From 0433d0846e548f38b0511e17014d67f692bd947e Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Thu, 13 Feb 2025 00:35:23 +0900
Subject: [PATCH] Replace remaining ovsfw constants

The constants were added to neutron-lib by [1] to replace existing constants about ovs firewall.

[1] 231067cabadb91eb40e44202b4f55785d5c7afe1

Change-Id: Idda072a6bd498651840e580a48af16f08ca0ab2c
---
 .../linux/openvswitch_firewall/constants.py   |  5 ---
 .../linux/openvswitch_firewall/firewall.py    | 42 ++++++++++---------
 .../agent/linux/openvswitch_firewall/rules.py |  9 ++--
 .../openvswitch_firewall/test_firewall.py     | 31 +++++++-------
 .../linux/openvswitch_firewall/test_rules.py  |  3 +-
 5 files changed, 46 insertions(+), 44 deletions(-)

diff --git a/neutron/agent/linux/openvswitch_firewall/constants.py b/neutron/agent/linux/openvswitch_firewall/constants.py
index 2bc7e71dd3a..ab33ea73408 100644
--- a/neutron/agent/linux/openvswitch_firewall/constants.py
+++ b/neutron/agent/linux/openvswitch_firewall/constants.py
@@ -31,11 +31,6 @@ OF_STATE_NOT_REPLY_NOT_NEW = "-new-rpl"
 CT_MARK_NORMAL = '0x0'
 CT_MARK_INVALID = '0x1'
 
-REG_PORT = 5
-REG_NET = 6
-# for logging remote group rule
-REG_REMOTE_GROUP = 7
-
 PROTOCOLS_WITH_PORTS = (constants.PROTO_NAME_SCTP,
                         constants.PROTO_NAME_TCP,
                         constants.PROTO_NAME_UDP)
diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index b0b10dfa153..2f0cfb5e004 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -21,6 +21,7 @@ import re
 
 import eventlet
 import netaddr
+from neutron_lib.agent.common import constants as agent_consts
 from neutron_lib.callbacks import events as callbacks_events
 from neutron_lib.callbacks import registry as callbacks_registry
 from neutron_lib.callbacks import resources as callbacks_resources
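Review bot: Deleting `REG_PORT`, `REG_NET` and `REG_REMOTE_GROUP` from constants.py drops public module names with no compatibility alias, so any consumer outside the five files in the diffstat that still reads `ovsfw_consts.REG_PORT` fails with AttributeError at first use. If out-of-tree users of this module matter, keep re-exports for a cycle, e.g. `REG_PORT = agent_consts.REG_PORT` (with the matching neutron_lib import added to this module) under a comment marking them deprecated in favour of `neutron_lib.agent.common.constants`. If the break is intended, a sentence saying so in the commit message would make that explicit.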
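Review bot: The new `from neutron_lib.agent.common import constants as agent_consts` line makes firewall.py depend on `REG_PORT`, `REG_NET`, `REG_REMOTE_GROUP` and the `*_REG_NAME` names existing in the installed neutron-lib, which the commit message ties to neutron-lib change [1]; the diffstat shows no change to requirements.txt or lower-constraints, so if the current minimum neutron-lib predates [1] the agent fails at import time rather than at first use. Worth confirming that the lower bound already covers [1], or bumping it in this change. The same applies to the import hunks in rules.py, test_firewall.py and test_rules.py.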
@@ -67,10 +68,13 @@ def _replace_register(flow_params, register_number, register_value):
 
 def create_reg_numbers(flow_params):
     """Replace reg_(port|net) values with defined register numbers"""
-    _replace_register(flow_params, ovsfw_consts.REG_PORT, 'reg_port')
-    _replace_register(flow_params, ovsfw_consts.REG_NET, 'reg_net')
     _replace_register(
-        flow_params, ovsfw_consts.REG_REMOTE_GROUP, 'reg_remote_group')
+        flow_params, agent_consts.REG_PORT, agent_consts.PORT_REG_NAME)
+    _replace_register(
+        flow_params, agent_consts.REG_NET, agent_consts.NET_REG_NAME)
+    _replace_register(
+        flow_params, agent_consts.REG_REMOTE_GROUP,
+        agent_consts.REMOTE_GROUP_REG_NAME)
 
 
 def get_segmentation_id_from_other_config(bridge, port_name):
@@ -910,10 +914,10 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             actions = ('set_field:{:d}->reg{:d},'
                        'set_field:{:d}->reg{:d},').format(
                 ofport,
-                ovsfw_consts.REG_PORT,
+                agent_consts.REG_PORT,
                 # This always needs the local vlan.
                 local_vlan,
-                ovsfw_consts.REG_NET)
+                agent_consts.REG_NET)
             if network_type == lib_const.TYPE_VLAN:
                 actions += 'strip_vlan,resubmit(,{:d})'.format(
                     ovs_consts.BASE_INGRESS_TABLE)
@@ -962,9 +966,9 @@ class OVSFirewallDriver(firewall.FirewallDriver):
                     'set_field:{:d}->reg{:d},'
                     'resubmit(,{:d})'.format(
                         port.ofport,
-                        ovsfw_consts.REG_PORT,
+                        agent_consts.REG_PORT,
                         port.vlan_tag,
-                        ovsfw_consts.REG_NET,
+                        agent_consts.REG_NET,
                         ovs_consts.BASE_EGRESS_TABLE)
         )
 
@@ -984,9 +988,9 @@ class OVSFirewallDriver(firewall.FirewallDriver):
                     'set_field:{:d}->reg{:d},'
                     'strip_vlan,resubmit(,{:d})'.format(
                         port.ofport,
-                        ovsfw_consts.REG_PORT,
+                        agent_consts.REG_PORT,
                         port.vlan_tag,
-                        ovsfw_consts.REG_NET,
+                        agent_consts.REG_NET,
                         ovs_consts.BASE_INGRESS_TABLE),
         )
 
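Review bot: `create_reg_numbers` now looks flow keys up by `agent_consts.PORT_REG_NAME`, `NET_REG_NAME` and `REMOTE_GROUP_REG_NAME`, but the driver still produces those keys as literal keyword arguments (`reg_net=port.vlan_tag` stays as context in the 1237 hunk, and `_add_flow(in_port=1, reg_port=1, reg_net=2)` in the test at 594); only rules.py moves its producers to the constants. The two spellings agree today and `TestCreateRegNumbers` pins that, but a later divergence would leave such a kwarg unreplaced, and what then reaches `br.add_flow` depends on `_replace_register` and the bridge's handling of an unknown match field, neither visible here. Either migrate the remaining literal kwargs to the constants in a follow-up or state the invariant in the docstring, which should in any case mention the third register now that the function handles it, e.g. `"""Replace the port, net and remote-group register-name keys with their reg<N> fields"""`.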
@@ -1051,9 +1055,9 @@ class OVSFirewallDriver(firewall.FirewallDriver):
                     'set_field:%d->reg%d,'
                     'resubmit(,%d)' % (
                         ovs_port.ofport,
-                        ovsfw_consts.REG_PORT,
+                        agent_consts.REG_PORT,
                         vlan_tag,
-                        ovsfw_consts.REG_NET,
+                        agent_consts.REG_NET,
                         ovs_consts.ACCEPT_OR_INGRESS_TABLE)
         )
         self._add_flow(
@@ -1131,7 +1135,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             nw_src=ip_addr,
             actions='ct(table={:d},zone=NXM_NX_REG{:d}[0..15])'.format(
                 ovs_consts.RULES_EGRESS_TABLE,
-                ovsfw_consts.REG_NET)
+                agent_consts.REG_NET)
         )
 
         # Apply mac/ip pairs for IPv6
@@ -1149,7 +1153,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             ipv6_src=ip_addr,
             actions='ct(table={:d},zone=NXM_NX_REG{:d}[0..15])'.format(
                 ovs_consts.RULES_EGRESS_TABLE,
-                ovsfw_consts.REG_NET)
+                agent_consts.REG_NET)
         )
 
         # DHCP discovery
@@ -1237,7 +1241,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             reg_net=port.vlan_tag,
             actions='set_field:{:d}->reg{:d},resubmit(,{:d})'.format(
                 port.ofport,
-                ovsfw_consts.REG_PORT,
+                agent_consts.REG_PORT,
                 ovs_consts.BASE_INGRESS_TABLE),
         )
         for ethertype in [lib_const.ETHERTYPE_IP, lib_const.ETHERTYPE_IPV6]:
@@ -1249,7 +1253,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
                 ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
                 actions='ct(commit,zone=NXM_NX_REG{:d}[0..15]),'
                         'resubmit(,{:d})'.format(
-                            ovsfw_consts.REG_NET,
+                            agent_consts.REG_NET,
                             ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
             )
         self._add_flow(
@@ -1392,7 +1396,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             ct_state=ovsfw_consts.OF_STATE_ESTABLISHED,
             actions="ct(commit,zone=NXM_NX_REG{:d}[0..15],"
                     "exec(set_field:{:s}->ct_mark))".format(
-                        ovsfw_consts.REG_NET,
+                        agent_consts.REG_NET,
                         ovsfw_consts.CT_MARK_INVALID)
         )
 
@@ -1459,7 +1463,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             ct_state=ovsfw_consts.OF_STATE_NOT_TRACKED,
             actions='ct(table={:d},zone=NXM_NX_REG{:d}[0..15])'.format(
                 ovs_consts.RULES_INGRESS_TABLE,
-                ovsfw_consts.REG_NET)
+                agent_consts.REG_NET)
         )
         self._add_flow(
             table=ovs_consts.BASE_INGRESS_TABLE,
@@ -1527,7 +1531,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             ct_state=ovsfw_consts.OF_STATE_ESTABLISHED,
             actions="ct(commit,zone=NXM_NX_REG{:d}[0..15],"
                     "exec(set_field:{:s}->ct_mark))".format(
-                        ovsfw_consts.REG_NET,
+                        agent_consts.REG_NET,
                         ovsfw_consts.CT_MARK_INVALID)
         )
 
@@ -1597,7 +1601,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             port, conj_id, direction, ethertype):
             flow['actions'] = "set_field:{:d}->reg{:d},{:s}".format(
                 flow['conj_id'],
-                ovsfw_consts.REG_REMOTE_GROUP,
+                agent_consts.REG_REMOTE_GROUP,
                 flow['actions']
             )
             self._add_flow(**flow)
diff --git a/neutron/agent/linux/openvswitch_firewall/rules.py b/neutron/agent/linux/openvswitch_firewall/rules.py
index 66e4e700c20..6fa2878155f 100644
--- a/neutron/agent/linux/openvswitch_firewall/rules.py
+++ b/neutron/agent/linux/openvswitch_firewall/rules.py
@@ -16,6 +16,7 @@
 import collections
 
 import netaddr
+from neutron_lib.agent.common import constants as agent_consts
 from neutron_lib import constants as n_consts
 from neutron_lib.plugins.ml2 import ovs_constants as ovs_consts
 
@@ -188,7 +189,7 @@ def create_flows_from_rule_and_port(rule, port, conjunction=False):
     flow_template = {
         'priority': 70 + flow_priority_offset(rule, conjunction),
         'dl_type': ovsfw_consts.ethertype_to_dl_type_map[ethertype],
-        'reg_port': port.ofport,
+        agent_consts.PORT_REG_NAME: port.ofport,
     }
 
     if is_valid_prefix(dst_ip_prefix):
@@ -312,7 +313,7 @@ def create_flows_for_ip_address_and_mac(ip_address, mac_address, direction,
 
     flow_template = {
         'dl_type': ovsfw_consts.ethertype_to_dl_type_map[ethertype],
-        'reg_net': vlan_tag,  # needed for project separation
+        agent_consts.NET_REG_NAME: vlan_tag,  # needed for project separation
     }
 
     ip_ver = utils.get_ip_version(ip_prefix)
@@ -348,7 +349,7 @@ def create_accept_flows(flow):
         flow['actions'] = (
             'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},'
             'resubmit(,{:d})'.format(
-                ovsfw_consts.REG_NET, flow['actions'],
+                agent_consts.REG_NET, flow['actions'],
                 ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
         )
         result.append(flow)
@@ -379,7 +380,7 @@ def create_conj_flows(port, conj_id, direction, ethertype):
         # The matching is redundant as it has been done by
         # conjunction(...,2/2) flows and flows can be summarized
         # without this.
-        'reg_port': port.ofport,
+        agent_consts.PORT_REG_NAME: port.ofport,
     }
     flow_template = populate_flow_common(direction, flow_template, port)
     flows = create_accept_flows(flow_template)
diff --git a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
index f2346daec38..eca3ee2acf4 100644
--- a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
+++ b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
@@ -14,6 +14,7 @@
 
 from unittest import mock
 
+from neutron_lib.agent.common import constants as agent_consts
 from neutron_lib.callbacks import events as callbacks_events
 from neutron_lib.callbacks import registry as callbacks_registry
 from neutron_lib.callbacks import resources as callbacks_resources
@@ -96,9 +97,9 @@ class TestCreateRegNumbers(base.BaseTestCase):
         flow = {'foo': 'bar', 'reg_port': 1, 'reg_net': 2,
                 'reg_remote_group': 3}
         expected_flow = {'foo': 'bar',
-                         f'reg{ovsfw_consts.REG_PORT:d}': 1,
-                         f'reg{ovsfw_consts.REG_NET:d}': 2,
-                         f'reg{ovsfw_consts.REG_REMOTE_GROUP:d}': 3}
+                         f'reg{agent_consts.REG_PORT:d}': 1,
+                         f'reg{agent_consts.REG_NET:d}': 2,
+                         f'reg{agent_consts.REG_REMOTE_GROUP:d}': 3}
         ovsfw.create_reg_numbers(flow)
         self.assertEqual(expected_flow, flow)
 
@@ -594,8 +595,8 @@ class TestOVSFirewallDriver(base.BaseTestCase):
     def test__add_flow_registers_are_replaced(self):
         self.firewall._add_flow(in_port=1, reg_port=1, reg_net=2)
         expected_calls = {'in_port': 1,
-                          f'reg{ovsfw_consts.REG_PORT:d}': 1,
-                          f'reg{ovsfw_consts.REG_NET:d}': 2}
+                          f'reg{agent_consts.REG_PORT:d}': 1,
+                          f'reg{agent_consts.REG_NET:d}': 2}
         self.mock_bridge.br.add_flow.assert_called_once_with(
             **expected_calls)
 
@@ -789,9 +790,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
                 'set_field:{:d}->reg{:d},'
                 'resubmit(,{:d})'.format(
                     port.ofport,
-                    ovsfw_consts.REG_PORT,
+                    agent_consts.REG_PORT,
                     port.vlan_tag,
-                    ovsfw_consts.REG_NET,
+                    agent_consts.REG_NET,
                     ovs_consts.BASE_EGRESS_TABLE)}
         expected_calls.append(mock.call(**call_args1))
 
@@ -805,9 +806,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
                 'set_field:{:d}->reg{:d},'
                 'strip_vlan,resubmit(,{:d})'.format(
                     port.ofport,
-                    ovsfw_consts.REG_PORT,
+                    agent_consts.REG_PORT,
                     port.vlan_tag,
-                    ovsfw_consts.REG_NET,
+                    agent_consts.REG_NET,
                     ovs_consts.BASE_INGRESS_TABLE)}
         expected_calls.append(mock.call(**call_args2))
 
@@ -821,9 +822,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
                 'set_field:{:d}->reg{:d},'
                 'resubmit(,{:d})'.format(
                     port.ofport,
-                    ovsfw_consts.REG_PORT,
+                    agent_consts.REG_PORT,
                     port.vlan_tag,
-                    ovsfw_consts.REG_NET,
+                    agent_consts.REG_NET,
                     ovs_consts.BASE_INGRESS_TABLE)}
         expected_calls.append(mock.call(**call_args2))
 
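Review bot: In the `TestCreateRegNumbers` hunk the input `flow` keeps the literal keys `'reg_port'`, `'reg_net'` and `'reg_remote_group'` while `expected_flow` switches to `agent_consts`, so this test becomes the one place that pins `PORT_REG_NAME`, `NET_REG_NAME` and `REMOTE_GROUP_REG_NAME` to the spellings firewall.py still passes as keyword arguments (see `reg_port=1, reg_net=2` in the `test__add_flow_registers_are_replaced` hunk). That is worth keeping, but the half-migrated literal will read as an oversight; a comment on the `flow = {...}` line such as `# literal keys on purpose: they pin the *_REG_NAME spellings the driver passes as kwargs` records that it is deliberate. If the names are ever meant to change freely, the firewall.py callers have to move to the constants first.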
@@ -836,9 +837,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
                 'set_field:{:d}->reg{:d},'
                 'strip_vlan,resubmit(,{:d})'.format(
                     port.ofport,
-                    ovsfw_consts.REG_PORT,
+                    agent_consts.REG_PORT,
                     port.vlan_tag,
-                    ovsfw_consts.REG_NET,
+                    agent_consts.REG_NET,
                     ovs_consts.BASE_INGRESS_TABLE)}
         expected_calls.append(mock.call(**call_args3))
         self.mock_bridge.br.add_flow.assert_has_calls(expected_calls)
@@ -1117,9 +1118,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
             'set_field:%d->reg%d,'
             'resubmit(,%d)' % (
                 self.fake_ovs_port.ofport,
-                ovsfw_consts.REG_PORT,
+                agent_consts.REG_PORT,
                 TESTING_VLAN_TAG,
-                ovsfw_consts.REG_NET,
+                agent_consts.REG_NET,
                 ovs_consts.ACCEPT_OR_INGRESS_TABLE)
         )
         calls = self.mock_bridge.br.add_flow.call_args_list
diff --git a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py
index 16d4cd9cc9c..f287e1ce308 100644
--- a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py
+++ b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py
@@ -14,6 +14,7 @@
 
 from unittest import mock
 
+from neutron_lib.agent.common import constants as agent_consts
 from neutron_lib import constants
 from neutron_lib.plugins.ml2 import ovs_constants as ovs_consts
 
@@ -395,7 +396,7 @@ class TestCreateConjFlows(base.BaseTestCase):
                          flows[0]['actions'])
         self.assertEqual("ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},"
                          "resubmit(,{:d})".format(
-                             ovsfw_consts.REG_NET, flows[0]['actions'],
+                             agent_consts.REG_NET, flows[0]['actions'],
                              ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
                          flows[1]['actions'])
 