Implement neutron firewall v2

Closes-Bug: #1719775 Depends-On: I76803f0f81260129a242e31e81f4f956c5a44ef9 Change-Id: I675c486dda17ce5d6d5a9f665ade904f42d06611

Implement neutron firewall v2
068a45e3 · Jeffrey Zhang · 558953c8 · 068a45e3 · 068a45e3 · 068a45e3
Commit 068a45e3 authored 7 years ago by Jeffrey Zhang
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@@ -206,6 +206,9 @@ neutron_bgp_dragent_image_full: "{{ neutron_bgp_dragent_image }}:{{ neutron_bgp_
 dhcp_agents_per_network: 2
 max_l3_agents_per_router: 3

+# valid value is: ["v1", "v2"]
+neutron_fwaas_version: "v1"
+
 neutron_admin_endpoint: "{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ neutron_server_port }}"
 neutron_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ neutron_server_port }}"
 neutron_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ neutron_server_port }}"
@@ -234,7 +237,9 @@ neutron_extension_drivers: "{{ extension_drivers|selectattr('enabled', 'equalto'
 ####################
 service_plugins:
  - name: "firewall"
-    enabled: "{{ enable_neutron_fwaas | bool }}"
+    enabled: "{{ enable_neutron_fwaas | bool and neutron_fwaas_version == 'v1' }}"
+  - name: "firewall_v2"
+    enabled: "{{ enable_neutron_fwaas | bool and neutron_fwaas_version == 'v2' }}"
  - name: "flow_classifier"
    enabled: "{{ enable_neutron_sfc | bool }}"
  - name: "lbaasv2"
@@ -278,6 +283,14 @@ agent_extensions:

 neutron_agent_extensions: "{{ agent_extensions | selectattr('enabled', 'equalto', true) | list }}"

+l3_agent_extensions:
+  - name: "fwaas"
+    enabled: "{{ enable_neutron_fwaas | bool and neutron_fwaas_version == 'v1' }}"
+  - name: "fwaas_v2"
+    enabled: "{{ enable_neutron_fwaas | bool and neutron_fwaas_version == 'v2' }}"
+
+neutron_l3_agent_extensions: "{{ l3_agent_extensions | selectattr('enabled', 'equalto', true) | list }}"
+
 ####################
 # VMware NSXV
 ####################

--- a/ansible/roles/neutron/templates/fwaas_driver.ini.j2
+++ b/ansible/roles/neutron/templates/fwaas_driver.ini.j2
@@ -4,7 +4,13 @@ enabled = True
 {% if neutron_plugin_agent == 'vmware_nsxv' %}
 driver = vmware_nsxv_edge
 {% else %}
+{% if neutron_fwaas_version == 'v1' %}
+agent_version = v1
 driver = iptables
+{% elif neutron_fwaas_version == 'v2' %}
+agent_version = v2
+driver = iptables_v2
+{% endif %}

 [service_providers]
 service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default

--- a/ansible/roles/neutron/templates/l3_agent.ini.j2
+++ b/ansible/roles/neutron/templates/l3_agent.ini.j2
@@ -12,9 +12,9 @@ agent_mode = legacy
 {% if enable_neutron_agent_ha | bool %}
 ha_vrrp_health_check_interval = 5
 {% endif %}
-{% if enable_neutron_fwaas | bool %}
 [agent]
-extensions = fwaas
+{% if neutron_l3_agent_extensions %}
+extensions = "{{ neutron_l3_agent_extensions|map(attribute='name')|join(',') }}"
 {% endif %}

 [ovs]