 | # should be re-enabled once the offending code is fixed (or marked 11 | # with a local disable) 12 | disable= 13 | # "F" Fatal errors that prevent further processing 14 | import-error, 15 | # "I" Informational noise 16 | locally-disabled, 17 | # "E" Error for important programming issues (likely bugs) 18 | access-member-before-definition, 19 | bad-super-call, 20 | maybe-no-member, 21 | no-member, 22 | no-method-argument, 23 | no-self-argument, 24 | not-callable, 25 | no-value-for-parameter, 26 | super-on-old-class, 27 | too-few-format-args, 28 | # "W" Warnings for stylistic problems or minor programming issues 29 | abstract-method, 30 | anomalous-backslash-in-string, 31 | anomalous-unicode-escape-in-string, 32 | arguments-differ, 33 | attribute-defined-outside-init, 34 | bad-builtin, 35 | bad-indentation, 36 | broad-except, 37 | dangerous-default-value, 38 | deprecated-lambda, 39 | duplicate-key, 40 | expression-not-assigned, 41 | fixme, 42 | global-statement, 43 | global-variable-not-assigned, 44 | logging-not-lazy, 45 | no-init, 46 | pointless-string-statement, 47 | protected-access, 48 | redefined-builtin, 49 | redefined-outer-name, 50 | redefine-in-handler, 51 | signature-differs, 52 | star-args, 53 | super-init-not-called, 54 | unnecessary-lambda, 55 | unnecessary-pass, 56 | unpacking-non-sequence, 57 | unreachable, 58 | unused-argument, 59 | unused-import, 60 | unused-variable, 61 | # "C" Coding convention violations 62 | bad-continuation, 63 | 
invalid-name, 64 | missing-docstring, 65 | old-style-class, 66 | superfluous-parens, 67 | # "R" Refactor recommendations 68 | abstract-class-little-used, 69 | abstract-class-not-used, 70 | duplicate-code, 71 | interface-not-implemented, 72 | no-self-use, 73 | too-few-public-methods, 74 | too-many-ancestors, 75 | too-many-arguments, 76 | too-many-branches, 77 | too-many-instance-attributes, 78 | too-many-lines, 79 | too-many-locals, 80 | too-many-public-methods, 81 | too-many-return-statements, 82 | too-many-statements 83 | 84 | [BASIC] 85 | # Variable names can be 1 to 31 characters long, with lowercase and underscores 86 | variable-rgx=[a-z_][a-z0-9_]{0,30}$ 87 | 88 | # Argument names can be 2 to 31 characters long, with lowercase and underscores 89 | argument-rgx=[a-z_][a-z0-9_]{1,30}$ 90 | 91 | # Method names should be at least 3 characters long 92 | # and be lowercased with underscores 93 | method-rgx=([a-z_][a-z0-9_]{2,}|setUp|tearDown)$ 94 | 95 | # Module names matching neutron-* are ok (files in bin/) 96 | module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+)|(neutron-[a-z0-9_-]+))$ 97 | 98 | # Don't require docstrings on tests. 99 | no-docstring-rgx=((__.*__)|([tT]est.*)|setUp|tearDown)$ 100 | 101 | [FORMAT] 102 | # Maximum number of characters on a single line. 103 | max-line-length=79 104 | 105 | [VARIABLES] 106 | # List of additional names supposed to be defined in builtins. Remember that 107 | # you should avoid to define new builtins when possible. 108 | # _ is used by our localization 109 | additional-builtins=_ 110 | 111 | [CLASSES] 112 | # List of interface methods to ignore, separated by a comma. 
113 | ignore-iface-methods= 114 | 115 | [IMPORTS] 116 | # Deprecated modules which should not be used, separated by a comma 117 | deprecated-modules= 118 | # should use oslo_serialization.jsonutils 119 | json 120 | 121 | [TYPECHECK] 122 | # List of module names for which member attributes should not be checked 123 | ignored-modules=six.moves,_MovedItems 124 | 125 | [REPORTS] 126 | # Tells whether to display a full report or only the messages 127 | reports=no 128 | -------------------------------------------------------------------------------- /.stestr.conf: -------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | test_path=${OS_TEST_PATH:-./neutron_fwaas/tests/unit} 3 | top_dir=./ 4 | -------------------------------------------------------------------------------- /.zuul.yaml: -------------------------------------------------------------------------------- 1 | - project: 2 | templates: 3 | - check-requirements 4 | - openstack-cover-jobs-neutron 5 | - openstack-python3-jobs-neutron 6 | - periodic-stable-jobs-neutron 7 | - publish-openstack-docs-pti 8 | - release-notes-jobs-python3 9 | check: 10 | jobs: 11 | - openstack-tox-docs: 12 | required-projects: 13 | - openstack/neutron-lib 14 | - openstack/neutron 15 | - neutron-fwaas-functional 16 | - neutron-tempest-plugin-fwaas-ovn 17 | - neutron-tempest-plugin-fwaas-openvswitch 18 | - neutron-fwaas-v2-dsvm-tempest-multinode 19 | gate: 20 | jobs: 21 | - openstack-tox-docs: 22 | required-projects: 23 | - openstack/neutron-lib 24 | - openstack/neutron 25 | - neutron-fwaas-functional 26 | - neutron-tempest-plugin-fwaas-ovn 27 | - neutron-tempest-plugin-fwaas-openvswitch 28 | experimental: 29 | jobs: 30 | - neutron-fwaas-fullstack 31 | - openstack-tox-py312-with-oslo-master 32 | periodic-weekly: 33 | jobs: 34 | - openstack-tox-py312 35 | - openstack-tox-py312-with-oslo-master 36 | - neutron-fwaas-functional 37 | - neutron-tempest-plugin-fwaas-ovn 38 | - 
neutron-tempest-plugin-fwaas-openvswitch 39 | 40 | - job: 41 | name: neutron-fwaas-functional 42 | parent: neutron-functional 43 | timeout: 2400 44 | pre-run: playbooks/configure_functional_job.yaml 45 | vars: 46 | project_name: neutron-fwaas 47 | devstack_services: 48 | INSTALL_OVN: false 49 | 50 | - job: 51 | name: neutron-fwaas-fullstack 52 | parent: neutron-fullstack 53 | vars: 54 | project_name: neutron-fwaas 55 | 56 | - job: 57 | name: neutron-fwaas-v2-dsvm-tempest-multinode 58 | parent: neutron-ovs-tempest-multinode-full 59 | roles: 60 | - zuul: openstack/devstack 61 | required-projects: 62 | - openstack/neutron 63 | - openstack/neutron-fwaas 64 | - openstack/neutron-tempest-plugin 65 | - openstack/tempest 66 | vars: 67 | tox_envlist: all 68 | tempest_test_regex: '^(neutron_tempest_plugin.fwaas)' 69 | devstack_plugins: 70 | neutron: https://opendev.org/openstack/neutron.git 71 | neutron-fwaas: https://opendev.org/openstack/neutron-fwaas.git 72 | neutron-tempest-plugin: https://opendev.org/openstack/neutron-tempest-plugin.git 73 | tempest_plugins: 74 | - neutron-tempest-plugin 75 | devstack_services: 76 | q-fwaas-v2: true 77 | devstack_localrc: 78 | NETWORK_API_EXTENSIONS: "agent,binding,dhcp_agent_scheduler,external-net,ext-gw-mode,extra_dhcp_opts,quotas,router,security-group,subnet_allocation,network-ip-availability,auto-allocated-topology,timestamp_core,tag,service-type,rbac-policies,standard-attr-description,pagination,sorting,project-id,fwaas_v2" 79 | Q_AGENT: openvswitch 80 | Q_ML2_TENANT_NETWORK_TYPE: vxlan 81 | Q_ML2_PLUGIN_MECHANISM_DRIVERS: openvswitch 82 | group-vars: 83 | subnode: 84 | devstack_services: 85 | q-agt: true 86 | devstack_localrc: 87 | USE_PYTHON3: true 88 | devstack_local_conf: 89 | post-config: 90 | # NOTE(slaweq): We can get rid of this hardcoded absolute path when 91 | # devstack-tempest job will be switched to use lib/neutron instead of 92 | # lib/neutron-legacy 93 | "/$NEUTRON_CORE_PLUGIN_CONF": 94 | ovs: 95 | tunnel_bridge: 
br-tun 96 | bridge_mappings: public:br-ex 97 | -------------------------------------------------------------------------------- /CONTRIBUTING.rst: -------------------------------------------------------------------------------- 1 | Please see the Neutron CONTRIBUTING.rst file for how to contribute to 2 | neutron-fwaas: 3 | 4 | `Neutron CONTRIBUTING.rst `_ 5 | -------------------------------------------------------------------------------- /HACKING.rst: -------------------------------------------------------------------------------- 1 | Neutron FWaaS Style Commandments 2 | ================================ 3 | 4 | Please see the Neutron HACKING.rst file for style commandments for 5 | neutron-fwaas: 6 | 7 | `Neutron HACKING.rst `_ 8 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | ======================== 2 | Team and repository tags 3 | ======================== 4 | 5 | .. image:: https://governance.openstack.org/tc/badges/neutron-fwaas.svg 6 | :target: https://governance.openstack.org/tc/reference/tags/index.html 7 | 8 | .. Change things from this point on 9 | 10 | Welcome! 11 | ======== 12 | 13 | This package contains the code for the Neutron Firewall as a Service 14 | (FWaaS) service. This package requires Neutron to run. 15 | 16 | External Resources: 17 | =================== 18 | 19 | The homepage for Neutron is: https://launchpad.net/neutron. Use this 20 | site for asking for help, and filing bugs. We use a single Launchpad 21 | page for all Neutron projects. 22 | 23 | Code is available on git.openstack.org at: 24 | . 
25 | 26 | Please refer to Neutron documentation for more information: 27 | `Neutron README.rst `_ 28 | 29 | Get release notes: 30 | `Neutron FWaaS Release Notes `_ 31 | 32 | -------------------------------------------------------------------------------- /TESTING.rst: -------------------------------------------------------------------------------- 1 | Testing Neutron FWaaS 2 | ===================== 3 | 4 | Please see the TESTING.rst file for the Neutron project itself. This will have 5 | the latest up to date instructions for how to test Neutron, and will 6 | be applicable to neutron-fwaas as well: 7 | 8 | `Neutron TESTING.rst `_ 9 | 10 | For instructions on how to use FWaaS with devstack, look at: 11 | 12 | `Neutron-FWaaS DevStack `_ 13 | -------------------------------------------------------------------------------- /bindep.txt: -------------------------------------------------------------------------------- 1 | # This file contains runtime (non-python) dependencies 2 | # More info at: http://docs.openstack.org/infra/bindep/readme.html 3 | 4 | # MySQL and PostgreSQL databases since some jobs are set up in 5 | # OpenStack infra that need these like 6 | libpq-dev [test] 7 | libczmq4 [test] 8 | 9 | # Packages required e.g. in functional tests 10 | libnetfilter-log1 [platform:dpkg platform:suse] 11 | libnetfilter-log [platform:rpm !platform:suse] 12 | -------------------------------------------------------------------------------- /devstack/README.rst: -------------------------------------------------------------------------------- 1 | ========================= 2 | neutron-fwaas in DevStack 3 | ========================= 4 | 5 | This is setup as a DevStack plugin. For more information on DevStack plugins, 6 | see the `DevStack Plugins documentation 7 | `_. 
8 | 9 | Please note that the old 'q-fwaas' keyword still exists. You can specify 10 | enable_service q-fwaas or enable_service q-fwaas-v2 in local.conf 11 | 12 | How to run FWaaS V2 in DevStack 13 | =============================== 14 | 15 | Add the following to the localrc section of your local.conf to configure 16 | FWaaS v2. 17 | 18 | .. code-block:: ini 19 | 20 | [[local|localrc]] 21 | enable_plugin neutron-fwaas https://git.openstack.org/openstack/neutron-fwaas 22 | 23 | To check a specific patchset that is currently under development, use a form 24 | like the below example, which is checking out change 214350 patch set 14 for 25 | testing. Such a ref is unmerged code that has not completed review, and DevStack sources the plugin's devstack/plugin.sh from whatever it checks out, so run this form only on a disposable test host. 26 | 27 | .. code-block:: ini 28 | 29 | [[local|localrc]] 30 | enable_plugin neutron-fwaas https://review.openstack.org/p/openstack/neutron-fwaas refs/changes/50/214350/14 31 | -------------------------------------------------------------------------------- /devstack/lib/l2_agent: -------------------------------------------------------------------------------- 1 | # This file was shamelessly stolen from the neutron repository here: 2 | # https://opendev.org/openstack/neutron/src/branch/master/devstack/lib/l2_agent 3 | 4 | function plugin_agent_add_l2_agent_extension { 5 | local l2_agent_extension=$1 6 | if [[ -z "$L2_AGENT_EXTENSIONS" ]]; then 7 | L2_AGENT_EXTENSIONS=$l2_agent_extension 8 | elif [[ ! 
,${L2_AGENT_EXTENSIONS}, =~ ,${l2_agent_extension}, ]]; then 9 | L2_AGENT_EXTENSIONS+=",$l2_agent_extension" 10 | fi 11 | } 12 | 13 | 14 | function configure_l2_agent { 15 | iniset /$Q_PLUGIN_CONF_FILE agent extensions "$L2_AGENT_EXTENSIONS" 16 | } 17 | -------------------------------------------------------------------------------- /devstack/lib/l3_agent: -------------------------------------------------------------------------------- 1 | # This file is completely based on one in the neutron repository here: 2 | # https://opendev.org/openstack/neutron/src/branch/master/devstack/lib/l2_agent 3 | 4 | function plugin_agent_add_l3_agent_extension { 5 | local l3_agent_extension=$1 6 | if [[ -z "$L3_AGENT_EXTENSIONS" ]]; then 7 | L3_AGENT_EXTENSIONS=$l3_agent_extension 8 | elif [[ ! ,${L3_AGENT_EXTENSIONS}, =~ ,${l3_agent_extension}, ]]; then 9 | L3_AGENT_EXTENSIONS+=",$l3_agent_extension" 10 | fi 11 | } 12 | 13 | 14 | function configure_l3_agent { 15 | iniset $Q_L3_CONF_FILE agent extensions "$L3_AGENT_EXTENSIONS" 16 | } 17 | -------------------------------------------------------------------------------- /devstack/settings: -------------------------------------------------------------------------------- 1 | FWAAS_DRIVER_V2=${FWAAS_DRIVER_V2:-iptables_v2} 2 | FW_L2_DRIVER=${FW_L2_DRIVER:-noop} 3 | FWAAS_PLUGIN_V2=${FWAAS_PLUGIN:-firewall_v2} 4 | 5 | NEUTRON_FWAAS_DIR=$DEST/neutron-fwaas 6 | NEUTRON_FWAAS_CONF_FILE=neutron_fwaas.conf 7 | 8 | NEUTRON_FWAAS_CONF=$NEUTRON_CONF_DIR/$NEUTRON_FWAAS_CONF_FILE 9 | 10 | NEUTRON_FWAAS_SERVICE_PROVIDERV2=${NEUTRON_FWAAS_SERVICE_PROVIDERV2:-FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default} 11 | NEUTRON_FWAAS_SERVICE_PROVIDERV2_OVN=${NEUTRON_FWAAS_SERVICE_PROVIDERV2_OVN:-FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.ovn.firewall_l3_driver.OVNFwaasDriver:default} 12 | 13 | enable_service q-fwaas-v2 14 | 
-------------------------------------------------------------------------------- /doc/requirements.txt: -------------------------------------------------------------------------------- 1 | # The order of packages is significant, because pip processes them in the order 2 | # of appearance. Changing the order has an impact on the overall integration 3 | # process, which may cause wedges in the gate later. 4 | sphinx!=1.6.6,!=1.6.7,>=1.6.2 # BSD 5 | sphinxcontrib-apidoc>=0.2.0 # BSD 6 | openstackdocstheme>=1.18.1 # Apache-2.0 7 | reno>=2.5.0 # Apache-2.0 8 | -------------------------------------------------------------------------------- /doc/source/_static/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/doc/source/_static/.placeholder -------------------------------------------------------------------------------- /doc/source/configuration/fwaas_driver.rst: -------------------------------------------------------------------------------- 1 | ================ 2 | fwaas_driver.ini 3 | ================ 4 | 5 | .. show-options:: 6 | :config-file: etc/oslo-config-generator/fwaas_driver.ini 7 | -------------------------------------------------------------------------------- /doc/source/configuration/index.rst: -------------------------------------------------------------------------------- 1 | .. _configuring: 2 | 3 | ================================= 4 | Neutron FWaaS Configuration Guide 5 | ================================= 6 | 7 | This section provides a list of all possible options for each 8 | configuration file. 9 | 10 | Configuration 11 | ------------- 12 | 13 | Neutron FWaaS uses the following configuration files for its various services. 14 | 15 | .. toctree:: 16 | :maxdepth: 1 17 | 18 | neutron_fwaas 19 | fwaas_driver 20 | 21 | The following are sample configuration files for Neutron FWaaS and utilities. 
22 | These are generated from code and reflect the current state of code 23 | in the neutron-fwaas repository. 24 | 25 | .. toctree:: 26 | :glob: 27 | :maxdepth: 1 28 | 29 | samples/* 30 | 31 | Policy 32 | ------ 33 | 34 | Neutron FWaaS, like most OpenStack projects, uses a policy language to restrict 35 | permissions on REST API actions. 36 | 37 | .. toctree:: 38 | :maxdepth: 1 39 | 40 | Policy Reference 41 | Sample Policy File 42 | -------------------------------------------------------------------------------- /doc/source/configuration/neutron_fwaas.rst: -------------------------------------------------------------------------------- 1 | ================== 2 | neutron_fwaas.conf 3 | ================== 4 | 5 | .. show-options:: 6 | :config-file: etc/oslo-config-generator/neutron_fwaas.conf 7 | -------------------------------------------------------------------------------- /doc/source/configuration/policy-sample.rst: -------------------------------------------------------------------------------- 1 | ================================ 2 | Sample Neutron FWaaS Policy File 3 | ================================ 4 | 5 | The following is a sample neutron-fwaas policy file for adaptation and use. 6 | 7 | The sample policy can also be viewed in :download:`file form 8 | `. 9 | 10 | .. important:: 11 | 12 | The sample policy file is auto-generated from neutron-fwaas when this 13 | documentation is built. You must ensure your version of neutron-fwaas 14 | matches the version of this documentation. 15 | 16 | .. literalinclude:: /_static/neutron-fwaas.policy.yaml.sample 17 | -------------------------------------------------------------------------------- /doc/source/configuration/policy.rst: -------------------------------------------------------------------------------- 1 | ====================== 2 | neutron-fwaas policies 3 | ====================== 4 | 5 | The following is an overview of all available policies in neutron-fwaas. 
6 | For a sample configuration file, refer to :doc:`/configuration/policy-sample`. 7 | 8 | .. show-policy:: 9 | :config-file: etc/oslo-policy-generator/policy.conf 10 | -------------------------------------------------------------------------------- /doc/source/configuration/samples/fwaas_driver.rst: -------------------------------------------------------------------------------- 1 | ======================= 2 | Sample fwaas_driver.ini 3 | ======================= 4 | 5 | This sample configuration can also be viewed in `the raw format 6 | <../../_static/config_samples/fwaas_driver.conf.sample>`_. 7 | 8 | .. literalinclude:: ../../_static/config_samples/fwaas_driver.conf.sample 9 | -------------------------------------------------------------------------------- /doc/source/configuration/samples/neutron_fwaas.rst: -------------------------------------------------------------------------------- 1 | ========================= 2 | Sample neutron_fwaas.conf 3 | ========================= 4 | 5 | This sample configuration can also be viewed in `the raw format 6 | <../../_static/config_samples/neutron_fwaas.conf.sample>`_. 7 | 8 | .. 
literalinclude:: ../../_static/config_samples/neutron_fwaas.conf.sample 9 | -------------------------------------------------------------------------------- /doc/source/contributor/contributing.rst: -------------------------------------------------------------------------------- 1 | ============================= 2 | Contributing to neutron-fwaas 3 | ============================= 4 | 5 | If you would like to contribute to the development of OpenStack, you must 6 | follow the steps documented at: 7 | https://docs.openstack.org/infra/manual/developers.html 8 | 9 | Once those steps have been completed, changes to OpenStack should be submitted 10 | for review via the Gerrit tool, following the workflow documented at: 11 | https://docs.openstack.org/infra/manual/developers.html#development-workflow 12 | 13 | Pull requests submitted through GitHub will be ignored. 14 | 15 | Bugs should be filed on Launchpad in the 'neutron' project: 16 | https://bugs.launchpad.net/neutron 17 | 18 | To get in touch with the neutron-fwaas community, 19 | look at the following resources: 20 | 21 | - Join the #openstack-fwaas IRC channel on Freenode. This is where the 22 | FireWall-as-a-Service team is available for discussion. 23 | - Join the `FireWall-as-a-Service weekly IRC meeting 24 | `_ 25 | where the status of new initiatives and bugs is discussed. 26 | 27 | These are great places to get recommendations on where to start contributing 28 | to neutron-fwaas. 29 | -------------------------------------------------------------------------------- /doc/source/contributor/devstack.rst: -------------------------------------------------------------------------------- 1 | .. 
include:: ../../../devstack/README.rst 2 | -------------------------------------------------------------------------------- /doc/source/contributor/fwaas_v2.rst: -------------------------------------------------------------------------------- 1 | FireWall as a Service V2 2 | ======================== 3 | 4 | The `FireWall as a Service API V2 5 | `_ 6 | specification lists the changes that together compose FWaaS V2. These changes 7 | are not fully implemented. 8 | -------------------------------------------------------------------------------- /doc/source/contributor/index.rst: -------------------------------------------------------------------------------- 1 | ================= 2 | Contributor Guide 3 | ================= 4 | 5 | .. toctree:: 6 | :maxdepth: 2 7 | 8 | contributing 9 | fwaas_v2 10 | devstack 11 | 12 | .. API reference contains a lot of sections, toctree with maxdepth 1 is used. 13 | .. toctree:: 14 | :glob: 15 | :maxdepth: 1 16 | 17 | modules 18 | -------------------------------------------------------------------------------- /doc/source/contributor/modules.rst: -------------------------------------------------------------------------------- 1 | ================ 2 | Module Reference 3 | ================ 4 | 5 | .. The module reference is rendered in HTML version much much better. 6 | PDF version is not good for reading due to page width, lack of TOC 7 | in subsections and so on, so we skip the module reference in PDF version. 8 | 9 | .. only:: html 10 | 11 | .. toctree:: 12 | :maxdepth: 1 13 | :glob: 14 | 15 | api/* 16 | 17 | .. only:: latex 18 | 19 | See the online version of this document for the module reference. 20 | -------------------------------------------------------------------------------- /doc/source/index.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | neutron-fwaas documentation 3 | =========================== 4 | 5 | .. 
warning:: 6 | Due to a lack of maintainers, this project is now deprecated in the Neutron 7 | stadium and will be removed from the stadium in the ``W`` cycle. 8 | If you want to step in and become a maintainer of this project to keep it in the 9 | Neutron stadium, please contact the ``neutron team`` via 10 | openstack-discuss@lists.openstack.org or IRC channel #openstack-neutron 11 | @freenode. 12 | 13 | .. toctree:: 14 | :glob: 15 | :maxdepth: 2 16 | 17 | install/index 18 | configuration/index 19 | contributor/index 20 | 21 | .. only:: html 22 | 23 | .. rubric:: Indices and tables 24 | 25 | * :ref:`genindex` 26 | * :ref:`modindex` 27 | * :ref:`search` 28 | -------------------------------------------------------------------------------- /doc/source/install/index.rst: -------------------------------------------------------------------------------- 1 | .. 2 | Licensed under the Apache License, Version 2.0 (the "License"); you may 3 | not use this file except in compliance with the License. You may obtain 4 | a copy of the License at 5 | 6 | http://www.apache.org/licenses/LICENSE-2.0 7 | 8 | Unless required by applicable law or agreed to in writing, software 9 | distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 10 | WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 11 | License for the specific language governing permissions and limitations 12 | under the License. 13 | 14 | 15 | Convention for heading levels in Neutron devref: 16 | ======= Heading 0 (reserved for the title in a document) 17 | ------- Heading 1 18 | ~~~~~~~ Heading 2 19 | +++++++ Heading 3 20 | ''''''' Heading 4 21 | (Avoid deeper levels because they do not render well.) 
22 | 23 | 24 | ============ 25 | Installation 26 | ============ 27 | 28 | At the command line:: 29 | 30 | $ pip install neutron-fwaas 31 | 32 | Or, if you have virtualenvwrapper installed:: 33 | 34 | $ mkvirtualenv neutron-fwaas 35 | $ pip install neutron-fwaas 36 | 37 | For information on what to do with FWaaS once it is installed, please check the 38 | Networking Guide `Firewall-as-a-Service (FWaaS) v2 scenario `_ or 39 | the `Firewall-as-a-Service (FWaaS) v1 scenario `_. 40 | -------------------------------------------------------------------------------- /etc/README.txt: -------------------------------------------------------------------------------- 1 | To generate the sample neutron-fwaas configuration files, run the following 2 | command from the top level of the neutron-fwaas directory: 3 | 4 | tox -e genconfig 5 | 6 | If a 'tox' environment is unavailable, then you can run the following script 7 | instead to generate the configuration files: 8 | 9 | ./tools/generate_config_file_samples.sh 10 | -------------------------------------------------------------------------------- /etc/neutron/rootwrap.d/fwaas-privsep.filters: -------------------------------------------------------------------------------- 1 | # neutron-fwaas privsep filters 2 | 3 | # This file should be owned by, and writable only by, the root user: the filter below lets rootwrap start privsep-helper as root, so anyone who can edit this file can change what runs with root privileges. NOTE(review): the (?!\.\.) lookahead in the --config-file pattern only rejects '..' directly after /etc/; confirm that the filter class interprets this argument as intended and resolves the path before matching. 4 | 5 | [Filters] 6 | 7 | privsep-rootwrap: PathFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, neutron_fwaas.privileged.default 8 | -------------------------------------------------------------------------------- /etc/oslo-config-generator/fwaas_driver.ini: -------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | output_file = etc/fwaas_driver.ini.sample 3 | wrap_width = 79 4 | 5 | namespace = firewall.agent 6 | -------------------------------------------------------------------------------- /etc/oslo-config-generator/neutron_fwaas.conf: 
-------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | output_file = etc/neutron_fwaas.conf.sample 3 | wrap_width = 79 4 | 5 | namespace = neutron.fwaas 6 | 7 | -------------------------------------------------------------------------------- /etc/oslo-policy-generator/policy.conf: -------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | output_file = etc/policy.yaml.sample 3 | namespace = neutron-fwaas 4 | -------------------------------------------------------------------------------- /neutron_fwaas/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2011 OpenStack Foundation 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 15 | 16 | import gettext 17 | 18 | 19 | gettext.install('neutron') 20 | -------------------------------------------------------------------------------- /neutron_fwaas/_i18n.py: -------------------------------------------------------------------------------- 1 | # All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. 
You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | 15 | import oslo_i18n 16 | 17 | DOMAIN = "neutron_fwaas" 18 | 19 | _translators = oslo_i18n.TranslatorFactory(domain=DOMAIN) 20 | 21 | # The primary translation function using the well-known name "_" 22 | _ = _translators.primary 23 | 24 | # The contextual translation function using the name "_C" 25 | _C = _translators.contextual_form 26 | 27 | # The plural translation function using the name "_P" 28 | _P = _translators.plural_form 29 | 30 | 31 | def get_available_languages(): 32 | return oslo_i18n.get_available_languages(DOMAIN) 33 | -------------------------------------------------------------------------------- /neutron_fwaas/cmd/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/cmd/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/cmd/upgrade_checks/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/cmd/upgrade_checks/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/cmd/upgrade_checks/checks.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Red Hat Inc. 
2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | 15 | from neutron_lib.utils import upgrade_checks as base_checks 16 | from oslo_config import cfg 17 | from oslo_upgradecheck import upgradecheck 18 | 19 | from neutron_fwaas._i18n import _ 20 | 21 | 22 | class Checks(base_checks.BaseChecks): 23 | 24 | def get_checks(self): 25 | return [ 26 | (_("Check FWaaS v1"), self.fwaas_v1_check) 27 | ] 28 | 29 | @staticmethod 30 | def fwaas_v1_check(checker): 31 | fwaas_v1_names = [ 32 | 'firewall', 33 | 'neutron_fwaas.services.firewall.fwaas_plugin:FirewallPlugin'] 34 | for name in fwaas_v1_names: 35 | if name in cfg.CONF.service_plugins: 36 | return upgradecheck.Result( 37 | upgradecheck.Code.FAILURE, 38 | _("FWaaS v1 is removed. " 39 | "FWaaS v2 should be used instead.")) 40 | return upgradecheck.Result(upgradecheck.Code.SUCCESS) 41 | -------------------------------------------------------------------------------- /neutron_fwaas/common/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/common/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/common/exceptions.py: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Fujitsu Limited. 2 | # All Rights Reserved. 
3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 15 | 16 | from neutron_lib import exceptions as n_exc 17 | 18 | from neutron_fwaas._i18n import _ 19 | 20 | 21 | # TODO(annp): migrate to neutron-lib after Queen release 22 | class FirewallGroupPortNotSupported(n_exc.Conflict): 23 | message = _("Port %(port_id)s is not supported by firewall driver " 24 | "'%(driver_name)s'.") 25 | -------------------------------------------------------------------------------- /neutron_fwaas/common/fwaas_constants.py: -------------------------------------------------------------------------------- 1 | # Copyright 2015 Cisco Systems, Inc 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 
15 | 16 | FIREWALL = 'FIREWALL' 17 | FIREWALL_V2 = 'FIREWALL_V2' 18 | 19 | # Constants for "topics" 20 | FIREWALL_PLUGIN = 'q-firewall-plugin' 21 | FW_AGENT = 'firewall_agent' 22 | FIREWALL_RULE_LIST = 'firewall_rule_list' 23 | 24 | # V2 Constants 25 | DEFAULT_FWG = 'default' 26 | DEFAULT_FWP_INGRESS = 'default ingress' 27 | DEFAULT_FWP_EGRESS = 'default egress' 28 | 29 | # Firewall group events for agent-side 30 | DELETE_FWG = 'delete_firewall_group' 31 | UPDATE_FWG = 'update_firewall_group' 32 | CREATE_FWG = 'create_firewall_group' 33 | 34 | # Port events for L2 agent extension 35 | HANDLE_PORT = 'handle_port' 36 | DELETE_PORT = 'delete_port' 37 | 38 | # Resource name 39 | 40 | FIREWALL_GROUP = 'firewall_group' 41 | FIREWALL_RULE = 'firewall_rule' 42 | FIREWALL_POLICY = 'firewall_policy' 43 | -------------------------------------------------------------------------------- /neutron_fwaas/common/resources.py: -------------------------------------------------------------------------------- 1 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 2 | # not use this file except in compliance with the License. You may obtain 3 | # a copy of the License at 4 | # 5 | # http://www.apache.org/licenses/LICENSE-2.0 6 | # 7 | # Unless required by applicable law or agreed to in writing, software 8 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 9 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 10 | # License for the specific language governing permissions and limitations 11 | # under the License. 
12 | 13 | from neutron_fwaas.db.firewall.v2 import firewall_db_v2 14 | 15 | FIREWALL_GROUP = firewall_db_v2.FirewallGroup 16 | FIREWALL_POLICY = firewall_db_v2.FirewallPolicy 17 | FIREWALL_RULE = firewall_db_v2.FirewallRuleV2 18 | -------------------------------------------------------------------------------- /neutron_fwaas/db/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/db/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/db/firewall/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/db/firewall/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/db/firewall/v2/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/db/firewall/v2/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/db/migration/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/README: -------------------------------------------------------------------------------- 1 | Generic single-database configuration. 
-------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/db/migration/alembic_migrations/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/env.py: -------------------------------------------------------------------------------- 1 | # Copyright 2014 OpenStack Foundation 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 
14 | 15 | from logging import config as logging_config 16 | 17 | from alembic import context 18 | from neutron_lib.db import model_base 19 | from oslo_config import cfg 20 | from oslo_db.sqlalchemy import session 21 | import sqlalchemy as sa 22 | from sqlalchemy import event 23 | 24 | 25 | MYSQL_ENGINE = None 26 | FWAAS_VERSION_TABLE = 'alembic_version_fwaas' 27 | config = context.config 28 | neutron_config = config.neutron_config 29 | logging_config.fileConfig(config.config_file_name) 30 | target_metadata = model_base.BASEV2.metadata 31 | 32 | 33 | def set_mysql_engine(): 34 | try: 35 | mysql_engine = neutron_config.command.mysql_engine 36 | except cfg.NoSuchOptError: 37 | mysql_engine = None 38 | 39 | global MYSQL_ENGINE 40 | MYSQL_ENGINE = (mysql_engine or 41 | model_base.BASEV2.__table_args__['mysql_engine']) 42 | 43 | 44 | def run_migrations_offline(): 45 | set_mysql_engine() 46 | 47 | kwargs = dict() 48 | if neutron_config.database.connection: 49 | kwargs['url'] = neutron_config.database.connection 50 | else: 51 | kwargs['dialect_name'] = neutron_config.database.engine 52 | kwargs['version_table'] = FWAAS_VERSION_TABLE 53 | context.configure(**kwargs) 54 | 55 | with context.begin_transaction(): 56 | context.run_migrations() 57 | 58 | 59 | @event.listens_for(sa.Table, 'after_parent_attach') 60 | def set_storage_engine(target, parent): 61 | if MYSQL_ENGINE: 62 | target.kwargs['mysql_engine'] = MYSQL_ENGINE 63 | 64 | 65 | def run_migrations_online(): 66 | set_mysql_engine() 67 | engine = session.create_engine(neutron_config.database.connection) 68 | 69 | connection = engine.connect() 70 | context.configure( 71 | connection=connection, 72 | target_metadata=target_metadata, 73 | version_table=FWAAS_VERSION_TABLE 74 | ) 75 | try: 76 | with context.begin_transaction(): 77 | context.run_migrations() 78 | finally: 79 | connection.close() 80 | engine.dispose() 81 | 82 | 83 | if context.is_offline_mode(): 84 | run_migrations_offline() 85 | else: 86 | 
run_migrations_online() 87 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/script.py.mako: -------------------------------------------------------------------------------- 1 | # Copyright ${create_date.year} 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | # 15 | 16 | """${message} 17 | 18 | Revision ID: ${up_revision} 19 | Revises: ${down_revision} 20 | Create Date: ${create_date} 21 | 22 | """ 23 | 24 | # revision identifiers, used by Alembic. 25 | revision = ${repr(up_revision)} 26 | down_revision = ${repr(down_revision)} 27 | % if branch_labels: 28 | branch_labels = ${repr(branch_labels)} 29 | %endif 30 | 31 | from alembic import op 32 | import sqlalchemy as sa 33 | ${imports if imports else ""} 34 | 35 | def upgrade(): 36 | ${upgrades if upgrades else "pass"} 37 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/2023.2/expand/6941ce70131e_add_standard_attr_id.py: -------------------------------------------------------------------------------- 1 | # Copyright 2023 EasyStack Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. 
You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | # 15 | 16 | """add standard attributes 17 | 18 | Revision ID: 6941ce70131e 19 | Revises: f24e0d5e5bff 20 | Create Date: 2022-12-01 04:19:57.324584 21 | 22 | """ 23 | 24 | from alembic import op 25 | import sqlalchemy as sa 26 | 27 | # revision identifiers, used by Alembic. 28 | revision = '6941ce70131e' 29 | down_revision = 'f24e0d5e5bff' 30 | tables = ['firewall_groups_v2', 'firewall_rules_v2', 'firewall_policies_v2'] 31 | 32 | 33 | standardattrs = sa.Table( 34 | 'standardattributes', sa.MetaData(), 35 | sa.Column('id', sa.BigInteger(), primary_key=True, autoincrement=True), 36 | sa.Column('resource_type', sa.String(length=255), nullable=False), 37 | sa.Column('description', sa.String(length=255), nullable=True)) 38 | 39 | 40 | def generate_records_for_existing(table): 41 | model = sa.Table(table, sa.MetaData(), 42 | sa.Column('id', sa.String(length=36), nullable=False), 43 | sa.Column('description', sa.String(length=255), 44 | nullable=True), 45 | sa.Column('standard_attr_id', sa.BigInteger(), 46 | nullable=True)) 47 | session = sa.orm.Session(bind=op.get_bind()) 48 | for row in session.query(model): 49 | res = session.execute( 50 | standardattrs.insert().values(resource_type=table, 51 | description=row[1]) 52 | ) 53 | session.execute( 54 | model.update().values( 55 | standard_attr_id=res.inserted_primary_key[0]).where( 56 | model.c.id == row[0]) 57 | ) 58 | session.commit() 59 | 60 | 61 | def upgrade(): 62 | for table in tables: 63 | op.add_column(table, sa.Column('standard_attr_id', sa.BigInteger(), 64 | 
nullable=True)) 65 | op.create_foreign_key( 66 | constraint_name=None, source_table=table, 67 | referent_table='standardattributes', 68 | local_cols=['standard_attr_id'], remote_cols=['id'], 69 | ondelete='CASCADE') 70 | generate_records_for_existing(table) 71 | op.alter_column(table, 'standard_attr_id', nullable=False, 72 | existing_type=sa.BigInteger(), existing_nullable=True, 73 | existing_server_default=False) 74 | op.create_unique_constraint( 75 | constraint_name='uniq_%s0standard_attr_id' % table, 76 | table_name=table, columns=['standard_attr_id']) 77 | op.drop_column(table, 'description') 78 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/2025.1/contract/1007f519ea46_drop_v1.py: -------------------------------------------------------------------------------- 1 | # Copyright 2025 NTT DATA Group 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | # 15 | 16 | """Drop v1 17 | 18 | Revision ID: 1007f519ea46 19 | Revises: fd38cd995cc0 20 | Create Date: 2025-03-02 14:06:28.794129 21 | 22 | """ 23 | 24 | from alembic import op 25 | 26 | # revision identifiers, used by Alembic. 
27 | revision = '1007f519ea46' 28 | down_revision = 'fd38cd995cc0' 29 | 30 | 31 | def upgrade(): 32 | table_names = [ 33 | 'cisco_firewall_associations', 34 | 'firewall_router_associations', 35 | 'firewall_rules', 36 | 'firewalls', 37 | 'firewall_policies', 38 | ] 39 | for table_name in table_names: 40 | op.drop_table(table_name) 41 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/2025.1/expand/2a0d33e9ef63_add_pk_firewall_group_associations_v2.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Canonical Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | # 15 | 16 | """add pk firewall_group_associations_v2 17 | 18 | Revision ID: 2a0d33e9ef63 19 | Revises: 6941ce70131e 20 | Create Date: 2025-01-20 18:00:00.000000 21 | 22 | """ 23 | 24 | from alembic import op 25 | from sqlalchemy.engine import reflection 26 | 27 | from oslo_log import log as logging 28 | 29 | 30 | # revision identifiers, used by Alembic. 
31 | revision = '2a0d33e9ef63' 32 | down_revision = '6941ce70131e' 33 | 34 | LOG = logging.getLogger(__name__) 35 | 36 | 37 | def upgrade(): 38 | bind = op.get_bind() 39 | insp = reflection.Inspector.from_engine(bind.engine) 40 | if 'firewall_group_port_associations_v2' not in insp.get_table_names(): 41 | return 42 | pk = insp.get_pk_constraint('firewall_group_port_associations_v2') 43 | if not pk['constrained_columns']: 44 | op.create_primary_key( 45 | 'pk_firewall_group_port_associations_v2', 46 | 'firewall_group_port_associations_v2', 47 | ['firewall_group_id', 'port_id']) 48 | else: 49 | # Revision '6941ce70131e' has been updated to create the 50 | # missing PK. Depending whether the env is already deployed or 51 | # not we may or not have to add the primary key. 52 | LOG.info("The primary key in firewall_group_port_associations_v2 " 53 | "already exists, continuing.") 54 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/4202e3047e47_add_index_tenant_id.py: -------------------------------------------------------------------------------- 1 | # Copyright 2015 OpenStack Foundation 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 
14 | # 15 | 16 | """add_index_tenant_id 17 | 18 | Revision ID: 4202e3047e47 19 | Revises: start_neutron_fwaas 20 | Create Date: 2015-02-10 17:17:47.846764 21 | 22 | """ 23 | from alembic import op 24 | 25 | # revision identifiers, used by Alembic. 26 | revision = '4202e3047e47' 27 | down_revision = 'start_neutron_fwaas' 28 | 29 | TABLES = ['firewall_rules', 'firewalls', 'firewall_policies'] 30 | 31 | 32 | def upgrade(): 33 | for table in TABLES: 34 | op.create_index(op.f('ix_%s_tenant_id' % table), 35 | table, ['tenant_id'], unique=False) 36 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/540142f314f4_fwaas_router_insertion.py: -------------------------------------------------------------------------------- 1 | # Copyright 2014 OpenStack Foundation 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | # 15 | 16 | """FWaaS router insertion 17 | 18 | Revision ID: 540142f314f4 19 | Revises: 4202e3047e47 20 | Create Date: 2015-02-06 17:02:24.279337 21 | 22 | """ 23 | 24 | from alembic import op 25 | import sqlalchemy as sa 26 | from sqlalchemy.engine import reflection 27 | 28 | # revision identifiers, used by Alembic. 
revision = '540142f314f4'
down_revision = '4202e3047e47'

SQL_STATEMENT = (
    "insert into firewall_router_associations "
    "select "
    "f.id as fw_id, r.id as router_id "
    "from firewalls f, routers r "
    "where "
    "f.tenant_id=r.%s"
)


def upgrade():
    """Create firewall_router_associations and fill it from existing rows.

    The table pairs each firewall with the routers whose owner column
    matches the firewall's ``tenant_id``.
    """
    op.create_table(
        'firewall_router_associations',
        sa.Column('fw_id', sa.String(length=36), nullable=False),
        sa.Column('router_id', sa.String(length=36), nullable=False),
        sa.ForeignKeyConstraint(['fw_id'], ['firewalls.id'],
                                ondelete='CASCADE'),
        sa.ForeignKeyConstraint(['router_id'], ['routers.id'],
                                ondelete='CASCADE'),
        sa.PrimaryKeyConstraint('fw_id', 'router_id'),
    )

    # Depending on when neutron-fwaas is installed with neutron, this script
    # may be run before or after the neutron core tables have had their
    # tenant_id columns renamed to project_id. Account for both scenarios.
    inspector = reflection.Inspector.from_engine(op.get_bind())
    router_columns = [col['name'] for col in inspector.get_columns('routers')]
    if 'tenant_id' in router_columns:
        owner_column = 'tenant_id'
    else:
        owner_column = 'project_id'
    # Only one of the two literals above is ever interpolated into the
    # statement; no value read from the database or a caller reaches it.
    op.execute(SQL_STATEMENT % owner_column)

--------------------------------------------------------------------------------
/neutron_fwaas/db/migration/alembic_migrations/versions/796c68dffbb_cisco_csr_fwaas.py:
--------------------------------------------------------------------------------
# Copyright 2015 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | # 15 | 16 | """cisco_csr_fwaas 17 | 18 | Revision ID: 796c68dffbb 19 | Revises: 540142f314f4 20 | Create Date: 2015-02-02 13:11:55.184112 21 | 22 | """ 23 | 24 | from alembic import op 25 | import sqlalchemy as sa 26 | 27 | # revision identifiers, used by Alembic. 28 | revision = '796c68dffbb' 29 | down_revision = '540142f314f4' 30 | 31 | 32 | def upgrade(active_plugins=None, options=None): 33 | 34 | op.create_table('cisco_firewall_associations', 35 | sa.Column('fw_id', sa.String(length=36), nullable=False), 36 | sa.Column('port_id', sa.String(length=36), nullable=True), 37 | sa.Column('direction', sa.String( 38 | length=16), nullable=True), 39 | sa.Column('acl_id', sa.String(length=36), nullable=True), 40 | sa.Column('router_id', sa.String( 41 | length=36), nullable=True), 42 | sa.ForeignKeyConstraint(['fw_id'], ['firewalls.id'], 43 | ondelete='CASCADE'), 44 | sa.ForeignKeyConstraint(['port_id'], ['ports.id'], 45 | ondelete='CASCADE'), 46 | sa.PrimaryKeyConstraint('fw_id') 47 | ) 48 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/CONTRACT_HEAD: -------------------------------------------------------------------------------- 1 | 1007f519ea46 2 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/EXPAND_HEAD: -------------------------------------------------------------------------------- 1 | 2a0d33e9ef63 2 | 
-------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/kilo_release.py: -------------------------------------------------------------------------------- 1 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 2 | # not use this file except in compliance with the License. You may obtain 3 | # a copy of the License at 4 | # 5 | # http://www.apache.org/licenses/LICENSE-2.0 6 | # 7 | # Unless required by applicable law or agreed to in writing, software 8 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 9 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 10 | # License for the specific language governing permissions and limitations 11 | # under the License. 12 | # 13 | 14 | """kilo 15 | 16 | Revision ID: kilo 17 | Revises: 796c68dffbb 18 | Create Date: 2015-04-16 00:00:00.000000 19 | 20 | """ 21 | 22 | # revision identifiers, used by Alembic. 23 | revision = 'kilo' 24 | down_revision = '796c68dffbb' 25 | 26 | 27 | def upgrade(): 28 | """A no-op migration for marking the Kilo release.""" 29 | pass 30 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/liberty/contract/67c8e8d61d5_initial.py: -------------------------------------------------------------------------------- 1 | # Copyright 2015 Red Hat Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | # 15 | 16 | """Initial Liberty no-op script. 17 | 18 | Revision ID: 67c8e8d61d5 19 | Revises: kilo 20 | Create Date: 2015-07-28 22:18:13.330846 21 | 22 | """ 23 | 24 | from neutron.db import migration 25 | from neutron_lib.db import constants 26 | 27 | 28 | # revision identifiers, used by Alembic. 29 | revision = '67c8e8d61d5' 30 | down_revision = 'kilo' 31 | branch_labels = (constants.CONTRACT_BRANCH,) 32 | 33 | # milestone identifier, used by neutron-db-manage 34 | neutron_milestone = [migration.LIBERTY] 35 | 36 | 37 | def upgrade(): 38 | pass 39 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/liberty/expand/4b47ea298795_add_reject_rule.py: -------------------------------------------------------------------------------- 1 | # Copyright 2015 NEC Corporation. All rights reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | 15 | """add reject rule 16 | 17 | Revision ID: 4b47ea298795 18 | Revises: c40fbb377ad 19 | Create Date: 2015-04-15 04:19:57.324584 20 | 21 | """ 22 | 23 | from alembic import op 24 | from neutron.db import migration 25 | import sqlalchemy as sa 26 | 27 | 28 | # revision identifiers, used by Alembic. 
29 | revision = '4b47ea298795' 30 | down_revision = 'c40fbb377ad' 31 | 32 | # milestone identifier, used by neutron-db-manage 33 | neutron_milestone = [migration.LIBERTY, migration.MITAKA] 34 | 35 | 36 | new_action = sa.Enum('allow', 'deny', 'reject', name='firewallrules_action') 37 | 38 | 39 | def upgrade(): 40 | op.alter_column('firewall_rules', 'action', type_=new_action, 41 | nullable=True) 42 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/liberty/expand/c40fbb377ad_initial.py: -------------------------------------------------------------------------------- 1 | # Copyright 2015 Red Hat Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | # 15 | 16 | """Initial Liberty no-op script. 17 | 18 | Revision ID: c40fbb377ad 19 | Revises: kilo 20 | Create Date: 2015-07-28 22:18:13.321233 21 | 22 | """ 23 | 24 | from neutron_lib.db import constants 25 | 26 | 27 | # revision identifiers, used by Alembic. 
28 | revision = 'c40fbb377ad' 29 | down_revision = 'kilo' 30 | branch_labels = (constants.EXPAND_BRANCH,) 31 | 32 | 33 | def upgrade(): 34 | pass 35 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/mitaka/contract/458aa42b14b_fw_table_alter.py: -------------------------------------------------------------------------------- 1 | # Copyright 2015 OpenStack Foundation 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | # 15 | 16 | """fw_table_alter script to make column case sensitive 17 | 18 | Revision ID: 458aa42b14b 19 | Revises: 67c8e8d61d5 20 | Create Date: 2015-09-16 11:47:43.061649 21 | 22 | """ 23 | 24 | from alembic import op 25 | 26 | from neutron.db import migration 27 | 28 | 29 | # revision identifiers, used by Alembic. 
revision = '458aa42b14b'
down_revision = '67c8e8d61d5'

# milestone identifier, used by neutron-db-manage
neutron_milestone = [migration.MITAKA]


FW_TAB_NAME = ['firewall_rules', 'firewall_policies', 'firewalls']
SQL_STATEMENT_UPDATE_CMD = (
    "alter table %s "
    "modify name varchar(255) "
    "CHARACTER SET utf8 COLLATE utf8_bin"
)


def upgrade():
    """Switch the ``name`` column of each firewall table to utf8_bin.

    The statement is only issued when the bound dialect is MySQL; on any
    other dialect the migration does nothing.
    """
    if op.get_context().bind.dialect.name != 'mysql':
        return
    # Table names come from the FW_TAB_NAME constant above, so the
    # interpolated identifier is never caller-supplied.
    for table_name in FW_TAB_NAME:
        op.execute(SQL_STATEMENT_UPDATE_CMD % table_name)

--------------------------------------------------------------------------------
/neutron_fwaas/db/migration/alembic_migrations/versions/pike/contract/fd38cd995cc0_shared_attribute_for_firewall_resources.py:
--------------------------------------------------------------------------------
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#

"""change shared attribute for firewall resource

Revision ID: fd38cd995cc0
Revises: f83a0b2964d0
Create Date: 2017-03-31 14:22:21.063392

"""

from alembic import op
import sqlalchemy as sa

# revision identifiers, used by Alembic.
26 | revision = 'fd38cd995cc0' 27 | down_revision = 'f83a0b2964d0' 28 | depends_on = ('d6a12e637e28',) 29 | 30 | 31 | def upgrade(): 32 | op.alter_column('firewall_rules_v2', 'public', new_column_name='shared', 33 | existing_type=sa.Boolean) 34 | op.alter_column('firewall_groups_v2', 'public', new_column_name='shared', 35 | existing_type=sa.Boolean) 36 | op.alter_column('firewall_policies_v2', 'public', new_column_name='shared', 37 | existing_type=sa.Boolean) 38 | -------------------------------------------------------------------------------- /neutron_fwaas/db/migration/alembic_migrations/versions/queens/expand/876782258a43_create_default_firewall_groups_table.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017 FUJITSU LIMITED 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | # 15 | 16 | """create_default_firewall_groups_table 17 | 18 | Revision ID: 876782258a43 19 | Revises: d6a12e637e28 20 | Create Date: 2017-01-26 23:47:42.795504 21 | 22 | """ 23 | 24 | from alembic import op 25 | from neutron_lib.db import constants as db_constants 26 | from neutron_lib import exceptions 27 | import sqlalchemy as sa 28 | 29 | from neutron_fwaas._i18n import _ 30 | from neutron_fwaas.common import fwaas_constants as const 31 | from neutron_fwaas.common import resources 32 | 33 | # revision identifiers, used by Alembic. 
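revision = '876782258a43'
down_revision = 'd6a12e637e28'


class DuplicateDefaultFirewallGroup(exceptions.Conflict):
    """Raised by check_sanity when a group named DEFAULT_FWG already exists."""
    message = _("Duplicate Firewall group found named '%s'. "
                "Database cannot be upgraded. Please, remove all duplicates "
                "before upgrading the database.") % const.DEFAULT_FWG


def upgrade():
    """Create the default_firewall_groups table, keyed by project_id."""
    op.create_table(
        'default_firewall_groups',
        sa.Column('project_id',
                  sa.String(length=db_constants.PROJECT_ID_FIELD_SIZE),
                  nullable=False),
        sa.Column('firewall_group_id',
                  sa.String(length=db_constants.UUID_FIELD_SIZE),
                  nullable=False),
        sa.PrimaryKeyConstraint('project_id'),
        sa.ForeignKeyConstraint(['firewall_group_id'],
                                ['firewall_groups_v2.id'], ondelete="CASCADE"))


def check_sanity(connection):
    """Refuse the upgrade when a group named DEFAULT_FWG is already stored.

    Returns an empty list when the firewall_groups_v2 table does not exist.

    Raises:
        DuplicateDefaultFirewallGroup: a firewall group with that name exists.
    """
    # check for already existing firewall groups with name == DEFAULT_FWG
    insp = sa.engine.reflection.Inspector.from_engine(connection)
    if 'firewall_groups_v2' not in insp.get_table_names():
        return []
    session = sa.orm.Session(bind=connection)
    default_fwg = session.query(resources.FIREWALL_GROUP.name).filter(
        resources.FIREWALL_GROUP.name == const.DEFAULT_FWG).first()
    if default_fwg:
        raise DuplicateDefaultFirewallGroup()

--------------------------------------------------------------------------------
/neutron_fwaas/db/migration/alembic_migrations/versions/queens/expand/f24e0d5e5bff_uniq_firewallgroupportassociation0port.py:
--------------------------------------------------------------------------------
# Copyright 2017 Fujitsu Limited
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#

"""uniq_firewallgroupportassociation0port

Revision ID: f24e0d5e5bff
Revises: 876782258a43
Create Date: 2017-11-08 15:55:40.990272

"""

from alembic import op
from neutron_lib import exceptions
import sqlalchemy as sa

from neutron._i18n import _

# revision identifiers, used by Alembic.
revision = 'f24e0d5e5bff'
down_revision = '876782258a43'


# Lightweight table definition used only to query port_id values below.
fwg_port_association = sa.Table(
    'firewall_group_port_associations_v2', sa.MetaData(),
    sa.Column('firewall_group_id', sa.String(36)),
    sa.Column('port_id', sa.String(36)))


class DuplicatePortRecordinFirewallGroupPortAssociation(exceptions.Conflict):
    """Raised by check_sanity when a port_id appears in more than one row."""
    # Each fragment ends with a space: adjacent literals are concatenated
    # as-is, and without it the operator-facing text ran words together
    # ("exist infirewall_group_...", "cannotbe", "beforeupgrading").
    message = _("Duplicate port(s) %(port_id)s records exist in "
                "firewall_group_port_associations_v2 table. Database cannot "
                "be upgraded. Please remove all duplicated records before "
                "upgrading the database.")


def upgrade():
    """Add a unique constraint on port_id to the port-association table."""
    op.create_unique_constraint(
        'uniq_firewallgroupportassociation0port_id',
        'firewall_group_port_associations_v2',
        ['port_id'])


def check_sanity(connection):
    """Refuse the upgrade while duplicated port_id rows exist.

    Raises:
        DuplicatePortRecordinFirewallGroupPortAssociation: at least one
            port_id occurs more than once; the ids are joined with commas
            in the message.
    """
    duplicated_port_ids = (
        get_duplicate_port_records_in_fwg_port_association(connection))
    if duplicated_port_ids:
        raise DuplicatePortRecordinFirewallGroupPortAssociation(
            port_id=",".join(duplicated_port_ids))


def get_duplicate_port_records_in_fwg_port_association(connection):
    """Return the port_id values that occur more than once in the table.

    Returns an empty list when the table does not exist.
    """
    insp = sa.engine.reflection.Inspector.from_engine(connection)
    if 'firewall_group_port_associations_v2' not in insp.get_table_names():
        return []
    session = sa.orm.Session(bind=connection)
    query = (session.query(fwg_port_association.c.port_id)
             .group_by(fwg_port_association.c.port_id)
             .having(sa.func.count() > 1)).all()
    return [q[0] for q in query]

--------------------------------------------------------------------------------
/neutron_fwaas/db/migration/alembic_migrations/versions/start_neutron_fwaas.py:
--------------------------------------------------------------------------------
# Copyright 2014 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.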
14 | # 15 | 16 | """start neutron-fwaas chain 17 | 18 | Revision ID: start_neutron_fwaas 19 | Revises: None 20 | Create Date: 2014-12-09 18:42:08.262632 21 | 22 | """ 23 | 24 | # revision identifiers, used by Alembic. 25 | revision = 'start_neutron_fwaas' 26 | down_revision = None 27 | 28 | 29 | def upgrade(): 30 | pass 31 | -------------------------------------------------------------------------------- /neutron_fwaas/db/models/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/db/models/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/db/models/head.py: -------------------------------------------------------------------------------- 1 | # Licensed under the Apache License, Version 2.0 (the "License"); 2 | # you may not use this file except in compliance with the License. 3 | # You may obtain a copy of the License at 4 | # 5 | # http://www.apache.org/licenses/LICENSE-2.0 6 | # 7 | # Unless required by applicable law or agreed to in writing, software 8 | # distributed under the License is distributed on an "AS IS" BASIS, 9 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 10 | # See the License for the specific language governing permissions and 11 | # limitations under the License. 
12 | 13 | from neutron_lib.db import model_base 14 | 15 | 16 | def get_metadata(): 17 | return model_base.BASEV2.metadata 18 | -------------------------------------------------------------------------------- /neutron_fwaas/extensions/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/extensions/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/extensions/firewall_v2_stdattrs.py: -------------------------------------------------------------------------------- 1 | # Copyright 2023 EasyStack Limited 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | 15 | from neutron_lib.api.definitions import firewall_v2_stdattrs as apidef 16 | from neutron_lib.api import extensions 17 | 18 | 19 | class Standard_attr_fwaas(extensions.APIExtensionDescriptor): 20 | api_definition = apidef 21 | -------------------------------------------------------------------------------- /neutron_fwaas/opts.py: -------------------------------------------------------------------------------- 1 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 2 | # not use this file except in compliance with the License. 
You may obtain 3 | # a copy of the License at 4 | # 5 | # http://www.apache.org/licenses/LICENSE-2.0 6 | # 7 | # Unless required by applicable law or agreed to in writing, software 8 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 9 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 10 | # License for the specific language governing permissions and limitations 11 | # under the License. 12 | 13 | import neutron.conf.services.provider_configuration 14 | 15 | import neutron_fwaas.services.firewall.service_drivers.agents.\ 16 | firewall_agent_api 17 | import neutron_fwaas.extensions.firewall_v2 18 | 19 | 20 | def list_agent_opts(): 21 | return [ 22 | ('fwaas', 23 | neutron_fwaas.services.firewall.service_drivers.agents. 24 | firewall_agent_api.FWaaSOpts), 25 | ] 26 | 27 | 28 | def list_opts(): 29 | return [ 30 | ('quotas', 31 | neutron_fwaas.extensions.firewall_v2.firewall_quota_opts), 32 | ('service_providers', 33 | neutron.conf.services.provider_configuration.serviceprovider_opts), 34 | ('default_fwg_rules', 35 | neutron_fwaas.extensions.firewall_v2.default_fwg_rules_opts), 36 | ] 37 | -------------------------------------------------------------------------------- /neutron_fwaas/policies/__init__.py: -------------------------------------------------------------------------------- 1 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 2 | # not use this file except in compliance with the License. You may obtain 3 | # a copy of the License at 4 | # 5 | # http://www.apache.org/licenses/LICENSE-2.0 6 | # 7 | # Unless required by applicable law or agreed to in writing, software 8 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 9 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 10 | # License for the specific language governing permissions and limitations 11 | # under the License. 

import itertools

from neutron_fwaas.policies import firewall_group
from neutron_fwaas.policies import firewall_policy
from neutron_fwaas.policies import firewall_rule


def list_rules():
    """Chain the rules listed by the group, policy and rule modules."""
    rule_sets = (
        firewall_group.list_rules(),
        firewall_policy.list_rules(),
        firewall_rule.list_rules(),
    )
    return itertools.chain(*rule_sets)

--------------------------------------------------------------------------------
/neutron_fwaas/privileged/__init__.py:
--------------------------------------------------------------------------------
# Copyright (c) 2017 Thales Services SAS
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context

# It is expected that most (if not all) neutron-fwaas operations can be
# executed with these privileges.
#
# NOTE(review): both capabilities below are attached to this one context, so
# any function registered through ``default.entrypoint`` gets CAP_SYS_ADMIN
# as well as CAP_NET_ADMIN. Keep entrypoints on this context small and keep
# their arguments narrow until the split mentioned in the TODO is done.
default = priv_context.PrivContext(
    __name__,
    cfg_section='privsep',
    pypath=__name__ + '.default',
    # TODO(gus): CAP_SYS_ADMIN is required (only?) for manipulating
    # network namespaces. SYS_ADMIN is a lot of scary powers, so
    # consider breaking this out into a separate minimal context.
    capabilities=[c.CAP_SYS_ADMIN, c.CAP_NET_ADMIN],
)

--------------------------------------------------------------------------------
/neutron_fwaas/privileged/netfilter_log/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/privileged/netfilter_log/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/privileged/netlink_constants.py:
--------------------------------------------------------------------------------
# Copyright (c) 2017 Fujitsu Limited
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
15 | # 16 | # Some parts are based on python-conntrack: 17 | # Copyright (c) 2009-2011,2015 Andrew Grigorev 18 | # 19 | # Permission is hereby granted, free of charge, to any person obtaining a copy 20 | # of this software and associated documentation files (the "Software"), to deal 21 | # in the Software without restriction, including without limitation the rights 22 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 23 | # copies of the Software, and to permit persons to whom the Software is 24 | # furnished to do so, subject to the following conditions: 25 | # 26 | # The above copyright notice and this permission notice shall be included in 27 | # all copies or substantial portions of the Software. 28 | # 29 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 30 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 31 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 32 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 33 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 34 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 35 | # THE SOFTWARE. 
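#

import socket


CONNTRACK = 0

NFCT_O_PLAIN = 0

NFCT_OF_TIME_BIT = 1
NFCT_OF_TIME = 1 << NFCT_OF_TIME_BIT

NFCT_Q_DESTROY = 2
NFCT_Q_FLUSH = 4
NFCT_Q_DUMP = 5

ATTR_IPV4_SRC = 0
ATTR_IPV4_DST = 1
ATTR_IPV6_SRC = 4
ATTR_IPV6_DST = 5
ATTR_PORT_SRC = 8
ATTR_PORT_DST = 9
ATTR_ICMP_TYPE = 12
ATTR_ICMP_CODE = 13
ATTR_ICMP_ID = 14
ATTR_L3PROTO = 15
ATTR_L4PROTO = 17

# Message-type bits. NFCT_T_DESTROY_BIT / NFCT_T_DESTROY used to be assigned
# a second time next to the NFCT_Q_* values with the same numbers; they are
# now defined once, here, so the two copies cannot drift apart.
NFCT_T_NEW_BIT = 0
NFCT_T_NEW = 1 << NFCT_T_NEW_BIT
NFCT_T_UPDATE_BIT = 1
NFCT_T_UPDATE = 1 << NFCT_T_UPDATE_BIT
NFCT_T_DESTROY_BIT = 2
NFCT_T_DESTROY = 1 << NFCT_T_DESTROY_BIT

NFCT_T_ALL = NFCT_T_NEW | NFCT_T_UPDATE | NFCT_T_DESTROY

NFCT_CB_CONTINUE = 1
NFCT_CB_FAILURE = -1

NFNL_SUBSYS_CTNETLINK = 0

BUFFER = 1024
# IPv6 address memory buffer
ADDR_BUFFER_6 = 16
ADDR_BUFFER_4 = 4

# Lookup tables keyed by IP version (4 or 6).
IPVERSION_SOCKET = {4: socket.AF_INET, 6: socket.AF_INET6}
IPVERSION_BUFFER = {4: ADDR_BUFFER_4, 6: ADDR_BUFFER_6}

--------------------------------------------------------------------------------
/neutron_fwaas/privileged/tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/privileged/tests/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/privileged/tests/functional/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/privileged/tests/functional/__init__.py
--------------------------------------------------------------------------------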
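/neutron_fwaas/privileged/tests/functional/dummy.py:
--------------------------------------------------------------------------------
# Copyright (c) 2017 Thales Services SAS
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from oslo_utils import uuidutils
from pyroute2 import netns as pynetns

from neutron_fwaas import privileged


# TODO(cby): move this method in neutron.tests.functional.privileged associated
# to a new privsep context.
@privileged.default.entrypoint
def dummy():
    """This method aim is to validate that we can use privsep in functests."""
    namespace = 'dummy-%s' % uuidutils.generate_uuid()
    pynetns.create(namespace)
    pynetns.remove(namespace)

--------------------------------------------------------------------------------
/neutron_fwaas/privileged/tests/functional/utils.py:
--------------------------------------------------------------------------------
# Copyright (c) 2017 Thales Services SAS
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import pyroute2

from neutron_fwaas import privileged
from neutron_fwaas.privileged import utils


def _get_ifname(link):
    """Return the IFLA_IFNAME attribute of one link message."""
    attr_dict = dict(link['attrs'])
    return attr_dict['IFLA_IFNAME']


def list_interface_names():
    """Return the interface names visible in the current network namespace."""
    # The context manager closes the netlink socket. This helper is called
    # three times per get_in_namespace_interfaces() call inside the privsep
    # daemon, so an unclosed IPRoute would accumulate open sockets there.
    with pyroute2.IPRoute() as iproute:
        result = iproute.get_links()
    return [_get_ifname(link) for link in result]


@privileged.default.entrypoint
def get_in_namespace_interfaces(namespace):
    """List interfaces before, inside and after entering ``namespace``.

    Returns a ``(before, inside, after)`` tuple of interface-name lists.
    """
    before = list_interface_names()
    with utils.in_namespace(namespace):
        inside = list_interface_names()
    after = list_interface_names()
    return before, inside, after

--------------------------------------------------------------------------------
/neutron_fwaas/privileged/utils.py:
--------------------------------------------------------------------------------
# Copyright (c) 2017 Thales Services SAS
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.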
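
import contextlib
import os

from oslo_log import log as logging
from pyroute2 import netns as pynetns

from neutron_fwaas._i18n import _


PROCESS_NETNS = '/proc/self/ns/net'

LOG = logging.getLogger(__name__)


class BackInNamespaceExit(SystemExit):
    """Raised if we fail to move the process back to its original namespace.

    It derives from SystemExit, so it is not caught by ``except Exception``
    handlers further up the stack.
    """


@contextlib.contextmanager
def in_namespace(namespace):
    """Move the current process into a specific network namespace.

    This context manager moves the current process into *namespace* and, on
    exit, moves it back into the namespace it started in. If moving back
    fails, BackInNamespaceExit is raised so the process does not keep
    running in the wrong namespace. A falsy *namespace* makes this a no-op.

    :param namespace: namespace name passed to pyroute2's setns(), or a
        falsy value to stay in the current namespace.
    :raises BackInNamespaceExit: if the original namespace cannot be
        re-entered.
    """
    if not namespace:
        yield
        return

    # Keep a handle on the namespace we start in so we can return to it.
    org_netns_fd = os.open(PROCESS_NETNS, os.O_RDONLY)
    try:
        pynetns.setns(namespace)
        try:
            yield
        finally:
            try:
                # NOTE(cby): the only case where this code is not executed
                # is a failure to move into the target namespace
                pynetns.setns(org_netns_fd)
            except Exception as e:
                msg = _('Failed to move back in original netns: %s') % e
                LOG.critical(msg)
                raise BackInNamespaceExit(msg)
    finally:
        # Release the descriptor on every path, including a failed move
        # into the target namespace. Without this each call would leave one
        # descriptor open in a process that may be long-lived.
        os.close(org_netns_fd)

# --------------------------------------------------------------------------------
# /neutron_fwaas/services/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/__init__.py
# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/firewall/__init__.py
# --------------------------------------------------------------------------------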
# /neutron_fwaas/services/firewall/service_drivers/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/firewall/service_drivers/__init__.py
# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/firewall/service_drivers/agents/__init__.py
# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/drivers/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/firewall/service_drivers/agents/drivers/__init__.py
# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/drivers/conntrack_base.py:
# --------------------------------------------------------------------------------
# Copyright (c) 2017 Fujitsu Limited
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import abc


from neutron_lib.utils import runtime
from oslo_config import cfg
from oslo_log import log as logging
from oslo_utils import excutils

LOG = logging.getLogger(__name__)


def load_and_init_conntrack_driver(*args, **kwargs):
    """Load, instantiate and initialize the configured conntrack driver.

    The driver is named by the ``conntrack_driver`` option of the ``fwaas``
    config group and looked up in the
    'neutron.agent.l3.firewall_drivers' namespace. All positional and keyword
    arguments are forwarded to the driver's initialize().

    :returns: the initialized driver instance.
    :raises ImportError: if the driver cannot be loaded; the failure is
        logged first.
    """
    # The option value selects which class is imported and instantiated, so
    # whoever can edit this configuration chooses code that runs in this
    # process. Keep the configuration file writable by the operator only.
    driver = cfg.CONF.fwaas.conntrack_driver
    try:
        conntrack_driver_cls = runtime.load_class_by_alias_or_classname(
            'neutron.agent.l3.firewall_drivers', driver)
    except ImportError:
        # Log with traceback, then let the original ImportError propagate.
        with excutils.save_and_reraise_exception():
            LOG.exception("Driver '%s' not found.", driver)
    conntrack_driver = conntrack_driver_cls()
    conntrack_driver.initialize(*args, **kwargs)
    return conntrack_driver


class ConntrackDriverBase(metaclass=abc.ABCMeta):
    """Base Driver for Conntrack"""

    @abc.abstractmethod
    def initialize(self, *args, **kwargs):
        """Initialize the driver"""

    @abc.abstractmethod
    def delete_entries(self, rules, namespace):
        """Delete conntrack entries specified by list of rules"""

    @abc.abstractmethod
    def flush_entries(self, namespace):
        """Delete all conntrack entries within namespace"""

# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/drivers/fwaas_base_v2.py:
# --------------------------------------------------------------------------------
# Copyright (c) 2016
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import abc


class FwaasDriverBase(metaclass=abc.ABCMeta):
    """Firewall as a Service Driver base class.

    Using FwaasDriver Class, an instance of L3 perimeter Firewall
    can be created. The firewall co-exists with the L3 agent.

    One instance is created for each tenant. One firewall policy
    is associated with each tenant (in the Havana release).

    The Firewall can be visualized as having two zones (in Havana
    release), trusted and untrusted.

    All the 'internal' interfaces of Neutron Router are treated as trusted.
    The interface connected to 'external network' is treated as untrusted.

    The policy is applied on traffic ingressing/egressing interfaces on
    the trusted zone. This implies that policy will be applied for traffic
    passing from

      - trusted to untrusted zones
      - untrusted to trusted zones
      - trusted to trusted zones

    Policy WILL NOT be applied for traffic from untrusted to untrusted zones.
    This is not a problem in Havana release as there is only one interface
    connected to external network.

    Since the policy is applied on the internal interfaces, the traffic
    will not be NATed to floating IP. For incoming traffic, the
    traffic will get NATed to internal IP address before it hits
    the firewall rules. So, while writing the rules, care should be
    taken if using rules based on floating IP.

    The firewall rule addition/deletion/insertion/update are done by the
    management console. When the policy is sent to the driver, the complete
    policy is sent and the whole policy has to be applied atomically. The
    firewall rules will not get updated individually. This is to avoid problems
    related to out-of-order notifications or inconsistent behaviour by partial
    application of rules. Argument agent_mode indicates the l3 agent in DVR or
    DVR_SNAT or LEGACY mode.
    """
    # All four methods are abstract: a concrete driver must implement each
    # one before it can be instantiated.
    @abc.abstractmethod
    def create_firewall_group(self, agent_mode, apply_list, firewall):
        """Create the Firewall with default (drop all) policy.

        The default policy will be applied on all the interfaces of
        trusted zone.
        """
        pass

    @abc.abstractmethod
    def delete_firewall_group(self, agent_mode, apply_list, firewall):
        """Delete firewall.

        Removes all policies created by this instance and frees up
        all the resources.
        """
        pass

    @abc.abstractmethod
    def update_firewall_group(self, agent_mode, apply_list, firewall):
        """Apply the policy on all trusted interfaces.

        Remove previous policy and apply the new policy on all trusted
        interfaces.
        """
        pass

    @abc.abstractmethod
    def apply_default_policy(self, agent_mode, apply_list, firewall):
        """Apply the default policy on all trusted interfaces.

        Remove current policy and apply the default policy on all trusted
        interfaces.
        """
        pass

# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/__init__.py
# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/__init__.py
# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/driver_base.py:
# --------------------------------------------------------------------------------
# Copyright (C) 2017 Fujitsu Limited
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import abc
import contextlib


class FirewallL2DriverBase(metaclass=abc.ABCMeta):
    """Abstract firewall L2 driver base

    No method here is decorated with abc.abstractmethod, so ABCMeta does not
    stop a subclass from being instantiated when it leaves methods out. The
    three *_firewall_group methods raise NotImplementedError only when they
    are called; the remaining methods default to doing nothing.
    """

    def __init__(self, integration_bridge, sg_enabled=False):
        # Both arguments are accepted and ignored by the base class.
        pass

    def filter_defer_apply_on(self):
        """Defer application of filtering rule."""
        pass

    def filter_defer_apply_off(self):
        """Turn off deferral of rules and apply the rules now."""
        pass

    @property
    def ports(self):
        """Returns filtered ports."""
        # The base implementation returns None.
        pass

    @contextlib.contextmanager
    def defer_apply(self):
        """Defer apply context."""
        self.filter_defer_apply_on()
        try:
            yield
        finally:
            # Deferral is always switched off again, even when the body of
            # the with-block raised.
            self.filter_defer_apply_off()

    def create_firewall_group(self, ports, firewall_group):
        """Called when a firewall group is created.
        """
        raise NotImplementedError()

    def update_firewall_group(self, ports, firewall_group):
        """Called when a firewall group is updated.
        """
        raise NotImplementedError()

    def delete_firewall_group(self, ports, firewall_group):
        """Called when a firewall group is deleted.
        """
        raise NotImplementedError()

# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/noop/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/noop/__init__.py
# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/noop/noop_driver.py:
# --------------------------------------------------------------------------------
# Copyright (C) 2017 Fujitsu Limited
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_log import helpers as log_helpers

from neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2\
    import driver_base


class NoopFirewallL2Driver(driver_base.FirewallL2DriverBase):
    """L2 firewall driver that accepts every call and programs nothing.

    Every method body is empty, so the only effect of a call is the log
    entry produced by the log_method_call decorator. With this driver
    selected, firewall group operations complete without any filtering
    being applied to the ports involved.
    """

    @log_helpers.log_method_call
    def create_firewall_group(self, ports, firewall_group):
        pass

    @log_helpers.log_method_call
    def update_firewall_group(self, ports, firewall_group):
        pass

    @log_helpers.log_method_call
    def delete_firewall_group(self, ports, firewall_group):
        pass

    # The two methods below are not declared on FirewallL2DriverBase.
    @log_helpers.log_method_call
    def process_trusted_ports(self, ports):
        pass

    @log_helpers.log_method_call
    def remove_trusted_ports(self, port_ids):
        pass

# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/__init__.py:
# --------------------------------------------------------------------------------
# Copyright 2015
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.
15 | 16 | from neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.\ 17 | openvswitch_firewall import firewall 18 | 19 | OVSFirewallDriver = firewall.OVSFirewallDriver 20 | -------------------------------------------------------------------------------- /neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/constants.py: -------------------------------------------------------------------------------- 1 | # Copyright 2015 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 

from neutron_lib import constants


# Connection-tracking state match strings in Open vSwitch ct_state notation:
# "+flag" requires the flag to be set, "-flag" requires it to be clear.
OF_STATE_NOT_TRACKED = "-trk"
OF_STATE_TRACKED = "+trk"
OF_STATE_NEW_NOT_ESTABLISHED = "+new-est"
OF_STATE_NOT_ESTABLISHED = "-est"
OF_STATE_ESTABLISHED = "+est"
OF_STATE_ESTABLISHED_NOT_REPLY = "+est-rel-rpl"
OF_STATE_ESTABLISHED_REPLY = "+est-rel+rpl"
OF_STATE_RELATED = "-new-est+rel-inv"
OF_STATE_INVALID = "+trk+inv"
OF_STATE_NEW = "+new"
OF_STATE_NOT_REPLY_NOT_NEW = "-new-rpl"

# Conntrack mark values, kept as hex strings.
CT_MARK_NORMAL = '0x0'
CT_MARK_INVALID = '0x1'

# NOTE(review): presumably OpenFlow register numbers carrying the port and
# network identifiers; verify against the flow-building code.
REG_PORT = 5
REG_NET = 6

FW_BASE_EGRESS_TABLE = 64
FW_RULES_EGRESS_TABLE = 65
FW_ACCEPT_OR_INGRESS_TABLE = 66
FW_BASE_INGRESS_TABLE = 68
FW_RULES_INGRESS_TABLE = 69

# Every table number defined above, as one tuple.
OVS_FIREWALL_TABLES = (
    FW_BASE_EGRESS_TABLE,
    FW_RULES_EGRESS_TABLE,
    FW_ACCEPT_OR_INGRESS_TABLE,
    FW_BASE_INGRESS_TABLE,
    FW_RULES_INGRESS_TABLE,
)

PROTOCOLS_WITH_PORTS = (constants.PROTO_NAME_SCTP,
                        constants.PROTO_NAME_TCP,
                        constants.PROTO_NAME_UDP)

# Only map protocols that need special handling
# (IP protocol number -> protocol name, for the port-carrying protocols).
REVERSE_IP_PROTOCOL_MAP_WITH_PORTS = {
    constants.IP_PROTOCOL_MAP[proto]: proto for proto in
    PROTOCOLS_WITH_PORTS}

ethertype_to_dl_type_map = {
    constants.IPv4: constants.ETHERTYPE_IP,
    constants.IPv6: constants.ETHERTYPE_IPV6,
}

# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/exceptions.py:
# --------------------------------------------------------------------------------
# Copyright 2016, Red Hat, Inc.
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from neutron_lib import exceptions

from neutron_fwaas._i18n import _


class OVSFWaaSPortNotFound(exceptions.NeutronException):
    """The given port is not managed by this agent.

    The message template expects a ``port_id`` value.
    """
    message = _("Port %(port_id)s is not managed by this agent.")


class OVSFWaaSTagNotFound(exceptions.NeutronException):
    """No VLAN tag could be obtained for the given port.

    The message template expects a ``port_id`` value.
    """
    message = _("Cannot get vlan tag for port %(port_id)s.")

# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/firewall_agent_api.py:
# --------------------------------------------------------------------------------
# Copyright (c) 2013 OpenStack Foundation
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from neutron_lib import rpc as n_rpc
from oslo_config import cfg
import oslo_messaging

from neutron_fwaas._i18n import _


FWAAS_V1 = "v1"
FWAAS_V2 = "v2"
FW_L2_NOOP_DRIVER = 'noop'

# Options of the [fwaas] config group. Defaults worth knowing when
# reviewing a deployment: FWaaS is disabled ('enabled' is False), no L3
# driver is named ('driver' is empty), and the L2 driver name is 'noop'.
# NOTE(review): if 'noop' resolves to a driver that programs no rules,
# L2 firewall groups are accepted but not enforced until an operator
# selects another driver; confirm the alias mapping in the package's
# entry points.
FWaaSOpts = [
    cfg.StrOpt(
        'driver',
        default='',
        help=_("Name of the FWaaS Driver")),
    cfg.BoolOpt(
        'enabled',
        default=False,
        help=_("Enable FWaaS")),
    cfg.StrOpt(
        'agent_version',
        default=FWAAS_V2,
        help=_("Firewall agent class")),
    cfg.StrOpt(
        'conntrack_driver',
        default='conntrack',
        help=_("Name of the FWaaS Conntrack Driver")),
    cfg.StrOpt(
        'firewall_l2_driver',
        default=FW_L2_NOOP_DRIVER,
        help=_("Name of the firewall l2 driver")
    )
]
# Import-time side effect: registers the options on the global CONF object.
cfg.CONF.register_opts(FWaaSOpts, 'fwaas')


class FWaaSPluginApiMixin:
    """Agent side of the FWaaS agent to FWaaS Plugin RPC API."""

    def __init__(self, topic, host):
        """Store the host and build an RPC client for *topic*.

        :param topic: messaging topic of the RPC target (version '1.0').
        :param host: value sent as ``host`` with every call made below.
        """
        # NOTE(annp): Mixin class should call super
        super().__init__()

        self.host = host
        target = oslo_messaging.Target(topic=topic, version='1.0')
        self.client = n_rpc.get_client(target)

    def set_firewall_status(self, context, firewall_id, status):
        """Make a RPC to set the status of a firewall."""
        # call() waits for the reply and returns it to the caller.
        cctxt = self.client.prepare()
        return cctxt.call(context, 'set_firewall_status', host=self.host,
                          firewall_id=firewall_id, status=status)

    def firewall_deleted(self, context, firewall_id):
        """Make a RPC to indicate that the firewall resources are deleted."""
        cctxt = self.client.prepare()
        return cctxt.call(context, 'firewall_deleted', host=self.host,
                          firewall_id=firewall_id)


class FWaaSAgentRpcCallbackMixin:
    """Mixin for FWaaS agent Implementations."""

    def __init__(self, host):
        # Forwards host to the next class in the MRO, which therefore has
        # to accept one positional argument.

        super().__init__(host)

    # The three handlers below are no-op defaults.
    def create_firewall(self, context, firewall, host):
        """Handle RPC cast from plugin to create a firewall."""
        pass

    def update_firewall(self, context, firewall, host):
        """Handle RPC cast from plugin to update a firewall."""
        pass

    def delete_firewall(self, context, firewall, host):
        """Handle RPC cast from plugin to delete a firewall."""
        pass

# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/firewall_service.py:
# --------------------------------------------------------------------------------
# Copyright 2014 OpenStack Foundation.
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from neutron.services import provider_configuration as provconf
from oslo_config import cfg
from oslo_log import log as logging
from oslo_utils import importutils

from neutron_fwaas._i18n import _

LOG = logging.getLogger(__name__)

FIREWALL_DRIVERS = 'firewall_drivers'


class FirewallService:
    """Firewall Service observer."""

    def load_device_drivers(self):
        """Loads a single device driver for FWaaS.

        The driver is selected by the ``driver`` option of the ``fwaas``
        config group, resolved through get_provider_driver_class(), then
        imported and instantiated without arguments.

        :returns: the driver instance.
        :raises ImportError: if the driver cannot be imported.
        :raises ValueError: if import_object() raises ValueError, which is
            reported as a missing device_driver setting.
        """
        # The option value decides which class is imported and instantiated
        # in this process, so the configuration file should be writable by
        # the operator only.
        device_driver = provconf.get_provider_driver_class(
            cfg.CONF.fwaas.driver, FIREWALL_DRIVERS)
        try:
            driver = importutils.import_object(device_driver)
            LOG.debug('Loaded FWaaS device driver: %s', device_driver)
            return driver
        except ImportError:
            # Re-raised with a translated message naming the driver.
            msg = _('Error importing FWaaS device driver: %s')
            raise ImportError(msg % device_driver)
        except ValueError:
            msg = _('Configuration error - no FWaaS device_driver specified')
            raise ValueError(msg)

# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/l2/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/firewall/service_drivers/agents/l2/__init__.py
# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/agents/l3reference/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/firewall/service_drivers/agents/l3reference/__init__.py
# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/ovn/__init__.py:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/firewall/service_drivers/ovn/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/services/firewall/service_drivers/ovn/constants.py: -------------------------------------------------------------------------------- 1 | # Copyright 2022 EasyStack, Inc. 2 | # All rights reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 

from neutron_lib import constants as const

# Keys that tie an OVN object back to the Neutron firewall group or
# firewall rule id.
OVN_FWG_EXT_ID_KEY = 'neutron:firewall_group_id'
OVN_FWR_EXT_ID_KEY = 'neutron:firewall_rule_id'
ACL_ACTION_DROP = 'drop'
ACL_ACTION_REJECT = 'reject'
ACL_ACTION_ALLOW_STATELESS = 'allow-stateless'
ACL_ACTION_ALLOW = 'allow'
# Ingress and egress ACLs share one priority, which is higher than the
# priority of the default ACLs.
# NOTE(review): presumably so that explicit rules take precedence over the
# default drop; confirm where the ACLs are built.
ACL_PRIORITY_INGRESS = 2000
ACL_PRIORITY_EGRESS = 2000
ACL_PRIORITY_DEFAULT = 1001
OP_ADD = 'add'
OP_DEL = 'del'
OP_MOD = 'mod'
DEFAULT_RULE = 'is_default'
DEFAULT_RULE_ID = 'default_rule'

# Drop acls of ipv4 or ipv6 with two directions, so number of
# default acls is 4
DEFAULT_ACL_NUM = 4

# Group of transport protocols supported
TRANSPORT_PROTOCOLS = (const.PROTO_NAME_TCP,
                       const.PROTO_NAME_UDP,
                       const.PROTO_NAME_SCTP)

# Group of versions of the ICMP protocol supported
ICMP_PROTOCOLS = (const.PROTO_NAME_ICMP,
                  const.PROTO_NAME_IPV6_ICMP)

# --------------------------------------------------------------------------------
# /neutron_fwaas/services/firewall/service_drivers/ovn/exceptions.py:
# --------------------------------------------------------------------------------
# Copyright 2022 EasyStack, Inc.
# All rights reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

# NOTE(review): the translation helper comes from neutron._i18n here, while
# other modules of this package import it from neutron_fwaas._i18n; confirm
# which one is intended.
from neutron._i18n import _
from neutron_lib import exceptions as n_exc


class MechanismDriverNotFound(n_exc.NotFound):
    """None of the supported mechanism drivers was found.

    The message template expects ``mechanism_drivers``.
    """
    message = _("None of the supported mechanism drivers found: "
                "%(mechanism_drivers)s. Check your configuration.")


class ProtocolNotSupported(n_exc.NeutronException):
    """The requested protocol is not supported.

    The message template expects ``protocol`` and ``valid_protocols``.
    """
    message = _('The protocol "%(protocol)s" is not supported. Valid '
                'protocols are: %(valid_protocols)s; or protocol '
                'numbers ranging from 0 to 255.')


class OperatorNotSupported(n_exc.NeutronException):
    """The requested operator is not supported.

    The message template expects ``operator`` and ``valid_operators``.
    """
    message = _('The operator "%(operator)s" is not supported. Valid '
                'operators are: %(valid_operators)s.')

# --------------------------------------------------------------------------------
# /neutron_fwaas/services/logapi/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/logapi/__init__.py
# --------------------------------------------------------------------------------
# /neutron_fwaas/services/logapi/agents/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/logapi/agents/__init__.py
# --------------------------------------------------------------------------------
# /neutron_fwaas/services/logapi/agents/drivers/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/logapi/agents/drivers/__init__.py
# --------------------------------------------------------------------------------
# /neutron_fwaas/services/logapi/agents/drivers/iptables/__init__.py:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/logapi/agents/drivers/iptables/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/services/logapi/agents/drivers/iptables/driver.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Fujitsu Limited. 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 
15 | 16 | from neutron.services.logapi.drivers import base 17 | from neutron.services.logapi.drivers import manager 18 | from neutron_lib.callbacks import resources 19 | from neutron_lib.services.logapi import constants as log_const 20 | from oslo_log import log as logging 21 | from oslo_utils import importutils 22 | 23 | from neutron_fwaas.common import fwaas_constants 24 | from neutron_fwaas.services.logapi.common import fwg_callback 25 | from neutron_fwaas.services.logapi.common import port_callback 26 | from neutron_fwaas.services.logapi import constants as fw_const 27 | from neutron_fwaas.services.logapi.rpc import log_server as rpc_server 28 | 29 | LOG = logging.getLogger(__name__) 30 | 31 | DRIVER = None 32 | 33 | SUPPORTED_LOGGING_TYPES = [fw_const.FIREWALL_GROUP] 34 | 35 | 36 | class IptablesLoggingDriver(base.DriverBase): 37 | 38 | @staticmethod 39 | def create(): 40 | return IptablesLoggingDriver( 41 | name='iptables', 42 | vif_types=[], 43 | vnic_types=[], 44 | supported_logging_types=SUPPORTED_LOGGING_TYPES, 45 | requires_rpc=True) 46 | 47 | 48 | def register(): 49 | """Register iptables-based logging driver for FWaaS.""" 50 | 51 | global DRIVER 52 | if not DRIVER: 53 | DRIVER = IptablesLoggingDriver.create() 54 | # Register RPC methods 55 | if DRIVER.requires_rpc: 56 | rpc_methods = [ 57 | {resources.PORT: rpc_server.get_fwg_log_info_for_port}, 58 | {log_const.LOG_RESOURCE: rpc_server. 
59 | get_fwg_log_info_for_log_resources} 60 | ] 61 | DRIVER.register_rpc_methods(fw_const.FIREWALL_GROUP, rpc_methods) 62 | 63 | # Trigger fwg validator 64 | importutils.import_module('neutron_fwaas.services.logapi.fwg_validate') 65 | # Register resource callback handler 66 | manager.register( 67 | fwaas_constants.FIREWALL_GROUP, fwg_callback.FirewallGroupCallBack) 68 | # Register resource callback handler for Neutron ports 69 | manager.register(resources.PORT, port_callback.NeutronPortCallBack) 70 | 71 | LOG.debug('FWaaS L3 Logging driver based iptables registered') 72 | -------------------------------------------------------------------------------- /neutron_fwaas/services/logapi/agents/l3/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/logapi/agents/l3/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/services/logapi/agents/l3/fwg_log.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Fujitsu Limited 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 
15 | 16 | from neutron.services.logapi.agent.l3 import base 17 | from neutron.services.logapi.agent import log_extension as log_ext 18 | from neutron.services.logapi.rpc import agent as agent_rpc 19 | from neutron_lib.agent import l3_extension 20 | 21 | # TODO(annp) move to neutron-lib 22 | FIREWALL_LOG_DRIVER_NAME = 'fwaas_v2_log' 23 | 24 | 25 | class FWaaSL3LoggingExtension(base.L3LoggingExtensionBase, 26 | l3_extension.L3AgentExtension): 27 | 28 | def initialize(self, connection, driver_type): 29 | """Initialize L3 logging agent extension""" 30 | 31 | fw_log_cls = self._load_driver_cls( 32 | log_ext.LOGGING_DRIVERS_NAMESPACE, FIREWALL_LOG_DRIVER_NAME) 33 | self.log_driver = fw_log_cls(self.agent_api) 34 | self.resource_rpc = agent_rpc.LoggingApiStub() 35 | self._register_rpc_consumers() 36 | self.log_driver.initialize(self.resource_rpc) 37 | 38 | def update_network(self, context, data): 39 | # TODO(zhouhenglc) remove at base.L3LoggingExtensionBase support 40 | # update_network 41 | pass 42 | -------------------------------------------------------------------------------- /neutron_fwaas/services/logapi/common/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/logapi/common/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/services/logapi/common/fwg_callback.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Fujitsu Limited 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. 
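# You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from neutron.objects import ports as port_objects
from neutron.services.logapi.drivers import manager
from neutron_lib.callbacks import events
from neutron_lib import constants as nl_const
from neutron_lib.services.logapi import constants as log_const

from neutron_fwaas.services.logapi.common import log_db_api


class FirewallGroupCallBack(manager.ResourceCallBackBase):
    """Push log-resource updates when a firewall group's port set changes."""

    def handle_event(self, resource, event, trigger, **kwargs):
        """React to a firewall group event carried in ``kwargs['payload']``.

        AFTER_CREATE uses the ports of the newly created group.
        AFTER_UPDATE uses the ports that were added to or removed from the
        group. Any other event leaves the port set empty, so nothing is
        pushed.
        """
        payload = kwargs.get('payload')
        context = payload.context
        ports_delta = []
        if event == events.AFTER_CREATE:
            # Update log when a new firewall group is created with ports
            ports_delta = payload.latest_state['ports']

        elif event == events.AFTER_UPDATE:
            old_ports = payload.states[0]['ports']
            new_ports = payload.states[1]['ports']

            # Ports present in exactly one of the two states, i.e. the ones
            # attached to or detached from the firewall group by this update.
            ports_delta = set(new_ports).symmetric_difference(old_ports)

        if self.need_to_notify(context, ports_delta):
            self.trigger_logging(context, payload.resource_id, ports_delta)

    def trigger_logging(self, context, fwg_id, ports_delta):
        """Push the log resources that match the firewall group and ports.

        Nothing is pushed when the lookup returns no log resources.
        """
        log_resources = log_db_api.get_logs_for_fwg(
            context, fwg_id, ports_delta)
        if log_resources:
            self.resource_push_api(
                log_const.RESOURCE_UPDATE, context, log_resources)

    def need_to_notify(self, context, ports):
        """Return True if any of ``ports`` is a router interface port.

        Ports that can no longer be loaded are skipped. Without that check
        a single missing port raised AttributeError here, before
        handle_event reached trigger_logging, so the log-resource update
        for the remaining ports of the group was never pushed.
        """
        for port_id in ports:
            port = port_objects.Port.get_object(context, id=port_id)
            if port is None:
                # get_object() returns None when no port matches, e.g. the
                # port was deleted after the event was emitted.
                continue
            device_owner = port.get('device_owner', '')
            if device_owner in nl_const.ROUTER_INTERFACE_OWNERS:
                return True
        return False
--------------------------------------------------------------------------------
/neutron_fwaas/services/logapi/common/port_callback.py:
--------------------------------------------------------------------------------
# Copyright (c) 2018 Fujitsu Limited
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.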
from neutron.services.logapi.drivers import manager
from neutron_lib.callbacks import events
from neutron_lib import constants as nl_const
from neutron_lib.services.logapi import constants as log_const

from neutron_fwaas.services.logapi.common import log_db_api


class NeutronPortCallBack(manager.ResourceCallBackBase):
    """Re-push log resources when a router interface port changes status."""

    def handle_event(self, resource, event, trigger, payload):
        """Trigger logging for a router interface port whose status changed.

        Only AFTER_UPDATE events are considered. ``payload.states`` holds
        the port before the update at index 0 and after it at index 1.
        """
        if event != events.AFTER_UPDATE:
            return

        context = payload.context
        previous = payload.states[0]
        current = payload.states[1]

        is_router_port = (
            current['device_owner'] in nl_const.ROUTER_INTERFACE_OWNERS)
        if is_router_port and previous['status'] != current['status']:
            self.trigger_logging(context, current)

    def trigger_logging(self, context, port):
        """Push the log resources found for ``port``, if there are any."""
        matching_logs = log_db_api.get_logs_for_port(context, port['id'])
        if not matching_logs:
            return
        self.resource_push_api(
            log_const.RESOURCE_UPDATE, context, matching_logs)
--------------------------------------------------------------------------------
/neutron_fwaas/services/logapi/constants.py:
--------------------------------------------------------------------------------
# Copyright (c) 2018 Fujitsu Limited
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
15 | 16 | 17 | # Firewall group logging resource type 18 | FIREWALL_GROUP = 'firewall_group' 19 | 20 | # Target logging resource type 21 | TARGET_RESOURCE = 'port which is associated with the firewall group' 22 | -------------------------------------------------------------------------------- /neutron_fwaas/services/logapi/exceptions.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Fujitsu Limited 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 
15 | 16 | from neutron._i18n import _ 17 | from neutron_lib import exceptions as n_exc 18 | 19 | # TODO(annp or longkb): move to neutron-lib 20 | 21 | 22 | class FWGIsNotReadyForLogging(n_exc.InvalidInput): 23 | message = _("Firewall group %(fwg_id)s is not ready for logging " 24 | "because of %(fwg_status)s status.") 25 | 26 | 27 | class TargetResourceNotAssociated(n_exc.InvalidInput): 28 | message = _("Target resource %(target_id)s is not associated with " 29 | "any firewall group.") 30 | 31 | 32 | class PortIsNotReadyForLogging(n_exc.InvalidInput): 33 | message = _("Target resource %(target_id)s is not ready for logging " 34 | "because of %(port_status)s status.") 35 | -------------------------------------------------------------------------------- /neutron_fwaas/services/logapi/rpc/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/services/logapi/rpc/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/services/logapi/rpc/log_server.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2018 Fujitsu Limited 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 
15 | 16 | from neutron_fwaas.services.logapi.common import log_db_api 17 | 18 | 19 | # Use this when register log driver with 20 | # "register_rpc_methods" function 21 | def get_fwg_log_info_for_port(context, port_id): 22 | return log_db_api.get_fwg_log_info_for_port(context, port_id) 23 | 24 | 25 | # Use this when register log driver with 26 | # "register_rpc_methods" function 27 | def get_fwg_log_info_for_log_resources(context, log_resources): 28 | return log_db_api.get_fwg_log_info_for_log_resources( 29 | context, 30 | log_resources) 31 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/base.py: -------------------------------------------------------------------------------- 1 | # Copyright 2014 OpenStack Foundation. 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 
15 | # 16 | 17 | from neutron.tests import base as n_base 18 | 19 | 20 | class BaseTestCase(n_base.BaseTestCase): 21 | pass 22 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/contrib/README: -------------------------------------------------------------------------------- 1 | The files in this directory are intended for use by the 2 | Neutron infra jobs that run the various functional test 3 | suites in the gate. 4 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/contrib/filters.template: -------------------------------------------------------------------------------- 1 | # neutron-rootwrap command filters to support functional testing. It 2 | # is NOT intended to be used outside of a test environment. 3 | # 4 | # This file should be owned by (and only-writeable by) the root user 5 | 6 | [Filters] 7 | # '$BASE_PATH' is intended to be replaced with the expected tox path 8 | # (e.g. /opt/stack/new/neutron/.tox/dsvm-functional) by the neutron 9 | # functional jenkins job. This ensures that tests can kill the 10 | # processes that they launch with their containing tox environment's 11 | # python. 12 | kill_tox_python: KillFilter, root, $BASE_PATH/bin/python, -9 13 | 14 | # enable ping from namespace 15 | ping_filter: CommandFilter, ping, root 16 | 17 | # enable curl from namespace 18 | curl_filter: CommandFilter, curl, root 19 | tee_filter: CommandFilter, tee, root 20 | tee_kill: KillFilter, root, tee, -9 21 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/contrib/functional-testing.filters: -------------------------------------------------------------------------------- 1 | # neutron-rootwrap command filters to support functional testing. It 2 | # is NOT intended to be used outside of a test environment. 
3 | # 4 | # This file should be owned by (and only-writeable by) the root user 5 | 6 | [Filters] 7 | # enable ping from namespace 8 | ping_filter: CommandFilter, ping, root 9 | ping6_filter: CommandFilter, ping6, root 10 | ping_kill: KillFilter, root, ping, -2 11 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/contrib/gate_hook.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -ex 4 | 5 | VENV=${1:-"dsvm-functional"} 6 | 7 | GATE_DEST=$BASE/new 8 | FWAAS_PATH=$GATE_DEST/neutron-fwaas 9 | DEVSTACK_PATH=$GATE_DEST/devstack 10 | 11 | 12 | case $VENV in 13 | "dsvm-functional"|"dsvm-fullstack") 14 | # The following need to be set before sourcing 15 | # configure_for_fwaas_func_testing. 16 | GATE_STACK_USER=stack 17 | PROJECT_NAME=neutron-fwaas 18 | IS_GATE=True 19 | 20 | source $FWAAS_PATH/tools/configure_for_fwaas_func_testing.sh 21 | 22 | configure_host_for_func_testing 23 | if is_ubuntu || is_suse; then 24 | install_package libnetfilter-log1 25 | elif is_fedora; then 26 | install_package libnetfilter-log 27 | fi 28 | ;; 29 | esac 30 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/contrib/gate_hook_tempest.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -ex 4 | 5 | FWAAS_VERSION=$1 6 | 7 | GATE_DEST=$BASE/new 8 | GATE_HOOKS=$GATE_DEST/neutron-fwaas/neutron_fwaas/tests/contrib/hooks 9 | DEVSTACK_PATH=$GATE_DEST/devstack 10 | LOCAL_CONF=$DEVSTACK_PATH/late-local.conf 11 | DSCONF=/tmp/devstack-tools/bin/dsconf 12 | 13 | # Install devstack-tools used to produce local.conf; we can't rely on 14 | # test-requirements.txt because the gate hook is triggered before neutron-fwaas 15 | # is installed 16 | sudo -H pip install virtualenv 17 | virtualenv /tmp/devstack-tools 18 | /tmp/devstack-tools/bin/pip install -U devstack-tools==0.4.0 19 | 20 
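# Inject config from hook into localrc
#
# $1 is the name of a hook file under $GATE_HOOKS. Its content is written
# into a temporary [[local|localrc]] section with dsconf and then merged
# into $LOCAL_CONF.
function load_rc_hook {
    local hook="$1"
    local tmpfile
    local config
    # mktemp replaces `tempfile`, a Debian-specific helper that is
    # deprecated in favour of mktemp.
    tmpfile=$(mktemp)
    # Expansions are quoted so that a path or hook name containing
    # whitespace or glob characters is passed through as a single word.
    config=$(cat "$GATE_HOOKS/$hook")
    echo "[[local|localrc]]" > "$tmpfile"
    "$DSCONF" setlc_raw "$tmpfile" "$config"
    "$DSCONF" merge_lc "$LOCAL_CONF" "$tmpfile"
    rm -f "$tmpfile"
}

LOCAL_CONF=$DEVSTACK_PATH/local.conf
load_rc_hook api_extensions-base
# FWAAS_VERSION comes from the first script argument; quote it so it always
# selects exactly one hook file name.
load_rc_hook "api_extensions-${FWAAS_VERSION}"

export DEVSTACK_LOCALCONF=$(cat "$LOCAL_CONF")
"$BASE/new/devstack-gate/devstack-vm-gate.sh"
--------------------------------------------------------------------------------
/neutron_fwaas/tests/contrib/hooks/api_extensions-base:
--------------------------------------------------------------------------------
NETWORK_API_EXTENSIONS=agent,binding,dhcp_agent_scheduler,external-net,ext-gw-mode,extra_dhcp_opts,quotas,router,security-group,subnet_allocation,network-ip-availability,auto-allocated-topology,timestamp_core,tag,service-type,rbac-policies,standard-attr-description,pagination,sorting,project-id
--------------------------------------------------------------------------------
/neutron_fwaas/tests/contrib/hooks/api_extensions-legacy:
--------------------------------------------------------------------------------
NETWORK_API_EXTENSIONS+=,fwaas,fwaasrouterinsertion
--------------------------------------------------------------------------------
/neutron_fwaas/tests/contrib/hooks/api_extensions-v1:
--------------------------------------------------------------------------------
NETWORK_API_EXTENSIONS+=,fwaas,fwaasrouterinsertion
--------------------------------------------------------------------------------
/neutron_fwaas/tests/contrib/hooks/api_extensions-v2:
--------------------------------------------------------------------------------
NETWORK_API_EXTENSIONS+=,fwaas_v2
NETWORK_API_EXTENSIONS+=,standard-attr-fwaas-v2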
-------------------------------------------------------------------------------- /neutron_fwaas/tests/contrib/hooks/iptables_verify: -------------------------------------------------------------------------------- 1 | [[post-config|/etc/neutron/neutron.conf]] 2 | 3 | [AGENT] 4 | debug_iptables_rules=True 5 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/contrib/post_test_hook.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -xe 4 | 5 | FWAAS_DIR="$BASE/new/neutron-fwaas" 6 | NEUTRON_DIR="$BASE/new/neutron" 7 | TEMPEST_DIR="$BASE/new/tempest" 8 | SCRIPTS_DIR="/usr/os-testr-env/bin" 9 | 10 | venv=${1:-"dsvm-functional"} 11 | 12 | function generate_testr_results { 13 | # Give job user rights to access tox logs 14 | sudo -H -u $owner chmod o+rw . 15 | sudo -H -u $owner chmod o+rw -R .stestr 16 | if [ -f ".stestr/0" ] ; then 17 | .tox/$venv/bin/subunit-1to2 < .stestr/0 > ./stestr.subunit 18 | $SCRIPTS_DIR/subunit2html ./stestr.subunit testr_results.html 19 | gzip -9 ./stestr.subunit 20 | gzip -9 ./testr_results.html 21 | sudo mv ./*.gz /opt/stack/logs/ 22 | fi 23 | } 24 | 25 | function dsvm_functional_prep_func { 26 | : 27 | } 28 | 29 | if [[ "$venv" == dsvm-functional* ]] 30 | then 31 | owner=stack 32 | sudo_env= 33 | # Set owner permissions according to job's requirements. 34 | cd $FWAAS_DIR 35 | sudo chown -R $owner:stack $FWAAS_DIR 36 | sudo chown -R $owner:stack $NEUTRON_DIR 37 | # Prep the environment according to job's requirements. 38 | $prep_func 39 | 40 | # Run tests 41 | echo "Running neutron-fwaas $venv test suite" 42 | set +e 43 | sudo -H -u $owner $sudo_env tox -e $venv 44 | testr_exit_code=$? 
45 | set -e 46 | 47 | # Collect and parse results 48 | generate_testr_results 49 | exit $testr_exit_code 50 | fi 51 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/fullstack/README: -------------------------------------------------------------------------------- 1 | Please see neutron/TESTING.rst for more information about what Fullstack tests are. 2 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/fullstack/__init__.py: -------------------------------------------------------------------------------- 1 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 2 | # not use this file except in compliance with the License. You may obtain 3 | # a copy of the License at 4 | # 5 | # http://www.apache.org/licenses/LICENSE-2.0 6 | # 7 | # Unless required by applicable law or agreed to in writing, software 8 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 9 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 10 | # License for the specific language governing permissions and limitations 11 | # under the License. 12 | 13 | from neutron.common import eventlet_utils 14 | 15 | 16 | eventlet_utils.monkey_patch() 17 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/fullstack/base.py: -------------------------------------------------------------------------------- 1 | # Copyright 2015 Red Hat, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. 
You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 | # License for the specific language governing permissions and limitations 13 | # under the License. 14 | 15 | import os 16 | 17 | from neutron_lib.tests import tools 18 | from oslo_config import cfg 19 | 20 | from neutron.tests import base as tests_base 21 | from neutron.tests.fullstack.resources import client as client_resource 22 | from neutron.tests.unit import testlib_api 23 | 24 | 25 | # This is the directory from which infra fetches log files for fullstack tests 26 | DEFAULT_LOG_DIR = os.path.join('/opt/stack/logs/neutron-fwaas/', 27 | 'dsvm-fullstack-logs') 28 | 29 | 30 | class BaseFullStackTestCase(testlib_api.MySQLTestCaseMixin, 31 | testlib_api.SqlTestCase): 32 | """Base test class for full-stack tests.""" 33 | 34 | BUILD_WITH_MIGRATIONS = True 35 | 36 | def setUp(self, environment): 37 | super().setUp() 38 | 39 | tests_base.setup_test_logging( 40 | cfg.CONF, DEFAULT_LOG_DIR, '%s.txt' % self.get_name()) 41 | 42 | # NOTE(zzzeek): the opportunistic DB fixtures have built for 43 | # us a per-test (or per-process) database. Set the URL of this 44 | # database in CONF as the full stack tests need to actually run a 45 | # neutron server against this database. 
46 | _orig_db_url = cfg.CONF.database.connection 47 | cfg.CONF.set_override( 48 | 'connection', 49 | self.engine.url.render_as_string(hide_password=False), 50 | group='database') 51 | self.addCleanup( 52 | cfg.CONF.set_override, 53 | "connection", _orig_db_url, group="database" 54 | ) 55 | 56 | # NOTE(ihrachys): seed should be reset before environment fixture below 57 | # since the latter starts services that may rely on generated port 58 | # numbers 59 | tools.reset_random_seed() 60 | self.environment = environment 61 | self.environment.test_name = self.get_name() 62 | self.useFixture(self.environment) 63 | self.client = self.environment.neutron_server.client 64 | self.safe_client = self.useFixture( 65 | client_resource.ClientFixture(self.client)) 66 | 67 | def get_name(self): 68 | class_name, test_name = self.id().split(".")[-2:] 69 | return "{}.{}".format(class_name, test_name) 70 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/fullstack/resources/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/fullstack/resources/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/functional/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/functional/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/functional/db/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/functional/db/__init__.py 
-------------------------------------------------------------------------------- /neutron_fwaas/tests/functional/privileged/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/functional/privileged/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/functional/privileged/test_dummy.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017 Thales Services SAS 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 15 | 16 | from neutron.tests.functional import base 17 | 18 | from neutron_fwaas.privileged.tests.functional import dummy 19 | 20 | 21 | class DummyTest(base.BaseSudoTestCase): 22 | 23 | def test_dummy(self): 24 | dummy.dummy() 25 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/functional/privileged/test_utils.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017 Thales Services SAS 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. 
You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 15 | 16 | from neutron.agent.linux import ip_lib 17 | from neutron.common import utils as neutron_utils 18 | from neutron.tests.common import net_helpers 19 | from neutron.tests.functional import base 20 | 21 | from neutron_fwaas.privileged.tests.functional import utils 22 | 23 | 24 | class InNamespaceTest(base.BaseSudoTestCase): 25 | 26 | def setUp(self): 27 | super().setUp() 28 | self.namespace = self.useFixture(net_helpers.NamespaceFixture()).name 29 | 30 | ip = ip_lib.IPWrapper() 31 | root_dev_name = neutron_utils.get_rand_device_name() 32 | netns_dev_name = neutron_utils.get_rand_device_name() 33 | self.root_dev, self.netns_dev = ip.add_veth( 34 | root_dev_name, netns_dev_name, namespace2=self.namespace) 35 | self.addCleanup(self.root_dev.link.delete) 36 | 37 | def test_in_namespace(self): 38 | before, observed, after = utils.get_in_namespace_interfaces( 39 | self.namespace) 40 | expected = ['lo', self.netns_dev.name] 41 | self.assertItemsEqual(expected, observed) 42 | # Other tests can create/delete devices, so we just checks 43 | # self.root_dev_name is included in the root namespace result. 44 | self.assertIn(self.root_dev.name, before) 45 | self.assertIn(self.root_dev.name, after) 46 | 47 | def test_in_no_namespace(self): 48 | before, observed, after = utils.get_in_namespace_interfaces(None) 49 | # Other tests can create/delete devices, so we just checks 50 | # self.root_dev_name is included in the root namespace result. 
51 | self.assertIn(self.root_dev.name, observed) 52 | self.assertIn(self.root_dev.name, before) 53 | self.assertIn(self.root_dev.name, after) 54 | -------------------------------------------------------------------------------- /neutron_fwaas/tests/functional/services/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/functional/services/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/functional/services/logapi/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/functional/services/logapi/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/functional/services/logapi/agents/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/functional/services/logapi/agents/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/functional/services/logapi/agents/drivers/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/functional/services/logapi/agents/drivers/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/functional/services/logapi/agents/drivers/iptables/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/functional/services/logapi/agents/drivers/iptables/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/cmd/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/cmd/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/cmd/upgrade_checks/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/cmd/upgrade_checks/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/cmd/upgrade_checks/test_checks.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Red Hat Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 4 | # not use this file except in compliance with the License. You may obtain 5 | # a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
See the
# License for the specific language governing permissions and limitations
# under the License.

from unittest import mock

from oslo_config import cfg
from oslo_upgradecheck.upgradecheck import Code

from neutron_fwaas.cmd.upgrade_checks import checks
from neutron_fwaas.tests import base


class TestChecks(base.BaseTestCase):
    """Unit tests for the upgrade checks exposed by ``checks.Checks``."""

    def setUp(self):
        """Build one ``Checks`` instance for the tests that need an object."""
        super().setUp()
        self.checks = checks.Checks()

    def test_get_checks_list(self):
        """``get_checks()`` returns a list."""
        registered = self.checks.get_checks()
        self.assertIsInstance(registered, list)

    def test_fwaas_v1_check_sucess(self):
        """A ``service_plugins`` value without a firewall entry is SUCCESS."""
        # NOTE(review): the override is not undone here; presumably the base
        # test case resets cfg.CONF between tests -- confirm.
        cfg.CONF.set_override('service_plugins', ['l3', 'qos'])
        outcome = checks.Checks.fwaas_v1_check(mock.Mock())
        self.assertEqual(Code.SUCCESS, outcome.code)

    def test_fwaas_v1_check_warning(self):
        """Both spellings of the firewall plugin make the check fail.

        Despite the test name, the asserted result code is ``Code.FAILURE``,
        not a warning.
        """
        firewall_spellings = (
            'firewall',
            'neutron_fwaas.services.firewall.fwaas_plugin:FirewallPlugin',
        )
        for spelling in firewall_spellings:
            cfg.CONF.set_override('service_plugins', ['l3', spelling, 'qos'])
            outcome = checks.Checks.fwaas_v1_check(mock.Mock())
            self.assertEqual(Code.FAILURE, outcome.code)

--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/db/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/db/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/db/firewall/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/db/firewall/__init__.py
-------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/db/firewall/v2/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/db/firewall/v2/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/policies/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/policies/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/privileged/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/privileged/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/privileged/netfilter_log/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/privileged/netfilter_log/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/privileged/test_utils.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017 Thales Services SAS 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. 
You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from unittest import mock

import testtools

from neutron_fwaas.privileged import utils
from neutron_fwaas.tests import base


class InNamespaceTest(base.BaseTestCase):
    """Unit tests for ``utils.in_namespace`` with the system calls mocked.

    ``os.open``, ``os.close`` and ``pyroute2.netns.setns`` are all patched, so
    the tests only observe which calls the context manager makes and in what
    order; no namespace is actually entered.
    """

    ORG_NETNS_FD = 124
    NEW_NETNS_FD = 421
    NEW_NETNS = 'newns'

    def setUp(self):
        """Install the os.open / os.close / setns mocks."""
        super().setUp()

        # NOTE(cby): we should unmock os.open/close as early as possible
        # because they are used in cleanups
        open_patcher = mock.patch('os.open', return_value=self.ORG_NETNS_FD)
        self.open_mock = open_patcher.start()
        self.addCleanup(open_patcher.stop)

        close_patcher = mock.patch('os.close')
        self.close_mock = close_patcher.start()
        self.addCleanup(close_patcher.stop)

        # NOTE(review): no explicit stop is registered for this patch;
        # presumably the base test case stops outstanding patches -- confirm.
        setns_patcher = mock.patch('pyroute2.netns.setns')
        self.setns_mock = setns_patcher.start()

    def _expected_round_trip(self):
        """Return the setns calls for entering NEW_NETNS and switching back.

        The second call uses ORG_NETNS_FD, the value the patched ``os.open``
        returns.
        """
        return [mock.call(self.NEW_NETNS), mock.call(self.ORG_NETNS_FD)]

    def test_in_namespace(self):
        """Entering calls setns once; leaving switches back to the saved fd."""
        with utils.in_namespace(self.NEW_NETNS):
            self.setns_mock.assert_called_once_with(self.NEW_NETNS)

        self.setns_mock.assert_has_calls(self._expected_round_trip())

    def test_in_no_namespace(self):
        """An empty or ``None`` namespace never touches setns or os.close."""
        for no_namespace in ('', None):
            with utils.in_namespace(no_namespace):
                pass
        self.setns_mock.assert_not_called()
        self.close_mock.assert_not_called()

    def test_in_namespace_failed(self):
        """An exception in the body still triggers the switch back."""
        with testtools.ExpectedException(ValueError), \
                utils.in_namespace(self.NEW_NETNS):
            self.setns_mock.assert_called_once_with(self.NEW_NETNS)
            raise ValueError

        self.setns_mock.assert_has_calls(self._expected_round_trip())

    def test_in_namespace_enter_failed(self):
        """A setns failure on entry propagates and the body never runs."""
        self.setns_mock.side_effect = ValueError
        with testtools.ExpectedException(ValueError), \
                utils.in_namespace(self.NEW_NETNS):
            self.fail('It should fail before we reach this code')

        self.setns_mock.assert_called_once_with(self.NEW_NETNS)

    def test_in_namespace_exit_failed(self):
        """A setns failure on the way out raises ``BackInNamespaceExit``.

        The first mocked setns call succeeds and the second raises, so the
        error happens while switching back. A caller that cannot return to
        its original namespace gets a dedicated exception type rather than
        the underlying ValueError.
        """
        self.setns_mock.side_effect = [self.NEW_NETNS_FD, ValueError]
        with testtools.ExpectedException(utils.BackInNamespaceExit), \
                utils.in_namespace(self.NEW_NETNS):
            pass

--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/firewall/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/firewall/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/firewall/service_drivers/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/firewall/service_drivers/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/__init__.py:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/noop/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/noop/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/noop/test_noop_driver.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Mirantis Inc. 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 

from unittest import mock

from neutron import manager
from neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.\
    noop import noop_driver
from neutron_fwaas.tests import base


class TestNoopDriver(base.BaseTestCase):
    """Smoke tests for ``NoopFirewallL2Driver``.

    These tests only check that the driver's methods can be called and that
    the ``noop`` provider name resolves to this class; they say nothing about
    traffic filtering.
    """

    def setUp(self):
        """Instantiate the driver with a mock in place of the bridge."""
        super().setUp()
        bridge = mock.Mock()
        self.firewall = noop_driver.NoopFirewallL2Driver(bridge)

    def test_basic_methods(self):
        """Call every driver entry point once; the test passes if none raise."""
        group = mock.Mock()
        for verb in ('create', 'update', 'delete'):
            handler = getattr(self.firewall, verb + '_firewall_group')
            handler(ports=[], firewall_group=group)
        self.firewall.filter_defer_apply_on()
        self.firewall.filter_defer_apply_off()
        self.firewall.defer_apply()
        # Bare attribute access: only checks that ``ports`` can be read.
        self.firewall.ports

    def test_load_firewall_class(self):
        """The ``noop`` provider name loads ``NoopFirewallL2Driver``.

        NOTE(review): going by its name, a deployment that selects this
        provider gets a driver that applies no L2 firewall rules -- worth
        confirming that it is only chosen deliberately.
        """
        loaded = manager.NeutronManager.load_class_for_provider(
            'neutron.agent.l2.firewall_drivers', 'noop')
        self.assertEqual(loaded, noop_driver.NoopFirewallL2Driver)

--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/l2/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/l2/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/l3reference/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/l3reference/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/test_firewall_agent_api.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2013 OpenStack Foundation 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 

from unittest import mock

from neutron_fwaas.services.firewall.service_drivers.agents.drivers \
    import fwaas_base
from neutron_fwaas.services.firewall.service_drivers.agents.drivers \
    import fwaas_base_v2
from neutron_fwaas.services.firewall.service_drivers.agents \
    import firewall_agent_api as api
from neutron_fwaas.tests import base


class NoopFwaasDriver(fwaas_base.FwaasDriverBase):
    """Noop Fwaas Driver.

    v1 firewall driver which does nothing.
    This driver is for disabling Fwaas functionality.
    """

    def create_firewall_group(self, agent_mode, apply_list, firewall):
        """Accept the request and do nothing."""

    def delete_firewall_group(self, agent_mode, apply_list, firewall):
        """Accept the request and do nothing."""

    def update_firewall_group(self, agent_mode, apply_list, firewall):
        """Accept the request and do nothing."""

    def apply_default_policy(self, agent_mode, apply_list, firewall):
        """Accept the request and do nothing."""


class NoopFwaasDriverV2(fwaas_base_v2.FwaasDriverBase):
    """Noop Fwaas Driver.

    v2 firewall driver which does nothing.
    This driver is for disabling Fwaas functionality.
    """

    def create_firewall_group(self, agent_mode, apply_list, firewall):
        """Accept the request and do nothing."""

    def delete_firewall_group(self, agent_mode, apply_list, firewall):
        """Accept the request and do nothing."""

    def update_firewall_group(self, agent_mode, apply_list, firewall):
        """Accept the request and do nothing."""

    def apply_default_policy(self, agent_mode, apply_list, firewall):
        """Accept the request and do nothing."""


class TestFWaaSAgentApi(base.BaseTestCase):
    """Tests for the RPC calls made by ``FWaaSPluginApiMixin``."""

    def setUp(self):
        """Create the API mixin with fixed topic and host values."""
        super().setUp()

        self.api = api.FWaaSPluginApiMixin('topic', 'host')

    def test_init(self):
        """The host passed to the constructor is stored on the object."""
        self.assertEqual('host', self.api.host)

    def _test_firewall_method(self, method_name, **kwargs):
        """Invoke ``method_name`` on the API and check the resulting RPC call.

        The client's ``prepare`` and ``call`` are mocked. The method must call
        ``prepare`` once without arguments and then ``call`` once with the
        context, the method name, ``firewall_id='test'``, ``host='host'`` and
        any extra keyword arguments.
        """
        client = self.api.client
        with mock.patch.object(client, 'call') as rpc_mock, \
                mock.patch.object(client, 'prepare') as prepare_mock:
            prepare_mock.return_value = self.api.client
            api_method = getattr(self.api, method_name)
            api_method(mock.sentinel.context, 'test', **kwargs)

        prepare_mock.assert_called_once_with()
        rpc_mock.assert_called_once_with(
            mock.sentinel.context, method_name,
            firewall_id='test', host='host', **kwargs)

    def test_set_firewall_status(self):
        """``set_firewall_status`` forwards the status keyword over RPC."""
        self._test_firewall_method('set_firewall_status', status='fake_status')

    def test_firewall_deleted(self):
        """``firewall_deleted`` is forwarded over RPC without extra kwargs."""
        self._test_firewall_method('firewall_deleted')

--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/test_firewall_service.py:
--------------------------------------------------------------------------------
# Copyright 2014 OpenStack Foundation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from neutron.tests import base
from oslo_config import cfg

from neutron_fwaas.services.firewall.service_drivers.agents import\
    firewall_service

# Dotted path of the no-op driver class defined in test_firewall_agent_api.
FWAAS_NOP_DEVICE = '.'.join((
    'neutron_fwaas.tests.unit.services.firewall.service_drivers.agents',
    'test_firewall_agent_api',
    'NoopFwaasDriver',
))


class TestFirewallDeviceDriverLoading(base.BaseTestCase):
    """Tests for loading the FWaaS device driver named in configuration.

    The driver class is selected by the ``driver`` option of the ``fwaas``
    group, so whoever can write that option decides which class gets loaded.
    The failure tests below pin down that a bad or empty value raises instead
    of leaving the service without a driver.
    """

    def setUp(self):
        """Create the service object whose loader is under test."""
        super().setUp()
        self.service = firewall_service.FirewallService()

    def _set_driver(self, dotted_path):
        """Override the ``driver`` option of the ``fwaas`` config group."""
        cfg.CONF.set_override('driver', dotted_path, group='fwaas')

    def test_loading_firewall_device_driver(self):
        """Get the sole device driver for FWaaS."""
        self._set_driver(FWAAS_NOP_DEVICE)
        loaded = self.service.load_device_drivers()
        self.assertIsNotNone(loaded)
        # This is a substring check: the class name only has to occur
        # somewhere inside the dotted path, not match its last component.
        loaded_name = loaded.__class__.__name__
        self.assertIn(loaded_name, FWAAS_NOP_DEVICE)

    def test_fail_no_such_firewall_device_driver(self):
        """Failure test of import error for FWaaS device driver."""
        self._set_driver('no.such.class')
        self.assertRaises(ImportError,
                          self.service.load_device_drivers)

    def test_fail_firewall_no_device_driver_specified(self):
        """Failure test when no FWaaS device driver is specified.

        This is a configuration error, as the user must specify a device
        driver when enabling the firewall service (and there is no default
        configuration set). We'll simulate that by using an empty string.
        """
        self._set_driver('')
        self.assertRaises(ValueError,
                          self.service.load_device_drivers)

--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/firewall/service_drivers/ovn/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/firewall/service_drivers/ovn/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/logapi/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/logapi/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/logapi/agents/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/logapi/agents/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/logapi/agents/drivers/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/logapi/agents/drivers/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/logapi/agents/drivers/iptables/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/logapi/agents/drivers/iptables/__init__.py -------------------------------------------------------------------------------- /neutron_fwaas/tests/unit/services/logapi/agents/drivers/iptables/test_driver.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Fujitsu Limited 2 | # All Rights Reserved. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 5 | # not use this file except in compliance with the License. You may obtain 6 | # a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 | # License for the specific language governing permissions and limitations 14 | # under the License. 

from neutron.services.logapi.drivers import base as log_base_driver
from neutron_fwaas.tests import base

SUPPORTED_LOGGING_TYPES = ['firewall_group']


class FakeDriver(log_base_driver.DriverBase):
    """Logging driver stub that supports only the ``firewall_group`` type."""

    @staticmethod
    def create():
        """Return a ``FakeDriver`` with empty VIF/VNIC lists and RPC enabled."""
        options = {
            'name': 'fake_driver',
            'vif_types': [],
            'vnic_types': [],
            'supported_logging_types': SUPPORTED_LOGGING_TYPES,
            'requires_rpc': True,
        }
        return FakeDriver(**options)


class TestDriverBase(base.BaseTestCase):
    """Checks the compatibility predicates of ``DriverBase`` via FakeDriver."""

    def setUp(self):
        """Create the fake driver under test."""
        super().setUp()
        self.driver = FakeDriver.create()

    def test_is_vif_type_compatible(self):
        """An empty VIF type list is reported as not compatible."""
        compatible = self.driver.is_vif_type_compatible([])
        self.assertFalse(compatible)

    def test_is_vnic_compatible(self):
        """An empty VNIC type list is reported as not compatible."""
        compatible = self.driver.is_vnic_compatible([])
        self.assertFalse(compatible)

    def test_is_logging_type_supported(self):
        """Only ``firewall_group`` is supported; ``security_group`` is not."""
        is_supported = self.driver.is_logging_type_supported
        self.assertTrue(is_supported('firewall_group'))
        self.assertFalse(is_supported('security_group'))

--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/logapi/agents/l3/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/logapi/agents/l3/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/logapi/agents/l3/test_fwg_log.py:
--------------------------------------------------------------------------------
# Copyright (c) 2018 Fujitsu Limited.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from unittest import mock

from neutron.api.rpc.callbacks.consumer import registry
from neutron.api.rpc.callbacks import resources
from neutron.api.rpc.handlers import resources_rpc
from neutron.tests.unit.services.logapi.agent.l3 import test_base as base
from neutron_lib import constants as lib_const

from neutron_fwaas.services.logapi.agents.l3 import fwg_log


class FWaaSL3LoggingExtensionInitializeTestCase(base.L3LoggingExtBaseTestCase):
    """Checks the RPC wiring done by ``FWaaSL3LoggingExtension.initialize``."""

    def setUp(self):
        """Create the extension and hand it the agent API from the base class."""
        super().setUp()
        self.fw_l3_log_ext = fwg_log.FWaaSL3LoggingExtension()
        self.fw_l3_log_ext.consume_api(self.agent_api)

    @mock.patch.object(registry, 'register')
    @mock.patch.object(resources_rpc, 'ResourcesPushRpcCallback')
    def test_initialize_subscribed_to_rpc(self, rpc_mock, subscribe_mock):
        """``initialize`` opens a connection and subscribes to logging pushes.

        Expected effects: one ``neutron_lib.rpc.Connection()`` call, a fanout
        consumer on the versioned topic for ``LOGGING_RESOURCE`` whose
        endpoint is the push callback, and a registry registration for
        ``LOGGING_RESOURCE``.
        """
        with mock.patch('neutron_lib.rpc.Connection',
                        return_value=self.connection) as create_connection:
            self.fw_l3_log_ext.initialize(
                self.connection, lib_const.L3_AGENT_MODE)
            create_connection.assert_has_calls([mock.call()])

            logging_topic = resources_rpc.resource_type_versioned_topic(
                resources.LOGGING_RESOURCE)
            expected_consumer = mock.call(
                logging_topic, [rpc_mock()], fanout=True)
            self.connection.create_consumer.assert_has_calls(
                [expected_consumer])

            subscribe_mock.assert_called_with(
                mock.ANY, resources.LOGGING_RESOURCE)

--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/logapi/base.py:
--------------------------------------------------------------------------------
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from unittest import mock

from neutron.api.rpc.callbacks.consumer import registry as cons_registry
from neutron.api.rpc.callbacks.producer import registry as prod_registry
from neutron.api.rpc.callbacks import resource_manager
from neutron.tests.unit import testlib_api


class BaseLogTestCase(testlib_api.SqlTestCase):
    """SQL test case that gives each test its own callback managers.

    The consumer and producer registries are patched to return managers
    created in ``setUp``, so callbacks registered by one test are not seen
    through the registries by another.
    """

    def setUp(self):
        """Create fresh callback managers and route both registries to them."""
        super().setUp()

        # ``_singleton`` is patched only while the two managers are built.
        # NOTE(review): presumably this makes the constructors return new
        # objects instead of a shared instance -- confirm in resource_manager.
        singleton_off = mock.patch.object(
            resource_manager.ResourceCallbacksManager, '_singleton',
            new_callable=mock.PropertyMock(return_value=False))
        with singleton_off:
            self.cons_mgr = resource_manager.ConsumerResourceCallbacksManager()
            self.prod_mgr = resource_manager.ProducerResourceCallbacksManager()
            self.cons_mgr.clear()
            self.prod_mgr.clear()

        # NOTE(review): these two patches are started without a registered
        # stop; presumably the base test case stops outstanding patches.
        registry_managers = (
            (cons_registry, self.cons_mgr),
            (prod_registry, self.prod_mgr),
        )
        for registry_module, manager in registry_managers:
            mock.patch.object(
                registry_module, '_get_manager', return_value=manager).start()

--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/logapi/common/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/logapi/common/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/logapi/rpc/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/neutron_fwaas/tests/unit/services/logapi/rpc/__init__.py
--------------------------------------------------------------------------------
/neutron_fwaas/tests/unit/services/logapi/rpc/test_log_server.py:
--------------------------------------------------------------------------------
# Copyright (c) 2018 Fujitsu Limited
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from unittest import mock

from neutron.services.logapi.rpc import server as server_rpc
from neutron.tests import base

from neutron_fwaas.services.logapi.rpc import log_server as fw_server_rpc


class FWGLoggingApiSkeletonTestCase(base.BaseTestCase):
    """Checks that the logging RPC skeleton reaches the FWaaS DB helpers.

    ``server_rpc.get_rpc_method`` is patched to return the FWaaS handler, and
    the ``log_db_api`` function behind that handler is mocked; each test then
    asserts that the mocked function received the context and the payload.
    """

    @mock.patch("neutron_fwaas.services.logapi.common.log_db_api."
                "get_fwg_log_info_for_port")
    def test_get_fwg_log_info_for_port(self, mock_callback):
        """A per-port request with ``firewall_v2`` ends in the port lookup."""
        fwg_handler = fw_server_rpc.get_fwg_log_info_for_port
        with mock.patch.object(server_rpc, 'get_rpc_method',
                               return_value=fwg_handler):
            skeleton = server_rpc.LoggingApiSkeleton()
            context = mock.Mock()
            port_id = '123'
            skeleton.get_sg_log_info_for_port(
                context, resource_type='firewall_v2', port_id=port_id)
            mock_callback.assert_called_with(context, port_id)

    @mock.patch("neutron_fwaas.services.logapi.common.log_db_api."
                "get_fwg_log_info_for_log_resources")
    def test_get_fwg_log_info_for_log_resources(self, mock_callback):
        """A log-resources request with ``firewall_v2`` ends in the DB helper."""
        fwg_handler = fw_server_rpc.get_fwg_log_info_for_log_resources
        with mock.patch.object(server_rpc, 'get_rpc_method',
                               return_value=fwg_handler):
            skeleton = server_rpc.LoggingApiSkeleton()
            context = mock.Mock()
            log_resources = [mock.Mock()]
            skeleton.get_sg_log_info_for_log_resources(
                context,
                resource_type='firewall_v2',
                log_resources=log_resources)
            mock_callback.assert_called_with(context, log_resources)

--------------------------------------------------------------------------------
/neutron_fwaas/version.py:
--------------------------------------------------------------------------------
# Copyright 2011 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
14 | 15 | import pbr.version 16 | 17 | version_info = pbr.version.VersionInfo('neutron-fwaas') 18 | -------------------------------------------------------------------------------- /playbooks/configure_functional_job.yaml: -------------------------------------------------------------------------------- 1 | - hosts: all 2 | roles: 3 | - setup_logdir 4 | - configure_functional_tests 5 | -------------------------------------------------------------------------------- /pyproject.toml: -------------------------------------------------------------------------------- 1 | [build-system] 2 | requires = ["pbr>=5.7.0", "setuptools>=64.0.0", "wheel"] 3 | build-backend = "pbr.build" 4 | 5 | -------------------------------------------------------------------------------- /releasenotes/notes/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/releasenotes/notes/.placeholder -------------------------------------------------------------------------------- /releasenotes/notes/add-missing-pk-firewall_group_associations_v2-3fddb21b3a19b598.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | A change has been made in the database structures to add missing 5 | primary key for the table 'firewall_group_associations_v2'. This 6 | would have the benefit effect to fix an issue with Percona when 7 | running in ENFORCING mode. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/adding-new-tables-for-future-consumption-ffd537c1f82e2e01.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | Adding new tables for future consumption. 
4 | features: 5 | - | 6 | New tables ``ACCEPTED_EGRESS_TRAFFIC_TABLE=91`` 7 | and ``ACCEPTED_INGRESS_TRAFFIC_TABLE=92`` & ``DROPPED_TRAFFIC_TABLE=93`` 8 | are added to the OVS-based FWaaS L2 driver for future consumption, such as by the logging 9 | service. 10 | fixes: 11 | - | 12 | The limitation related to logging for security group in case of 13 | co-existence between SG and FWG is also fixed. -------------------------------------------------------------------------------- /releasenotes/notes/auto-association-default-firewall-group-7e9faf1afca1df85.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | Associating default firewall group for new VM ports within a project 4 | automatically. 5 | features: 6 | - | 7 | The default firewall group won't be applied to all new VM ports by default. 8 | However, if option ``auto_associate_default_firewall_group`` is enabled in 9 | neutron_fwaas.conf like: 10 | 11 | [fwaas] 12 | auto_associate_default_firewall_group = True 13 | 14 | Then, the default firewall group will be applied to all new VM ports. 15 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1702242-c917c832ac2fa4e1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | [`bug 1702242 `__] 5 | Port range specification of a firewall rule now works as expected 6 | with the reference L3 agent based implementation. 7 | Previously, when creating a firewall rule with port range like 8 | ``8778:9000``, the rule was not deleted correctly and only entries 9 | associated with the first port number were cleaned up. 10 | Note that this bug only applies to the reference L3 agent 11 | based implementation. 
12 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1746404-493a66faac333403.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | For the security of VM instances, the option to disable automatic 4 | association with the default firewall group has been removed. 5 | Therefore, `auto_associate_default_firewall_group` has been removed. 6 | fixes: 7 | - | 8 | Previously there was no validation to check whether an updated port belongs to a VM. 9 | After this fix, default firewall group association is called only for 10 | VM ports which are newly created. 11 | -------------------------------------------------------------------------------- /releasenotes/notes/bug-1799358-360c6ab27a32e0ac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | There was no way to define default firewall group rules. 5 | Default firewall group rules can now be defined in neutron_fwaas.conf 6 | in section ``default_fwg_rules``. 7 | By default, the rules are the same as the previously hard-coded values. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/cisco-fwaas-driver-move-8f46325d13c93543.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | The Cisco Firewall Driver is being moved from the 4 | FWaaS repo to the Cisco specific repo: 5 | https://github.com/openstack/networking-cisco 6 | upgrade: 7 | - The Cisco FWaaS driver will not be available from 8 | the neutron-fwaas repo in Newton. For the Cisco 9 | FWaaS driver, refer to the openstack/networking-cisco 10 | repo. 
11 | 12 | -------------------------------------------------------------------------------- /releasenotes/notes/coexistence-between-sg-and-fwg-1f77a755539a9463.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | Coexistence between security group and firewall group. 4 | features: 5 | - The OVS-based L2 firewall group driver can work in coexistence mode. 6 | That means, if a port is associated with both a firewall group and a 7 | security group, then a packet must be allowed by both features. 8 | other: 9 | - If a port is associated with both a firewall group and a security group, and 10 | security group logging is enabled to collect ``DROP`` 11 | events for this port, then for performance reasons most invalid packets are dropped at 12 | the firewall group; the exception is the first dropped packet, which 13 | is allowed by the firewall group but not accepted by the security group. So not 14 | every dropped packet will be logged (as it would be when the security group 15 | works in standalone mode), and the ``DROP`` log for such a port is not a complete record of dropped traffic. 16 | 17 | -------------------------------------------------------------------------------- /releasenotes/notes/config-file-generation-265c5256668a26bf.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | Generation of sample Neutron FWaaS configuration files. 4 | features: 5 | - Neutron FWaaS no longer includes static example configuration files. 6 | Instead, use tools/generate_config_file_samples.sh to generate them. 7 | The files are generated with a .sample extension. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/deprecate-neutron-fwaas-as-stadium-project-934d6acb3e824249.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | Neutron-fwaas project is now deprecated in the Neutron stadium. 
4 | deprecations: 5 | - | 6 | Due to lack of maintainers neutron-fwaas project is now deprecated in the 7 | Neutron stadium. There is no planned releases of this project in the 8 | ``Victoria`` cycle. 9 | In ``W`` cycle project will be moved out from the stadium to the unofficial 10 | OpenStack projects. 11 | If You want to step in and be maintainer of this project to keep it in the 12 | Neutron stadium, please contact the ``neutron team`` via 13 | openstack-discuss@lists.openstack.org or IRC channel #openstack-neutron 14 | @freenode. 15 | -------------------------------------------------------------------------------- /releasenotes/notes/drop-python-2-7-73d3113c69d724c1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | Python 2.7 support has been dropped. The minimum version of Python now 5 | supported by neutron-fwaas is Python 3.6. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/drop-python-3-6-and-3-7-b1cf8738aaab988f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | Python 3.6 & 3.7 support has been dropped. The minimum version of Python now 5 | supported is Python 3.8. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/enable-quotas-a3d0a21743bb1985.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | Enable quotas for FWaaS. 4 | features: 5 | - The FWaaS extension will register quotas. 6 | The default values for quota_firewall and 7 | quota_firewall_policy are set to 10. 8 | The default value for quota_firewall_rule 9 | is set to 100. 10 | Quotas can be adjusted in the conf files, including 11 | -1 values to allow unlimited. 
12 | issues: 13 | - Tenants may receive a 409 Conflict error with a 14 | message body containing a quota exceeded message 15 | during resource creation if their quota is exceeded. 16 | other: 17 | - Operators that increase the default limit for quota_routers 18 | from 10 may want to bump FWaaS quotas as well, since with 19 | router insertion a tenant can potentially have a unique 20 | policy and firewall for each router. 21 | -------------------------------------------------------------------------------- /releasenotes/notes/fix-fwaas-log-duplication-85159dc33e43f095.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | The logging configuration for Neutron 5 | Firewall as a Service (FWaaS) has been 6 | enhanced to allow better control over 7 | log output destinations. Specifically, 8 | when a custom log file is specified using 9 | the network_log.local_output_log_base option, 10 | logs will no longer be duplicated in the 11 | default neutron-l3-agent.log file. 12 | -------------------------------------------------------------------------------- /releasenotes/notes/fwaas-config-9c780ccfb0e7887f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - Neutron Firewall as a Service can be configured by the users 4 | with the newly introduced fwaas configuration file. 5 | -------------------------------------------------------------------------------- /releasenotes/notes/fwaas-v2-logging-79cbaa43ff17f47f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | Resource type **firewall group** has been supported for neutron packet 4 | logging framework. You can specify firewall group as ``--resource-type`` 5 | for logging API. 6 | features: 7 | - | 8 | Enable to collect network packet log for ACCEPT/DROP action from firewall 9 | groups. Currently, packet logging supports only L3(router) ports. 
10 | issues: 11 | - | 12 | [`bug 1720727 `__] 13 | Currently, we cannot specify the following combination on CLI due to 14 | missing validation of --resource-type: 15 | 16 | - --resource-type firewall_group --resource 17 | - --resource-type firewall_group --resource --target 18 | 19 | Therefore, you can only run with following combinations: 20 | 21 | - --resource-type firewall_group --target 22 | - --resource-type firewall_group 23 | -------------------------------------------------------------------------------- /releasenotes/notes/fwaas_v2-374471c215af0ca0.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | The FWaaS team is pleased to release FWaaS v2.0. This release of FWaaS 4 | supports either the original FWaaS v1 or the new FWaaS v2. 5 | features: 6 | - In FWaaS v2 firewall policies are applied to router ports, as opposed to 7 | applying to routers in FWaaS v1. 8 | - Earlier the FWaaS agent integrated with the L3 agent by having the L3 Agent 9 | class inherit from the FWaaS Agent class. This meant that other service 10 | agents could not also integrate with the L3 agent. Now, using the L3 agent 11 | extensions mechanism, FWaaS (v1 and v2) plugs in to the L3 agent. This 12 | means that it can interoperate peacefully with other L3 advanced services 13 | that also implement the L3 agent extension mechanism, all without any code 14 | changes to Neutron. 15 | upgrade: 16 | - There is not currently a defined upgrade path from FWaaS v1 to FWaaS v2. 17 | - FWaaS v1 can not be enabled at the same time as FWaaS v2; one or the other 18 | must be chosen. 
19 | -------------------------------------------------------------------------------- /releasenotes/notes/mcafee-fwaas-driver-removal-8915271e5d4288cf.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | - The McAfee Firewall Driver is being removed from the FWaaS repo, 4 | due to lack of active maintainers. 5 | upgrade: 6 | - The McAfee Firewall Driver will not be available for use in the 7 | Newton release. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/ovs-firewall-driver-c347ea0a560b7e38.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | issues: 3 | - | 4 | Currently, the FWaaSv2 L2 driver can be configured as: 5 | 6 | ``firewall_driver = ovs`` 7 | 8 | And the Security Group driver is specified as: 9 | 10 | ``firewall_driver = openvswitch`` 11 | 12 | If both are configured, packets still hit only the FWaaS table in 13 | OVS and do not traverse the rules in the SG table, so security group rules are not applied to them. Some fixes 14 | needed to support this model are being tested and will be merged 15 | shortly. Currently nothing checks that only one of FWaaS L2 or SG 16 | is configured. 17 | -------------------------------------------------------------------------------- /releasenotes/notes/remove-v1-to-v2-migration-4c5b7f60c6843739.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The ``neutron-fwaas-migrate-v1-to-v2`` tool has been removed. The migration 5 | should be completed before Neutron FWaaS is upgraded. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/remove_fwaas_v1-15c6e19484f46d1b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | - FWaaS V1 is being removed from the neutron-fwaas repo. 
Because FWaaS V2 4 | has been available since the Newton release. 5 | upgrade: 6 | - The FWaaS V1 source code will not be available in the neutron-fwaas repo from 7 | Stein. 8 | neutron-fwaas-migrate-v1-to-v2 can be used for migrating V1 objects to the V2 model. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/s-rbac-api-policies-added-4dc1db4ff91fbbed.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Neutron-fwaas API policies now support S-RBAC roles. 5 | deprecations: 6 | - | 7 | Old API policies are now deprecated, and new policies, aligned with S-RBAC 8 | roles, are now used for the neutron-fwaas APIs by default. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/support-l3-firewall-for-ovn-driver-3f5632ad13cf35fd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - L3 stateless firewall support for ML2/OVN driver is implemented. 4 | issues: 5 | - | 6 | If the user configures stateful security group rules for VM ports and 7 | stateless L3 firewall rules for gateway ports like this: 8 | 9 | - SG ingress rules: --remote_ip_prefix 0.0.0.0/0 10 | - FW ingress rules: --destination_ip_address 0.0.0.0/0 --action allow 11 | 12 | These rules only open ingress traffic so that another network can access the VM, but the 13 | reply traffic (egress direction) also passes because it matches the 14 | committed conntrack entry. 15 | So the stateless L3 firewall only works well when the VMs use stateless security groups. 
16 | -------------------------------------------------------------------------------- /releasenotes/notes/validation_if_port_is_supported-639d0df705eb67f9.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | Validating if a port is supported by FWaaS V2 4 | fixes: 5 | - | 6 | [`bug 1746855 `__] 7 | Now, FWaaS V2 will validate if a port is supported before adding it 8 | to a FWG. This helps to make sure FWaaS V2 API works as expected. -------------------------------------------------------------------------------- /releasenotes/notes/varmour-fwaas-driver-removal-f7aa304a4544134a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | - The vArmour Firewall Driver is being removed from the FwaaS repo, 4 | as per decision to remove vendor drivers from the community repo. 5 | upgrade: 6 | - The vArmour Firewall Driver will not be available for use in the 7 | Newton release. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/vyatta-fwaas-driver-removal-e38e6ecde5105084.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | prelude: > 3 | - The vyatta Firewall Driver is being removed from the FwaaS repo, 4 | as per decision to remove vendor drivers from the community repo. 5 | upgrade: 6 | - The vyatta Firewall Driver will not be available for use in the 7 | Newton release from the community repo. 8 | -------------------------------------------------------------------------------- /releasenotes/source/2023.1.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | 2023.1 Series Release Notes 3 | =========================== 4 | 5 | .. 
release-notes:: 6 | :branch: unmaintained/2023.1 7 | -------------------------------------------------------------------------------- /releasenotes/source/2023.2.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | 2023.2 Series Release Notes 3 | =========================== 4 | 5 | .. release-notes:: 6 | :branch: stable/2023.2 7 | -------------------------------------------------------------------------------- /releasenotes/source/2024.1.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | 2024.1 Series Release Notes 3 | =========================== 4 | 5 | .. release-notes:: 6 | :branch: stable/2024.1 7 | -------------------------------------------------------------------------------- /releasenotes/source/2024.2.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | 2024.2 Series Release Notes 3 | =========================== 4 | 5 | .. release-notes:: 6 | :branch: stable/2024.2 7 | -------------------------------------------------------------------------------- /releasenotes/source/2025.1.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | 2025.1 Series Release Notes 3 | =========================== 4 | 5 | .. 
release-notes:: 6 | :branch: stable/2025.1 7 | -------------------------------------------------------------------------------- /releasenotes/source/_static/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/releasenotes/source/_static/.placeholder -------------------------------------------------------------------------------- /releasenotes/source/_templates/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openstack/neutron-fwaas/001abb4eca104c0178c4b3951b867901e8fb58df/releasenotes/source/_templates/.placeholder -------------------------------------------------------------------------------- /releasenotes/source/index.rst: -------------------------------------------------------------------------------- 1 | ============================= 2 | Neutron FWaaS Release Notes 3 | ============================= 4 | 5 | .. toctree:: 6 | :maxdepth: 1 7 | 8 | unreleased 9 | 2025.1 10 | 2024.2 11 | 2024.1 12 | 2023.2 13 | 2023.1 14 | zed 15 | stein 16 | rocky 17 | queens 18 | pike 19 | ocata 20 | newton 21 | mitaka 22 | liberty 23 | -------------------------------------------------------------------------------- /releasenotes/source/liberty.rst: -------------------------------------------------------------------------------- 1 | ============================== 2 | Liberty Series Release Notes 3 | ============================== 4 | 5 | .. release-notes:: 6 | :branch: origin/stable/liberty 7 | -------------------------------------------------------------------------------- /releasenotes/source/locale/fr/LC_MESSAGES/releasenotes.po: -------------------------------------------------------------------------------- 1 | # Gérald LONLAS , 2016. 
#zanata 2 | msgid "" 3 | msgstr "" 4 | "Project-Id-Version: Neutron FWaaS Release Notes 11.0.0\n" 5 | "Report-Msgid-Bugs-To: \n" 6 | "POT-Creation-Date: 2017-08-16 20:31+0000\n" 7 | "MIME-Version: 1.0\n" 8 | "Content-Type: text/plain; charset=UTF-8\n" 9 | "Content-Transfer-Encoding: 8bit\n" 10 | "PO-Revision-Date: 2016-10-22 05:48+0000\n" 11 | "Last-Translator: Gérald LONLAS \n" 12 | "Language-Team: French\n" 13 | "Language: fr\n" 14 | "X-Generator: Zanata 3.9.6\n" 15 | "Plural-Forms: nplurals=2; plural=(n > 1)\n" 16 | 17 | msgid "7.0.2" 18 | msgstr "7.0.2" 19 | 20 | msgid "7.1.1" 21 | msgstr "7.1.1" 22 | 23 | msgid "8.0.0" 24 | msgstr "8.0.0" 25 | 26 | msgid "9.0.0" 27 | msgstr "9.0.0" 28 | 29 | msgid "9.0.0.0b2" 30 | msgstr "9.0.0.0b2" 31 | 32 | msgid "9.0.0.0b3" 33 | msgstr "9.0.0.0b3" 34 | 35 | msgid "9.0.0.0rc1" 36 | msgstr "9.0.0.0rc1" 37 | 38 | msgid "Current Series Release Notes" 39 | msgstr "Note de la release actuelle" 40 | 41 | msgid "Known Issues" 42 | msgstr "Problèmes connus" 43 | 44 | msgid "Liberty Series Release Notes" 45 | msgstr "Note de release pour Liberty" 46 | 47 | msgid "Mitaka Series Release Notes" 48 | msgstr "Note de release pour Mitaka" 49 | 50 | msgid "Neutron FWaaS Release Notes" 51 | msgstr "Note de release de Neutron FWaaS" 52 | 53 | msgid "New Features" 54 | msgstr "Nouvelles fonctionnalités" 55 | 56 | msgid "Newton Series Release Notes" 57 | msgstr "Note de release pour Newton" 58 | 59 | msgid "Other Notes" 60 | msgstr "Autres notes" 61 | 62 | msgid "Start using reno to manage release notes." 
63 | msgstr "Commence à utiliser reno pour la gestion des notes de release" 64 | 65 | msgid "Upgrade Notes" 66 | msgstr "Notes de mises à jours" 67 | -------------------------------------------------------------------------------- /releasenotes/source/mitaka.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Mitaka Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: origin/stable/mitaka 7 | -------------------------------------------------------------------------------- /releasenotes/source/newton.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Newton Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: origin/stable/newton 7 | -------------------------------------------------------------------------------- /releasenotes/source/ocata.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Ocata Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: origin/stable/ocata 7 | -------------------------------------------------------------------------------- /releasenotes/source/pike.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Pike Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: stable/pike 7 | -------------------------------------------------------------------------------- /releasenotes/source/queens.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Queens Series Release Notes 3 | =================================== 4 | 5 | .. 
release-notes:: 6 | :branch: stable/queens 7 | -------------------------------------------------------------------------------- /releasenotes/source/rocky.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Rocky Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: stable/rocky 7 | -------------------------------------------------------------------------------- /releasenotes/source/stein.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Stein Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: stable/stein 7 | -------------------------------------------------------------------------------- /releasenotes/source/unreleased.rst: -------------------------------------------------------------------------------- 1 | ============================== 2 | Current Series Release Notes 3 | ============================== 4 | 5 | .. release-notes:: 6 | -------------------------------------------------------------------------------- /releasenotes/source/zed.rst: -------------------------------------------------------------------------------- 1 | ======================== 2 | Zed Series Release Notes 3 | ======================== 4 | 5 | .. release-notes:: 6 | :branch: unmaintained/zed 7 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | # Requirements lower bounds listed here are our best effort to keep them up to 2 | # date but we do not test them so no guarantee of having them all correct. If 3 | # you find any incorrect lower bounds, let us know or propose a fix. 
4 | eventlet!=0.18.3,!=0.20.1,>=0.18.2 # MIT 5 | netaddr>=0.7.18 # BSD 6 | SQLAlchemy>=1.4.23 # MIT 7 | alembic>=1.6.5 # MIT 8 | neutron-lib>=3.6.1 # Apache-2.0 9 | os-ken >= 0.3.0 # Apache-2.0 10 | oslo.concurrency>=3.26.0 # Apache-2.0 11 | oslo.config>=5.2.0 # Apache-2.0 12 | oslo.db>=4.37.0 # Apache-2.0 13 | oslo.log>=3.36.0 # Apache-2.0 14 | oslo.messaging>=5.29.0 # Apache-2.0 15 | oslo.service!=1.28.1,>=1.24.0 # Apache-2.0 16 | oslo.utils>=3.33.0 # Apache-2.0 17 | oslo.privsep>=1.32.0 # Apache-2.0 18 | pyroute2>=0.7.2;sys_platform!='win32' # Apache-2.0 (+ dual licensed GPL2) 19 | neutron>=23.0.0.0b2 # Apache-2.0 20 | pyzmq>=14.3.1 # LGPL+BSD 21 | 22 | # The comment below indicates this project repo is current with neutron-lib 23 | # and should receive neutron-lib consumption patches as they are released 24 | # in neutron-lib. It also implies the project will stay current with TC 25 | # and infra initiatives ensuring consumption patches can land. 26 | # neutron-lib-current 27 | -------------------------------------------------------------------------------- /roles/configure_functional_tests/README.rst: -------------------------------------------------------------------------------- 1 | Configure host to run on it Neutron functional/fullstack tests 2 | 3 | **Role Variables** 4 | 5 | .. zuul:rolevar:: tests_venv 6 | :default: {{ tox_envlist }} 7 | 8 | .. zuul:rolevar:: project_name 9 | :default: neutron 10 | 11 | .. zuul:rolevar:: base_dir 12 | :default: {{ ansible_user_dir }}/src/opendev.org 13 | 14 | .. zuul:rolevar:: gate_dest_dir 15 | :default: {{ base_dir }}/openstack 16 | 17 | .. zuul:rolevar:: devstack_dir 18 | :default: {{ base_dir }}/openstack/devstack 19 | 20 | .. zuul:rolevar:: neutron_dir 21 | :default: {{ gate_dest_dir }}/neutron 22 | 23 | .. 
zuul:rolevar:: neutron_fwaas_dir 24 | :default: {{ gate_dest_dir }}/neutron-fwaas 25 | -------------------------------------------------------------------------------- /roles/configure_functional_tests/defaults/main.yaml: -------------------------------------------------------------------------------- 1 | tests_venv: "{{ tox_envlist }}" 2 | project_name: "neutron" 3 | base_dir: "{{ ansible_user_dir }}/src/opendev.org" 4 | gate_dest_dir: "{{ base_dir }}/openstack" 5 | devstack_dir: "{{ base_dir }}/openstack/devstack" 6 | neutron_dir: "{{ gate_dest_dir }}/neutron" 7 | neutron_fwaas_dir: "{{ gate_dest_dir }}/neutron-fwaas" 8 | -------------------------------------------------------------------------------- /roles/configure_functional_tests/tasks/main.yaml: -------------------------------------------------------------------------------- 1 | - shell: 2 | cmd: | 3 | set -e 4 | set -x 5 | GATE_STACK_USER={{ ansible_user }} 6 | IS_GATE=True 7 | 8 | BASE_DIR={{ base_dir }} 9 | GATE_DEST={{ gate_dest_dir }} 10 | PROJECT_NAME={{ project_name }} 11 | NEUTRON_PATH={{ neutron_dir }} 12 | NEUTRON_FWAAS_PATH={{ neutron_fwaas_dir }} 13 | DEVSTACK_PATH={{ devstack_dir }} 14 | VENV={{ tests_venv }} 15 | 16 | source $DEVSTACK_PATH/functions 17 | source $DEVSTACK_PATH/lib/neutron_plugins/ovs_source 18 | source $NEUTRON_FWAAS_PATH/tools/configure_for_fwaas_func_testing.sh 19 | 20 | configure_host_for_fwaas_func_testing 21 | executable: /bin/bash 22 | -------------------------------------------------------------------------------- /setup.cfg: -------------------------------------------------------------------------------- 1 | [metadata] 2 | name = neutron-fwaas 3 | summary = OpenStack Networking FWaaS 4 | description_file = 5 | README.rst 6 | author = OpenStack 7 | author_email = openstack-discuss@lists.openstack.org 8 | home_page = https://docs.openstack.org/neutron-fwaas/latest/ 9 | python_requires = >=3.9 10 | classifier = 11 | Environment :: OpenStack 12 | Intended Audience :: 
Information Technology 13 | Intended Audience :: System Administrators 14 | License :: OSI Approved :: Apache Software License 15 | Operating System :: POSIX :: Linux 16 | Programming Language :: Python 17 | Programming Language :: Python :: 3 18 | Programming Language :: Python :: 3.9 19 | Programming Language :: Python :: 3.10 20 | Programming Language :: Python :: 3.11 21 | Programming Language :: Python :: 3.12 22 | Programming Language :: Python :: 3 :: Only 23 | 24 | [files] 25 | packages = 26 | neutron_fwaas 27 | 28 | data_files = 29 | etc/neutron/rootwrap.d = 30 | etc/neutron/rootwrap.d/fwaas-privsep.filters 31 | 32 | [entry_points] 33 | firewall_drivers = 34 | iptables_v2 = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2:IptablesFwaasDriver 35 | neutron.service_plugins = 36 | firewall_v2 = neutron_fwaas.services.firewall.fwaas_plugin_v2:FirewallPluginV2 37 | 38 | neutron.db.alembic_migrations = 39 | neutron-fwaas = neutron_fwaas.db.migration:alembic_migrations 40 | oslo.config.opts = 41 | neutron.fwaas = neutron_fwaas.opts:list_opts 42 | firewall.agent = neutron_fwaas.opts:list_agent_opts 43 | oslo.policy.policies = 44 | neutron-fwaas = neutron_fwaas.policies:list_rules 45 | neutron.policies = 46 | neutron-fwaas = neutron_fwaas.policies:list_rules 47 | neutron.agent.l2.extensions = 48 | fwaas_v2 = neutron_fwaas.services.firewall.service_drivers.agents.l2.fwaas_v2:FWaaSV2AgentExtension 49 | neutron.agent.l2.firewall_drivers = 50 | noop = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.noop.noop_driver:NoopFirewallL2Driver 51 | ovs = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall:OVSFirewallDriver 52 | neutron.agent.l3.extensions = 53 | fwaas_v2 = neutron_fwaas.services.firewall.service_drivers.agents.l3reference.firewall_l3_agent_v2:L3WithFWaaS 54 | fwaas_v2_log = neutron_fwaas.services.logapi.agents.l3.fwg_log:FWaaSL3LoggingExtension 55 | 
neutron.agent.l3.firewall_drivers = 56 | conntrack = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.legacy_conntrack:ConntrackLegacy 57 | netlink_conntrack = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.netlink_conntrack:ConntrackNetlink 58 | neutron.services.logapi.drivers = 59 | fwaas_v2_log = neutron_fwaas.services.logapi.agents.drivers.iptables.log:IptablesLoggingDriver 60 | neutron.status.upgrade.checks = 61 | neutron_fwaas = neutron_fwaas.cmd.upgrade_checks.checks:Checks 62 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2013 Hewlett-Packard Development Company, L.P. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 12 | # implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
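import setuptools


setuptools.setup(
    setup_requires=['pbr>=2.0.0'],
    pbr=True)
--------------------------------------------------------------------------------
/test-requirements.txt:
--------------------------------------------------------------------------------
hacking>=6.1.0,<6.2.0 # Apache-2.0

coverage!=4.4,>=4.0 # Apache-2.0
python-subunit>=1.0.0 # Apache-2.0/BSD
requests-mock>=1.2.0 # Apache-2.0
stestr>=1.0.0 # Apache-2.0
testresources>=2.0.0 # Apache-2.0/BSD
testtools>=2.2.0 # MIT
testscenarios>=0.4 # Apache-2.0/BSD
WebOb>=1.8.2 # MIT
WebTest>=2.0.27 # MIT
oslotest>=3.2.0 # Apache-2.0
pylint==2.17.4 # GPLv2
PyMySQL>=0.7.6 # MIT License
psycopg2>=2.7.3 # LGPL/ZPL
ddt>=1.0.1 # MIT
doc8>=0.6.0 # Apache-2.0
Pygments>=2.2.0 # BSD
--------------------------------------------------------------------------------
/tools/check_unit_test_structure.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# This script identifies the unit test modules that do not correspond
# directly with a module in the code tree. See TESTING.rst for the
# intended structure.
#
# Exit status: 0 when every test module maps to a module or package in the
# code tree (or is covered by ignore_regexes), 1 otherwise.

neutron_path=$(cd "$(dirname "$0")/.." && pwd)
base_test_path=neutron_fwaas/tests/unit
test_path=$neutron_path/$base_test_path

test_files=$(find "${test_path}" -iname 'test_*.py')

# Paths, relative to the unit test root, that may lack a matching module.
# Bash separates array elements by whitespace only: a comma after an element
# becomes part of that pattern, and a pattern ending in "$," can never match.
ignore_regexes=(
    "^plugins.*$"
    "^misc.*$"
)

error_count=0
ignore_count=0
total_count=0
# The find output is split on whitespace on purpose; test paths are not
# expected to contain spaces.
for test_file in ${test_files[@]}; do
    relative_path=${test_file#$test_path/}
    expected_path=$(dirname "$neutron_path/neutron_fwaas/$relative_path")
    test_filename=$(basename "$test_file")
    expected_filename=${test_filename#test_}
    # Module filename (e.g. foo/bar.py -> foo/test_bar.py)
    filename=$expected_path/$expected_filename
    # Package dir (e.g. foo/ -> test_foo.py)
    package_dir=${filename%.py}
    if [ ! -f "$filename" ] && [ ! -d "$package_dir" ]; then
        for ignore_regex in "${ignore_regexes[@]}"; do
            if [[ "$relative_path" =~ $ignore_regex ]]; then
                ((ignore_count++))
                # Ignored modules are counted neither as errors nor in the
                # total: "continue 2" skips the rest of the outer iteration.
                continue 2
            fi
        done
        echo "Unexpected test file: $base_test_path/$relative_path"
        ((error_count++))
    fi
    ((total_count++))
done

if [ "$ignore_count" -ne 0 ]; then
    echo "$ignore_count unmatched test modules were ignored"
fi

if [ "$error_count" -eq 0 ]; then
    echo 'Success! All test modules match targets in the code tree.'
    exit 0
else
    echo "Failure! $error_count of $total_count test modules do not match targets in the code tree."
    exit 1
fi
--------------------------------------------------------------------------------
/tools/clean.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
rm -rf ./*.deb ./*.tar.gz ./*.dsc ./*.changes
rm -rf */*.deb
rm -rf ./plugins/**/build/ ./plugins/**/dist
rm -rf ./plugins/**/lib/neutron_*_plugin.egg-info ./plugins/neutron-*
--------------------------------------------------------------------------------
/tools/configure_for_fwaas_func_testing.sh:
--------------------------------------------------------------------------------
set -e


IS_GATE=${IS_GATE:-False}
USE_CONSTRAINT_ENV=${USE_CONSTRAINT_ENV:-False}
PROJECT_NAME=${PROJECT_NAME:-neutron-fwaas}
REPO_BASE=${GATE_DEST:-$(cd $(dirname "$BASH_SOURCE")/../..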
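&& pwd)}

source $REPO_BASE/neutron/tools/configure_for_func_testing.sh
NEUTRON_FWAAS_DIR=$REPO_BASE/neutron-fwaas
source $NEUTRON_FWAAS_DIR/devstack/plugin.sh

# Install the conntrack command-line package under the name the host
# distribution uses for it.
function _install_fw_package {
    echo_summary "Installing fw packs"
    if is_ubuntu; then
        install_package conntrack
    else
        # EPEL
        install_package conntrack-tools
    fi
}

# Prepare the host for the FWaaS functional tests. In the gate the generic
# neutron host setup runs first; the firewall package is installed always.
function configure_host_for_fwaas_func_testing {
    echo_summary "Configuring for Fwaas functional testing"
    if [ "$IS_GATE" == "True" ]; then
        configure_host_for_func_testing
    fi
    _install_fw_package
}


# Outside the gate, sourcing this file configures the host immediately.
if [ "$IS_GATE" != "True" ]; then
    configure_host_for_fwaas_func_testing
fi
--------------------------------------------------------------------------------
/tools/deploy_rootwrap.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# Deploys the rootwrap configuration of Neutron and Neutron FWaaS into a
# target tree. The filter files copied here decide which commands rootwrap
# will run with elevated privileges, so the target etc and bin paths should
# be writable only by the account that administers the host.

set -eu

if [ "$#" -ne 3 ]; then
    >&2 echo "Usage: $0 /path/to/neutron_fwaas /path/to/target/etc /path/to/target/bin
Deploy Neutron FWaaS's rootwrap configuration.

Warning: Any existing rootwrap files at the specified etc path will be
removed by this script.

Optional: set OS_SUDO_TESTING=1 to deploy the filters required by
Neutron's functional testing suite."
    exit 1
fi

OS_SUDO_TESTING=${OS_SUDO_TESTING:-0}

# OS_NEUTRON_PATH has no default. Under `set -u` an unset value already
# aborts the script; the explicit check names the missing variable and also
# rejects an empty value, which would otherwise make the source paths
# resolve under the filesystem root.
neutron_path=${OS_NEUTRON_PATH:?OS_NEUTRON_PATH must be set to the neutron source tree}
fwaas_path=$1
target_etc_path=$2
target_bin_path=$3

src_conf_path=${neutron_path}/etc
src_conf=${src_conf_path}/rootwrap.conf
src_rootwrap_path=${src_conf_path}/neutron/rootwrap.d

fwaas_src_conf_path=${fwaas_path}/etc
fwaas_src_rootwrap_path=${fwaas_src_conf_path}/neutron/rootwrap.d

dst_conf_path=${target_etc_path}/neutron
dst_conf=${dst_conf_path}/rootwrap.conf
dst_rootwrap_path=${dst_conf_path}/rootwrap.d

# Start from an empty filters directory so that a stale filter file cannot
# stay active after a redeploy. The expansion is quoted: unquoted, a target
# path containing whitespace would make rm -rf act on other paths.
if [[ -d "$dst_rootwrap_path" ]]; then
    rm -rf "${dst_rootwrap_path}"
fi
mkdir -p -m 755 "${dst_rootwrap_path}"

# cp -p keeps the mode and timestamps of the source files (ownership only
# when run with sufficient privilege); check the result before relying on it.
cp -p "${src_rootwrap_path}"/* "${fwaas_src_rootwrap_path}"/* "${dst_rootwrap_path}/"
cp -p "${src_conf}" "${dst_conf}"
# Both substitutions use ':' as the sed delimiter and interpolate a path:
# a path containing ':', '&' or a backslash would corrupt the result.
sed -i "s:^filters_path=.*$:filters_path=${dst_rootwrap_path}:" "${dst_conf}"
# Appending to exec_dirs lets rootwrap resolve commands from the target bin
# path, so that directory must not be writable by unprivileged users.
sed -i "s:^\(exec_dirs=.*\)$:\1,${target_bin_path}:" "${dst_conf}"

if [[ "$OS_SUDO_TESTING" = "1" ]]; then
    # Test-only settings: debug-level syslog and the extra filter files of
    # the functional test suites.
    # NOTE(review): presumably these filters allow more than the production
    # set; keep OS_SUDO_TESTING unset on production hosts.
    sed -i 's/use_syslog=False/use_syslog=True/g' "${dst_conf}"
    sed -i 's/syslog_log_level=ERROR/syslog_log_level=DEBUG/g' "${dst_conf}"
    cp -p "${neutron_path}/neutron/tests/contrib/testing.filters" \
        "${dst_rootwrap_path}/"
    cp -p "${fwaas_path}/neutron_fwaas/tests/contrib/functional-testing.filters" \
        "${dst_rootwrap_path}/"
fi
--------------------------------------------------------------------------------
/tools/generate_config_file_samples.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.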
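# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# Runs oslo-config-generator once for every generator configuration file
# under etc/oslo-config-generator/, relative to the current directory.

set -e

GEN_CMD=oslo-config-generator

if ! type "$GEN_CMD" > /dev/null; then
    echo "ERROR: $GEN_CMD not installed on the system."
    exit 1
fi

# A glob replaces the parsed `ls` output, so file names containing
# whitespace stay intact.
for file in etc/oslo-config-generator/*; do
    # With no match the pattern stays literal; skip it so that an empty
    # directory still runs zero iterations.
    [ -e "$file" ] || continue
    $GEN_CMD --config-file="$file"
done

# Tracing is switched on only here, after the last command shown.
set -x
--------------------------------------------------------------------------------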