openstack-neutron: 2014.2-42.eayunstack.dev

packaging/openstack-neutron/0089-Fix-errors-in-lbaas-L7-policy-implemetation.patch

@@ -0,0 +1,42 @@
+From 5eba9bb33fe64268951cd749296c176676c0ab0e Mon Sep 17 00:00:00 2001
+From: Hunt Xu <[email protected]>
+Date: Tue, 7 Mar 2017 10:10:02 +0800
+Subject: [PATCH 89/89] Fix errors in lbaas L7 policy implemetation
+
+Fixes: 67091dd5a ("Implement lbaas L7 policy rule model")
+
+Signed-off-by: Hunt Xu <[email protected]>
+---
+ .../alembic_migrations/versions/222931b3859d_add_lbaas_l7_tables.py     | 2 +-
+ neutron/extensions/loadbalancer_l7.py                                   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/neutron/db/migration/alembic_migrations/versions/222931b3859d_add_lbaas_l7_tables.py b/neutron/db/migration/alembic_migrations/versions/222931b3859d_add_lbaas_l7_tables.py
+index b517e3c0e..5c4a547d6 100644
+--- a/neutron/db/migration/alembic_migrations/versions/222931b3859d_add_lbaas_l7_tables.py
++++ b/neutron/db/migration/alembic_migrations/versions/222931b3859d_add_lbaas_l7_tables.py
+@@ -38,7 +38,7 @@ def upgrade():
+         'l7policies',
+         sa.Column('tenant_id', sa.String(length=255), nullable=False),
+         sa.Column('id', sa.String(length=36), nullable=False),
+-        sa.Column('pool_id', sa.String(length=36), nullable=False),
++        sa.Column('pool_id', sa.String(length=36), nullable=True),
+         sa.Column('priority', sa.Integer, nullable=False),
+         sa.Column('action', sa.Enum(*actions), nullable=False),
+         sa.Column('key', sa.String(length=255), nullable=True),
+diff --git a/neutron/extensions/loadbalancer_l7.py b/neutron/extensions/loadbalancer_l7.py
+index 909f1b25b..57aa51202 100644
+--- a/neutron/extensions/loadbalancer_l7.py
++++ b/neutron/extensions/loadbalancer_l7.py
+@@ -230,7 +230,7 @@ class Loadbalancer_l7(extensions.ExtensionDescriptor):
+         return resources
+
+     def update_attributes_map(self, attributes):
+-        super(Loadbalancer, self).update_attributes_map(
++        super(Loadbalancer_l7, self).update_attributes_map(
+             attributes, extension_attrs_map=RESOURCE_ATTRIBUTE_MAP)
+
+     def get_extended_resources(self, version):
+-- 
+2.12.0
+

packaging/openstack-neutron/0090-iptables_firewall-use-wrap-chains-and-rules-for-mete.patch

@@ -0,0 +1,121 @@
+From 9c324b301aa51bbea0860643202ccd7b85f78da7 Mon Sep 17 00:00:00 2001
+From: Hunt Xu <[email protected]>
+Date: Thu, 9 Mar 2017 12:04:21 +0800
+Subject: [PATCH 90/94] iptables_firewall: use wrap chains and rules for
+ metering
+
+Non-wrap chains/rules may cause problems.
+
+Fixes: redmine #9154
+Fixes: deaf40836 ("iptables_firewall: add firewall rules to meter instance
+port stats")
+
+Signed-off-by: Hunt Xu <[email protected]>
+---
+ neutron/agent/linux/iptables_firewall.py | 44 ++++++++++++++------------------
+ 1 file changed, 19 insertions(+), 25 deletions(-)
+
+diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
+index e0a1da757..c755cb99b 100644
+--- a/neutron/agent/linux/iptables_firewall.py
++++ b/neutron/agent/linux/iptables_firewall.py
+@@ -185,46 +185,40 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
+         # Only support IPv4
+         chains = self._metering_chain_names(port, direction)
+         for m_chain_name in chains:
+-            self.iptables.ipv4['filter'].add_chain(m_chain_name, wrap=False)
++            self.iptables.ipv4['filter'].add_chain(m_chain_name)
+
+         metering_chain, counting_in_chain, counting_chain = chains
+         # Jump to the original security group chain
+-        orig_chain_name = self.iptables.ipv4['filter']._wrap_target_chain(
+-            '$' + chain_name, True)
+-        jump_rule = '-j %s' % orig_chain_name
+-        self.iptables.ipv4['filter'].add_rule(metering_chain, jump_rule,
+-                                              wrap=False)
++        jump_rule = '-j $%s' % chain_name
++        self.iptables.ipv4['filter'].add_rule(metering_chain, jump_rule)
++
+         # Jump to the counting chains
+         counting_rules = []
+         tmp_direction = IPSET_DIRECTION[direction]
+         if self.enable_ipset:
+             counting_rules += [
+-                '-m set --match-set %s %s -j %s' % (
++                '-m set --match-set %s %s -j $%s' % (
+                     PRIVATE_IPSET_NAME, tmp_direction, counting_in_chain
+                 )
+             ]
+         else:
+             counting_rules += [
+-                '--%s %s -j %s' % (
++                '--%s %s -j $%s' % (
+                     tmp_direction, private_net, counting_in_chain
+                 )
+                 for private_net in self.private_nets
+             ]
+-        counting_rules += ['-j %s' % counting_chain]
++        counting_rules += ['-j $%s' % counting_chain]
+         for rule in counting_rules:
+-            self.iptables.ipv4['filter'].add_rule(metering_chain, rule,
+-                                                  wrap=False)
++            self.iptables.ipv4['filter'].add_rule(metering_chain, rule)
+         # Count the counting chain
+-        self.iptables.ipv4['filter'].add_rule(counting_in_chain, '',
+-                                              wrap=False)
+-        self.iptables.ipv4['filter'].add_rule(counting_chain, '',
+-                                              wrap=False)
++        self.iptables.ipv4['filter'].add_rule(counting_in_chain, '')
++        self.iptables.ipv4['filter'].add_rule(counting_chain, '')
+         return metering_chain
+
+     def _remove_metering_chains(self, port, direction):
+         for m_chain_name in self._metering_chain_names(port, direction):
+-            self.iptables.ipv4['filter'].ensure_remove_chain(
+-                m_chain_name, wrap=False)
++            self.iptables.ipv4['filter'].ensure_remove_chain(m_chain_name)
+
+     def _add_chain(self, port, direction):
+         chain_name = self._port_chain_name(port, direction)
+@@ -247,10 +241,10 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
+
+         # jump to the chain based on the device
+         jump_rules = [
+-            ['-m physdev --%s %s --physdev-is-bridged -j %s' % (
++            ['-m physdev --%s %s --physdev-is-bridged -j $%s' % (
+                 self.IPTABLES_DIRECTION[direction], device, j_chain_name)
+             ]
+-            for j_chain_name in (metering_chain_name, '$' + chain_name)]
++            for j_chain_name in (metering_chain_name, chain_name)]
+         self._add_rule_to_chain_v4v6(SG_CHAIN, *jump_rules)
+
+         if direction == EGRESS_DIRECTION:
+@@ -573,9 +567,9 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
+     def _metering_chain_names(self, port, direction):
+         return [
+             iptables_manager.get_chain_name(
+-                '%s%s' % (prefix + direction + '-', port['device'][3:]),
+-                wrap=False
+-            ) for prefix in ('metering-', 'counting-in-', 'counting-')]
++                '%s%s%s' % (
++                    prefix, CHAIN_NAME_PREFIX[direction], port['device'][3:])
++            ) for prefix in ('m', 'c', 'C')]
+
+     def filter_defer_apply_on(self):
+         if not self._defer_apply:
+@@ -637,9 +631,9 @@ class OVSHybridIptablesFirewallDriver(IptablesFirewallDriver):
+     def _metering_chain_names(self, port, direction):
+         return [
+             iptables_manager.get_chain_name(
+-                '%s%s' % (prefix + direction + '-', port['device']),
+-                wrap=False
+-            ) for prefix in ('metering-', 'counting-in-', 'counting-')]
++                '%s%s%s' % (
++                    prefix, CHAIN_NAME_PREFIX[direction], port['device'])
++            ) for prefix in ('m', 'c', 'C')]
+
+     def _get_device_name(self, port):
+         return (self.OVS_HYBRID_TAP_PREFIX + port['device'])[:LINUX_DEV_LEN]
+-- 
+2.12.1
+

packaging/openstack-neutron/0091-firewall_l3_agent-only-get-hosted-routers-info.patch

@@ -0,0 +1,37 @@
+From 003a20ecc07831fc2f3059e9cb8d76d2108851d8 Mon Sep 17 00:00:00 2001
+From: Hunt Xu <[email protected]>
+Date: Fri, 10 Mar 2017 10:02:18 +0800
+Subject: [PATCH 91/94] firewall_l3_agent: only get hosted routers' info
+
+Fixes: redmine #9588
+
+Signed-off-by: Hunt Xu <[email protected]>
+---
+ .../services/firewall/agents/l3reference/firewall_l3_agent.py | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/neutron/services/firewall/agents/l3reference/firewall_l3_agent.py b/neutron/services/firewall/agents/l3reference/firewall_l3_agent.py
+index 0d994ef5a..bedabe2bc 100644
+--- a/neutron/services/firewall/agents/l3reference/firewall_l3_agent.py
++++ b/neutron/services/firewall/agents/l3reference/firewall_l3_agent.py
+@@ -119,10 +119,13 @@ class FWaaSL3AgentRpcCallback(api.FWaaSAgentRpcCallbackMixin):
+         LOG.debug(_("%(func_name)s from agent for fw: %(fwid)s"),
+                   {'func_name': func_name, 'fwid': fw['id']})
+         try:
+-            routers = self.plugin_rpc.get_routers(context)
+-            router_info_list = self._get_router_info_list_for_tenant(
+-                routers,
+-                fw['tenant_id'])
++            router_ids = self.router_info.keys()
++            router_info_list = []
++            if router_ids:
++                routers = self.plugin_rpc.get_routers(context, router_ids)
++                router_info_list = self._get_router_info_list_for_tenant(
++                    routers,
++                    fw['tenant_id'])
+             if not router_info_list:
+                 LOG.debug(_('No Routers on tenant: %s'), fw['tenant_id'])
+                 # fw was created before any routers were added, and if a
+-- 
+2.12.1
+

packaging/openstack-neutron/0092-metering-update-external-device-of-metering-iptables.patch

@@ -0,0 +1,43 @@
+From 1e238adafcad8e91c2080a95a0d5d3b97a39befd Mon Sep 17 00:00:00 2001
+From: Hunt Xu <[email protected]>
+Date: Thu, 16 Mar 2017 14:07:57 +0800
+Subject: [PATCH 92/94] metering: update external device of metering iptables
+ rules
+
+This is required by the new mechanism introduced in commit ec41bdd6f (
+"l3_agent: implement EayunStack floating ip mechanism"). There will be
+multiple neutron ports connected to the external network in a router
+with the new mechanism. So neutron-metering iptables rules should handle
+those ports of floatingips as well.
+
+Fixes: redmine #9641
+
+Signed-off-by: Hunt Xu <[email protected]>
+---
+ neutron/services/metering/drivers/iptables/iptables_driver.py | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/neutron/services/metering/drivers/iptables/iptables_driver.py b/neutron/services/metering/drivers/iptables/iptables_driver.py
+index 9137530bf..1610bbe71 100644
+--- a/neutron/services/metering/drivers/iptables/iptables_driver.py
++++ b/neutron/services/metering/drivers/iptables/iptables_driver.py
+@@ -133,15 +133,12 @@ class IptablesMeteringDriver(abstract_driver.MeteringAbstractDriver):
+         if router_id in self.routers:
+             del self.routers[router_id]
+
+-    def get_external_device_name(self, port_id):
+-        return (EXTERNAL_DEV_PREFIX + port_id)[:self.driver.DEV_NAME_LEN]
+-
+     def _process_metering_label_rules(self, rm, rules, label_chain,
+                                       rules_chain):
+         im = rm.iptables_manager
+         if not rm.router['gw_port_id']:
+             return
+-        ext_dev = self.get_external_device_name(rm.router['gw_port_id'])
++        ext_dev = "%s+" % EXTERNAL_DEV_PREFIX
+
+         for rule in rules:
+             remote_ip = rule['remote_ip_prefix']
+-- 
+2.12.1
+