upstream/oracle/userland-gate: comparison components/openstack/neutron/files/agent/evs_l3

equal deleted inserted replaced

-:a477397bba8b
+:c9748fcc32de
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
 # Copyright 2012 VMware, Inc.  All rights reserved.
 #
-# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
 #
 import errno
 import netaddr
 from oslo.config import cfg
+from oslo_log import log as logging
-from neutron.agent.common import config
-from neutron.agent import l3_agent
+from neutron.agent.l3 import agent as l3_agent
-from neutron.agent.linux import external_process
+from neutron.agent.l3 import router_info as router
 from neutron.agent.linux import utils
 from neutron.agent.solaris import interface
+from neutron.agent.solaris import ipfilters_manager
 from neutron.agent.solaris import net_lib
 from neutron.agent.solaris import ra
+from neutron.callbacks import events
+from neutron.callbacks import registry
+from neutron.callbacks import resources
 from neutron.common import constants as l3_constants
+from neutron.common import exceptions as n_exc
 from neutron.common import utils as common_utils
-from neutron.openstack.common import log as logging
+from oslo_utils import importutils
+from oslo_log import log as logging
+import neutron_vpnaas.services.vpn.agent as neutron_vpnaas
+from neutron_vpnaas.extensions import vpnaas
+from neutron_vpnaas.services.vpn import vpn_service
 LOG = logging.getLogger(__name__)
 INTERNAL_DEV_PREFIX = 'l3i'
 EXTERNAL_DEV_PREFIX = 'l3e'
 FLOATING_IP_CIDR_SUFFIX = '/32'
-class EVSL3NATAgent(l3_agent.L3NATAgentWithStateReport):
+class SolarisRouterInfo(router.RouterInfo):
-OPTS = [
-cfg.StrOpt('external_network_datalink', default='net0',
+def __init__(self, router_id, router, agent_conf, interface_driver,
-help=_("Name of the datalink that connects to "
+use_ipv6=False):
-"an external network.")),
+super(SolarisRouterInfo, self).__init__(router_id, router, agent_conf,
-cfg.BoolOpt('allow_forwarding_between_networks', default=False,
+interface_driver, use_ipv6)
-help=_("Allow forwarding of packets between tenant's "
+self.ipfilters_manager = ipfilters_manager.IPfiltersManager()
-"networks")),
+self.iptables_manager = None
-]
+self.remove_route = False
-def __init__(self, host, conf=None):
+def initialize(self, process_monitor):
-cfg.CONF.register_opts(self.OPTS)
+"""Initialize the router on the system.
-cfg.CONF.register_opts(interface.OPTS)
-super(EVSL3NATAgent, self).__init__(host=host, conf=conf)
+This differs from __init__ in that this method actually affects the
+system creating namespaces, starting processes, etc.  The other merely
-def _router_added(self, router_id, router):
+initializes the python object.  This separates in-memory object
-ri = l3_agent.RouterInfo(router_id, None,
+initialization from methods that actually go do stuff to the system.
-self.conf.use_namespaces, router)
-self.router_info[router_id] = ri
+:param process_monitor: The agent's process monitor instance.
-if self.conf.enable_metadata_proxy:
-self._spawn_metadata_proxy(ri.router_id, ri.ns_name)
-def _router_removed(self, router_id):
-ri = self.router_info.get(router_id)
-if ri is None:
-LOG.warn(_("Info for router %s were not found. "
-"Skipping router removal"), router_id)
-return
-ri.router['gw_port'] = None
-ri.router[l3_constants.INTERFACE_KEY] = []
-ri.router[l3_constants.FLOATINGIP_KEY] = []
-self.process_router(ri)
-if self.conf.enable_metadata_proxy:
-self._destroy_metadata_proxy(ri.router_id, ri.ns_name)
-del self.router_info[router_id]
-def _get_metadata_proxy_process_manager(self, router_id, ns_name):
-return external_process.ProcessManager(
-self.conf,
-router_id,
-root_helper=None,
-namespace=ns_name)
-def _get_metadata_proxy_callback(self, router_id):
-"""Need to override this since we need to pass the absolute
-path to neutron-ns-metadata-proxy binary.
 """
-def callback(pid_file):
+self.process_monitor = process_monitor
-metadata_proxy_socket = cfg.CONF.metadata_proxy_socket
+self.radvd = ra.NDPD(self.router_id, self.get_internal_device_name)
-proxy_cmd = ['/usr/lib/neutron/neutron-ns-metadata-proxy',
-'--pid_file=%s' % pid_file,
+def get_internal_device_name(self, port_id):
-'--metadata_proxy_socket=%s' % metadata_proxy_socket,
+# Because of the way how dnsmasq works on Solaris, the length
-'--router_id=%s' % router_id,
+# of datalink name cannot exceed 16 (includes terminating nul
-'--state_path=%s' % self.conf.state_path,
+# character). So, the linkname can only have 15 characters and
-'--metadata_port=%s' % self.conf.metadata_port]
+# the last two characters are set aside for '_0'. So, we only
-proxy_cmd.extend(config.get_log_args(
+# have 13 characters left.
-cfg.CONF, 'neutron-ns-metadata-proxy-%s.log' %
+dname = (INTERNAL_DEV_PREFIX + port_id)[:13]
-router_id))
+dname += '_0'
-return proxy_cmd
+return dname.replace('-', '_')
-return callback
+def get_external_device_name(self, port_id):
+# please see the comment above
-def external_gateway_snat_rules(self, ex_gw_ip, internal_cidrs,
+dname = (EXTERNAL_DEV_PREFIX + port_id)[:13]
-interface_name):
+dname += '_0'
-rules = []
+return dname.replace('-', '_')
-for cidr in internal_cidrs:
-rules.append('map %s %s -> %s/32' %
+def routes_updated(self):
-(interface_name, cidr, ex_gw_ip))
+pass
-return rules
+def _get_existing_devices(self):
-def _handle_router_snat_rules(self, ri, ex_gw_port, internal_cidrs,
+return net_lib.Datalink.show_link()
-interface_name, action):
-assert not ri.router['distributed']
+def internal_network_added(self, port):
+internal_dlname = self.get_internal_device_name(port['id'])
-# Remove all the old SNAT rules
+# driver just returns if datalink and IP interface already exists
-# This is safe because if use_namespaces is set as False
+self.driver.plug(port['tenant_id'], port['network_id'], port['id'],
-# then the agent can only configure one router, otherwise
+internal_dlname)
-# each router's SNAT rules will be in their own namespace
+ip_cidrs = common_utils.fixed_ip_cidrs(port['fixed_ips'])
+self.driver.init_l3(internal_dlname, ip_cidrs)
-# get only the SNAT rules
-old_snat_rules = [rule for rule in ri.ipfilters_manager.ipv4['nat']
+# Since we support shared router model, we need to block the new
-if rule.startswith('map')]
+# internal port from reaching other tenant's ports
-ri.ipfilters_manager.remove_nat_rules(old_snat_rules)
+block_pname = self._get_ippool_name(port['mac_address'])
+self.ipfilters_manager.add_ippool(block_pname, None)
-# And add them back if the action is add_rules
+if self.agent_conf.allow_forwarding_between_networks:
-if action == 'add_rules' and ex_gw_port:
+# If allow_forwarding_between_networks is set, then we need to
-# NAT rules are added only if ex_gw_port has an IPv4 address
+# allow forwarding of packets between same tenant's ports.
-for ip_addr in ex_gw_port['fixed_ips']:
+allow_pname = self._get_ippool_name(port['mac_address'], '0')
-ex_gw_ip = ip_addr['ip_address']
+self.ipfilters_manager.add_ippool(allow_pname, None)
-if netaddr.IPAddress(ex_gw_ip).version == 4:
-rules = self.external_gateway_snat_rules(ex_gw_ip,
+# walk through the other internal ports and retrieve their
-internal_cidrs,
+# cidrs and at the same time add the new internal port's
-interface_name)
+# cidr to them
-ri.ipfilters_manager.add_nat_rules(rules)
+port_subnet = port['subnets'][0]['cidr']
-break
+block_subnets = []
+allow_subnets = []
-@common_utils.exception_logger()
+for internal_port in self.internal_ports:
-def process_router(self, ri):
+if internal_port['mac_address'] == port['mac_address']:
-# TODO(mrsmith) - we shouldn't need to check here
+continue
-if 'distributed' not in ri.router:
+if (self.agent_conf.allow_forwarding_between_networks and
-ri.router['distributed'] = False
+internal_port['tenant_id'] == port['tenant_id']):
-ex_gw_port = self._get_ex_gw_port(ri)
+allow_subnets.append(internal_port['subnets'][0]['cidr'])
-internal_ports = ri.router.get(l3_constants.INTERFACE_KEY, [])
+# we need to add the port's subnet to this internal_port's
-existing_port_ids = set([p['id'] for p in ri.internal_ports])
+# allowed_subnet_pool
+iport_allow_pname = \
+self._get_ippool_name(internal_port['mac_address'], '0')
+self.ipfilters_manager.add_ippool(iport_allow_pname,
+[port_subnet])
+else:
+block_subnets.append(internal_port['subnets'][0]['cidr'])
+iport_block_pname = \
+self._get_ippool_name(internal_port['mac_address'])
+self.ipfilters_manager.add_ippool(iport_block_pname,
+[port_subnet])
+# update the new port's pool with other ports' subnet
+self.ipfilters_manager.add_ippool(block_pname, block_subnets)
+if self.agent_conf.allow_forwarding_between_networks:
+self.ipfilters_manager.add_ippool(allow_pname, allow_subnets)
+# now setup the IPF rules
+rules = ['block in quick on %s from %s to pool/%d' %
+(internal_dlname, port_subnet, block_pname)]
+# pass in packets between networks that belong to same tenant
+if self.agent_conf.allow_forwarding_between_networks:
+rules.append('pass in quick on %s from %s to pool/%d' %
+(internal_dlname, port_subnet, allow_pname))
+# if the external gateway is already setup for the shared router,
+# then we need to add Policy Based Routing (PBR) for this internal
+# network
+ex_gw_port = self.ex_gw_port
+ex_gw_ip = (ex_gw_port['subnets'][0]['gateway_ip']
+if ex_gw_port else None)
+if ex_gw_ip:
+external_dlname = self.get_external_device_name(ex_gw_port['id'])
+rules.append('pass in on %s to %s:%s from any to !%s' %
+(internal_dlname, external_dlname, ex_gw_ip,
+port_subnet))
+ipversion = netaddr.IPNetwork(port_subnet).version
+self.ipfilters_manager.add_ipf_rules(rules, ipversion)
+if self.agent_conf.enable_metadata_proxy and ipversion == 4:
+rdr_rule = ['rdr %s 169.254.169.254/32 port 80 -> %s port %d tcp' %
+(internal_dlname, port['fixed_ips'][0]['ip_address'],
+self.agent_conf.metadata_port)]
+self.ipfilters_manager.add_nat_rules(rdr_rule)
+def internal_network_removed(self, port):
+internal_dlname = self.get_internal_device_name(port['id'])
+port_subnet = port['subnets'][0]['cidr']
+# remove all the IP filter rules that we added during
+# internal network addition
+block_pname = self._get_ippool_name(port['mac_address'])
+rules = ['block in quick on %s from %s to pool/%d' %
+(internal_dlname, port_subnet, block_pname)]
+if self.agent_conf.allow_forwarding_between_networks:
+allow_pname = self._get_ippool_name(port['mac_address'], '0')
+rules.append('pass in quick on %s from %s to pool/%d' %
+(internal_dlname, port_subnet, allow_pname))
+# remove all the IP filter rules that we added during
+# external network addition
+ex_gw_port = self.ex_gw_port
+ex_gw_ip = (ex_gw_port['subnets'][0]['gateway_ip']
+if ex_gw_port else None)
+if ex_gw_ip:
+external_dlname = self.get_external_device_name(ex_gw_port['id'])
+rules.append('pass in on %s to %s:%s from any to !%s' %
+(internal_dlname, external_dlname, ex_gw_ip,
+port_subnet))
+ipversion = netaddr.IPNetwork(port['subnets'][0]['cidr']).version
+self.ipfilters_manager.remove_ipf_rules(rules, ipversion)
+# remove the ippool
+self.ipfilters_manager.remove_ippool(block_pname, None)
+if self.agent_conf.allow_forwarding_between_networks:
+self.ipfilters_manager.remove_ippool(allow_pname, None)
+for internal_port in self.internal_ports:
+if (self.agent_conf.allow_forwarding_between_networks and
+internal_port['tenant_id'] == port['tenant_id']):
+iport_allow_pname = \
+self._get_ippool_name(internal_port['mac_address'], '0')
+self.ipfilters_manager.remove_ippool(iport_allow_pname,
+[port_subnet])
+else:
+iport_block_pname = \
+self._get_ippool_name(internal_port['mac_address'])
+self.ipfilters_manager.remove_ippool(iport_block_pname,
+[port_subnet])
+if self.agent_conf.enable_metadata_proxy and ipversion == 4:
+rdr_rule = ['rdr %s 169.254.169.254/32 port 80 -> %s port %d tcp' %
+(internal_dlname, port['fixed_ips'][0]['ip_address'],
+self.agent_conf.metadata_port)]
+self.ipfilters_manager.remove_nat_rules(rdr_rule)
+if net_lib.Datalink.datalink_exists(internal_dlname):
+self.driver.fini_l3(internal_dlname)
+self.driver.unplug(internal_dlname)
+def _process_internal_ports(self):
+existing_port_ids = set([p['id'] for p in self.internal_ports])
+internal_ports = self.router.get(l3_constants.INTERFACE_KEY, [])
 current_port_ids = set([p['id'] for p in internal_ports
 if p['admin_state_up']])
-new_ports = [p for p in internal_ports if
-p['id'] in current_port_ids and
+new_port_ids = current_port_ids - existing_port_ids
-p['id'] not in existing_port_ids]
+new_ports = [p for p in internal_ports if p['id'] in new_port_ids]
-old_ports = [p for p in ri.internal_ports if
+old_ports = [p for p in self.internal_ports if
 p['id'] not in current_port_ids]
-new_ipv6_port = False
+#         updated_ports = self._get_updated_ports(self.internal_ports,
-old_ipv6_port = False
+#                                                 internal_ports)
+enable_ra = False
 for p in new_ports:
-self._set_subnet_info(p)
+self.internal_network_added(p)
-self.internal_network_added(ri, p)
+self.internal_ports.append(p)
-ri.internal_ports.append(p)
+enable_ra = enable_ra or self._port_has_ipv6_subnet(p)
-if (not new_ipv6_port and
-netaddr.IPNetwork(p['subnet']['cidr']).version == 6):
-new_ipv6_port = True
 for p in old_ports:
-self.internal_network_removed(ri, p)
+self.internal_network_removed(p)
-ri.internal_ports.remove(p)
+self.internal_ports.remove(p)
-if (not old_ipv6_port and
+enable_ra = enable_ra or self._port_has_ipv6_subnet(p)
-netaddr.IPNetwork(p['subnet']['cidr']).version == 6):
-old_ipv6_port = True
+#         if updated_ports:
+#             for index, p in enumerate(internal_ports):
-if new_ipv6_port or old_ipv6_port:
+#                 if not updated_ports.get(p['id']):
-# refresh ndpd daemon after filling in ndpd.conf
+#                     continue
-# with the right entries
+#                 self.internal_ports[index] = updated_ports[p['id']]
-ra.enable_ipv6_ra(ri.router_id,
+#                 interface_name = self.get_internal_device_name(p['id'])
-internal_ports,
+#                 ip_cidrs = common_utils.fixed_ip_cidrs(p['fixed_ips'])
-self.get_internal_device_name)
+#                 self.driver.init_l3(interface_name, ip_cidrs=ip_cidrs,
+#                         namespace=self.ns_name)
+#                 enable_ra = enable_ra or self._port_has_ipv6_subnet(p)
+# Enable RA
+if enable_ra:
+self.radvd.enable(internal_ports)
 # remove any internal stale router interfaces (i.e., l3i.. VNICs)
-existing_devices = net_lib.Datalink.show_vnic()
+existing_devices = self._get_existing_devices()
-current_internal_devs = set([n for n in existing_devices
+current_internal_devs = set(n for n in existing_devices
-if n.startswith(INTERNAL_DEV_PREFIX)])
+if n.startswith(INTERNAL_DEV_PREFIX))
-current_port_devs = set([self.get_internal_device_name(id) for
+current_port_devs = set(self.get_internal_device_name(port_id)
-id in current_port_ids])
+for port_id in current_port_ids)
 stale_devs = current_internal_devs - current_port_devs
 for stale_dev in stale_devs:
 LOG.debug(_('Deleting stale internal router device: %s'),
 stale_dev)
 self.driver.fini_l3(stale_dev)
 self.driver.unplug(stale_dev)
-# TODO(salv-orlando): RouterInfo would be a better place for
+def _get_ippool_name(self, mac_address, suffix=None):
-# this logic too
+# Generate a unique-name for ippool(1m) from that last 3
-ex_gw_port_id = (ex_gw_port and ex_gw_port['id'] or
+# bytes of mac-address. It is called pool name, but it is
-ri.ex_gw_port and ri.ex_gw_port['id'])
+# actually a 32 bit integer
+name = mac_address.split(':')[3:]
-interface_name = None
+if suffix:
-if ex_gw_port_id:
+name.append(suffix)
-interface_name = self.get_external_device_name(ex_gw_port_id)
+return int("".join(name), 16)
-if ex_gw_port:
-def _gateway_ports_equal(port1, port2):
+def process_floating_ip_addresses(self, interface_name):
-def _get_filtered_dict(d, ignore):
+"""Configure IP addresses on router's external gateway interface.
-return dict((k, v) for k, v in d.iteritems()
-if k not in ignore)
+Ensures addresses for existing floating IPs and cleans up
+those that should not longer be configured.
-keys_to_ignore = set(['binding:host_id'])
+"""
-port1_filtered = _get_filtered_dict(port1, keys_to_ignore)
-port2_filtered = _get_filtered_dict(port2, keys_to_ignore)
-return port1_filtered == port2_filtered
-self._set_subnet_info(ex_gw_port)
-if not ri.ex_gw_port:
-self.external_gateway_added(ri, ex_gw_port, interface_name)
-elif not _gateway_ports_equal(ex_gw_port, ri.ex_gw_port):
-self.external_gateway_updated(ri, ex_gw_port, interface_name)
-elif not ex_gw_port and ri.ex_gw_port:
-self.external_gateway_removed(ri, ri.ex_gw_port, interface_name)
-# Remove any external stale router interfaces (i.e., l3e.. VNICs)
-stale_devs = [dev for dev in existing_devices
-if dev.startswith(EXTERNAL_DEV_PREFIX)
-and dev != interface_name]
-for stale_dev in stale_devs:
-LOG.debug(_('Deleting stale external router device: %s'),
-stale_dev)
-self.driver.fini_l3(stale_dev)
-self.driver.unplug(stale_dev)
-# Process static routes for router
-self.routes_updated(ri)
-# Process SNAT rules for external gateway
-if (not ri.router['distributed'] or
-ex_gw_port and self.get_gw_port_host(ri.router) == self.host):
-# Get IPv4 only internal CIDRs
-internal_cidrs = [p['ip_cidr'] for p in ri.internal_ports
-if netaddr.IPNetwork(p['ip_cidr']).version == 4]
-ri.perform_snat_action(self._handle_router_snat_rules,
-internal_cidrs, interface_name)
-# Process SNAT/DNAT rules for floating IPs
 fip_statuses = {}
-if ex_gw_port:
+if interface_name is None:
-existing_floating_ips = ri.floating_ips
+LOG.debug('No Interface for floating IPs router: %s',
-fip_statuses = self.process_router_floating_ips(ri, ex_gw_port)
+self.router['id'])
-# Identify floating IPs which were disabled
+return fip_statuses
-ri.floating_ips = set(fip_statuses.keys())
-for fip_id in existing_floating_ips - ri.floating_ips:
+ipintf = net_lib.IPInterface(interface_name)
-fip_statuses[fip_id] = l3_constants.FLOATINGIP_STATUS_DOWN
-# Update floating IP status on the neutron server
-self.plugin_rpc.update_floatingip_statuses(
-self.context, ri.router_id, fip_statuses)
-# Update ex_gw_port and enable_snat on the router info cache
-ri.ex_gw_port = ex_gw_port
-ri.enable_snat = ri.router.get('enable_snat')
-def process_router_floating_ips(self, ri, ex_gw_port):
-"""Configure the router's floating IPs
-Configures floating ips using ipnat(1m) on the router's gateway device.
-Cleans up floating ips that should not longer be configured.
-"""
-ifname = self.get_external_device_name(ex_gw_port['id'])
-ipintf = net_lib.IPInterface(ifname)
 ipaddr_list = ipintf.ipaddr_list()['static']
 existing_cidrs = set(ipaddr_list)
 new_cidrs = set()
 existing_nat_rules = [nat_rule for nat_rule in
-ri.ipfilters_manager.ipv4['nat']]
+self.ipfilters_manager.ipv4['nat']]
 new_nat_rules = []
+floating_ips = self.get_floating_ips()
 # Loop once to ensure that floating ips are configured.
-fip_statuses = {}
+for fip in floating_ips:
-for fip in ri.router.get(l3_constants.FLOATINGIP_KEY, []):
 fip_ip = fip['floating_ip_address']
 fip_cidr = str(fip_ip) + FLOATING_IP_CIDR_SUFFIX
 new_cidrs.add(fip_cidr)
 fixed_cidr = str(fip['fixed_ip_address']) + '/32'
-nat_rule = 'bimap %s %s -> %s' % (ifname, fixed_cidr, fip_cidr)
+nat_rule = 'bimap %s %s -> %s' % (interface_name, fixed_cidr,
+fip_cidr)
 if fip_cidr not in existing_cidrs:
 try:
 ipintf.create_address(fip_cidr)
-ri.ipfilters_manager.add_nat_rules([nat_rule])
+self.ipfilters_manager.add_nat_rules([nat_rule])
 except Exception as err:
 # TODO(gmoodalb): If we fail in add_nat_rules(), then
 # we need to remove the fip_cidr address
 # any exception occurred here should cause the floating IP
 LOG.warn(_("Unable to configure IP address for "
 "floating IP: %s: %s") % (fip['id'], err))
 continue
 fip_statuses[fip['id']] = (
 l3_constants.FLOATINGIP_STATUS_ACTIVE)
+LOG.debug("Floating ip %(id)s added, status %(status)s",
+{'id': fip['id'],
+'status': fip_statuses.get(fip['id'])})
 new_nat_rules.append(nat_rule)
 # remove all the old NAT rules
 old_nat_rules = list(set(existing_nat_rules) - set(new_nat_rules))
 # Filter out 'bimap' NAT rules as we don't want to remove NAT rules
 # that were added for Metadata server
 old_nat_rules = [rule for rule in old_nat_rules if "bimap" in rule]
-ri.ipfilters_manager.remove_nat_rules(old_nat_rules)
+self.ipfilters_manager.remove_nat_rules(old_nat_rules)
 # Clean up addresses that no longer belong on the gateway interface.
 for ip_cidr in existing_cidrs - new_cidrs:
 if ip_cidr.endswith(FLOATING_IP_CIDR_SUFFIX):
 ipintf.delete_address(ip_cidr)
 return fip_statuses
-def get_internal_device_name(self, port_id):
+# Todo(gmoodalb): need to do more work on ipv6 gateway
-# Because of the way how dnsmasq works on Solaris, the length
+def external_gateway_added(self, ex_gw_port, external_dlname):
-# of datalink name cannot exceed 16 (includes terminating nul
-# character). So, the linkname can only have 15 characters and
-# the last two characters are set aside for '_0'. So, we only
-# have 13 characters left.
-dname = (INTERNAL_DEV_PREFIX + port_id)[:13]
-dname += '_0'
-return dname.replace('-', '_')
-def get_external_device_name(self, port_id):
-# please see the comment above
-dname = (EXTERNAL_DEV_PREFIX + port_id)[:13]
-dname += '_0'
-return dname.replace('-', '_')
-def external_gateway_added(self, ri, ex_gw_port, external_dlname):
 if not net_lib.Datalink.datalink_exists(external_dlname):
 dl = net_lib.Datalink(external_dlname)
 # determine the network type of the external network
 evsname = ex_gw_port['network_id']
 LOG.error(_("External network should be either Flat or "
 "VLAN based, and it is required to "
 "create an external gateway port"))
 return
 elif (l2type == 'vlan' and
-self.conf.get("external_network_datalink", None)):
+self.agent_conf.get("external_network_datalink", None)):
 LOG.warning(_("external_network_datalink is deprecated in "
 "Juno and will be removed in the next release "
 "of Solaris OpenStack. Please use the evsadm "
 "set-controlprop subcommand to setup the "
 "uplink-port for an external network"))
 # proceed with the old-style of doing things
 mac_address = ex_gw_port['mac_address']
-dl.create_vnic(self.conf.external_network_datalink,
+dl.create_vnic(self.agent_conf.external_network_datalink,
 mac_address=mac_address, vid=vid)
 else:
-# This is to handle HA by Solaris Cluster and is similar to
+self.driver.plug(ex_gw_port['tenant_id'],
-# the code we already have for the DHCP Agent. So, when
+ex_gw_port['network_id'],
-# the 1st L3 agent is down and the second L3 agent tries to
+ex_gw_port['id'], external_dlname)
-# connect its VNIC to EVS, we will end up in "vport in use"
-# error. So, we need to reset the vport before we connect
+ip_cidrs = common_utils.fixed_ip_cidrs(ex_gw_port['fixed_ips'])
-# the VNIC to EVS.
+self.driver.init_l3(external_dlname, ip_cidrs)
-cmd = ['/usr/sbin/evsadm', 'show-vport', '-f',
-'vport=%s' % ex_gw_port['id'], '-co',
+gw_ip = ex_gw_port['subnets'][0]['gateway_ip']
-'evs,vport,status']
-stdout = utils.execute(cmd)
-evsname, vportname, status = stdout.strip().split(':')
-tenant_id = ex_gw_port['tenant_id']
-if status == 'used':
-cmd = ['/usr/sbin/evsadm', 'reset-vport', '-T', tenant_id,
-'%s/%s' % (evsname, vportname)]
-utils.execute(cmd)
-# next remove protection setting on the VPort to allow
-# multiple floating IPs to be configured on the l3e*
-# interface
-evsvport = "%s/%s" % (ex_gw_port['network_id'],
-ex_gw_port['id'])
-cmd = ['/usr/sbin/evsadm', 'set-vportprop', '-T',
-tenant_id, '-p', 'protection=none', evsvport]
-utils.execute(cmd)
-dl.connect_vnic(evsvport, tenant_id)
-self.driver.init_l3(external_dlname, [ex_gw_port['ip_cidr']])
-# TODO(gmoodalb): wrap route(1m) command within a class in net_lib.py
-gw_ip = ex_gw_port['subnet']['gateway_ip']
 if gw_ip:
 cmd = ['/usr/bin/pfexec', '/usr/sbin/route', 'add', 'default',
 gw_ip]
 stdout = utils.execute(cmd, extra_ok_codes=[errno.EEXIST])
-ri.remove_route = True
+if 'entry exists' not in stdout:
-if 'entry exists' in stdout:
+self.remove_route = True
-ri.remove_route = False
 # for each of the internal ports, add Policy Based
 # Routing (PBR) rule
-for port in ri.internal_ports:
+for port in self.internal_ports:
 internal_dlname = self.get_internal_device_name(port['id'])
 rules = ['pass in on %s to %s:%s from any to !%s' %
 (internal_dlname, external_dlname, gw_ip,
-port['subnet']['cidr'])]
+port['subnets'][0]['cidr'])]
-ipversion = netaddr.IPNetwork(port['subnet']['cidr']).version
+ipversion = \
-ri.ipfilters_manager.add_ipf_rules(rules, ipversion)
+netaddr.IPNetwork(port['subnets'][0]['cidr']).version
+self.ipfilters_manager.add_ipf_rules(rules, ipversion)
-def external_gateway_updated(self, ri, ex_gw_port, external_dlname):
+def external_gateway_updated(self, ex_gw_port, external_dlname):
 # There is nothing to do on Solaris
 pass
-def external_gateway_removed(self, ri, ex_gw_port, external_dlname):
+def external_gateway_removed(self, ex_gw_port, external_dlname):
-gw_ip = ex_gw_port['subnet']['gateway_ip']
+gw_ip = ex_gw_port['subnets'][0]['gateway_ip']
 if gw_ip:
 # remove PBR rules
-for port in ri.internal_ports:
+for port in self.internal_ports:
 internal_dlname = self.get_internal_device_name(port['id'])
 rules = ['pass in on %s to %s:%s from any to !%s' %
 (internal_dlname, external_dlname, gw_ip,
-port['subnet']['cidr'])]
+port['subnets'][0]['cidr'])]
-ipversion = netaddr.IPNetwork(port['subnet']['cidr']).version
+ipversion = \
-ri.ipfilters_manager.remove_ipf_rules(rules, ipversion)
+netaddr.IPNetwork(port['subnets'][0]['cidr']).version
+self.ipfilters_manager.remove_ipf_rules(rules, ipversion)
-if ri.remove_route:
+if self.remove_route:
 cmd = ['/usr/bin/pfexec', '/usr/sbin/route', 'delete',
 'default', gw_ip]
 utils.execute(cmd, check_exit_code=False)
 if net_lib.Datalink.datalink_exists(external_dlname):
 self.driver.fini_l3(external_dlname)
 self.driver.unplug(external_dlname)
-# remove the EVS VPort associated with external network
+def _process_external_gateway(self, ex_gw_port):
-cmd = ['/usr/sbin/evsadm', 'remove-vport',
+# TODO(Carl) Refactor to clarify roles of ex_gw_port vs self.ex_gw_port
-'-T', ex_gw_port['tenant_id'],
+ex_gw_port_id = (ex_gw_port and ex_gw_port['id'] or
-'%s/%s' % (ex_gw_port['network_id'], ex_gw_port['id'])]
+self.ex_gw_port and self.ex_gw_port['id'])
+interface_name = None
+if ex_gw_port_id:
+interface_name = self.get_external_device_name(ex_gw_port_id)
+if ex_gw_port:
+def _gateway_ports_equal(port1, port2):
+def _get_filtered_dict(d, ignore):
+return dict((k, v) for k, v in d.iteritems()
+if k not in ignore)
+keys_to_ignore = set(['binding:host_id'])
+port1_filtered = _get_filtered_dict(port1, keys_to_ignore)
+port2_filtered = _get_filtered_dict(port2, keys_to_ignore)
+return port1_filtered == port2_filtered
+if not self.ex_gw_port:
+self.external_gateway_added(ex_gw_port, interface_name)
+elif not _gateway_ports_equal(ex_gw_port, self.ex_gw_port):
+self.external_gateway_updated(ex_gw_port, interface_name)
+elif not ex_gw_port and self.ex_gw_port:
+self.external_gateway_removed(self.ex_gw_port, interface_name)
+# Remove any external stale router interfaces (i.e., l3e.. VNICs)
+existing_devices = self._get_existing_devices()
+stale_devs = [dev for dev in existing_devices
+if dev.startswith(EXTERNAL_DEV_PREFIX) and
+dev != interface_name]
+for stale_dev in stale_devs:
+LOG.debug(_('Deleting stale external router device: %s'),
+stale_dev)
+self.driver.fini_l3(stale_dev)
+self.driver.unplug(stale_dev)
+# Process SNAT rules for external gateway
+self.perform_snat_action(self._handle_router_snat_rules,
+interface_name)
+def external_gateway_snat_rules(self, ex_gw_ip, interface_name):
+rules = []
+ip_cidrs = []
+for port in self.internal_ports:
+if netaddr.IPNetwork(port['subnets'][0]['cidr']).version == 4:
+ip_cidrs.extend(common_utils.fixed_ip_cidrs(port['fixed_ips']))
+for ip_cidr in ip_cidrs:
+rules.append('map %s %s -> %s/32' %
+(interface_name, ip_cidr, ex_gw_ip))
+return rules
+def _handle_router_snat_rules(self, ex_gw_port, interface_name, action):
+# Remove all the old SNAT rules
+# This is safe because if use_namespaces is set as False
+# then the agent can only configure one router, otherwise
+# each router's SNAT rules will be in their own namespace
+# get only the SNAT rules
+old_snat_rules = [rule for rule in self.ipfilters_manager.ipv4['nat']
+if rule.startswith('map')]
+self.ipfilters_manager.remove_nat_rules(old_snat_rules)
+# And add them back if the action is add_rules
+if action == 'add_rules' and ex_gw_port:
+# NAT rules are added only if ex_gw_port has an IPv4 address
+for ip_addr in ex_gw_port['fixed_ips']:
+ex_gw_ip = ip_addr['ip_address']
+if netaddr.IPAddress(ex_gw_ip).version == 4:
+rules = self.external_gateway_snat_rules(ex_gw_ip,
+interface_name)
+self.ipfilters_manager.add_nat_rules(rules)
+break
+def process_external(self, agent):
+existing_floating_ips = self.floating_ips
 try:
-utils.execute(cmd)
+ex_gw_port = self.get_ex_gw_port()
-except Exception as err:
+self._process_external_gateway(ex_gw_port)
-LOG.error(_("Failed to delete the EVS VPort associated with "
+# TODO(Carl) Return after setting existing_floating_ips and
-"external network: %s") % err)
+# still call update_fip_statuses?
+if not ex_gw_port:
-def _get_ippool_name(self, mac_address, suffix=None):
+return
-# Generate a unique-name for ippool(1m) from that last 3
-# bytes of mac-address. It is called pool name, but it is
+# Once NAT rules for floating IPs are safely in place
-# actually a 32 bit integer
+# configure their addresses on the external gateway port
-name = mac_address.split(':')[3:]
+interface_name = self.get_external_device_name(ex_gw_port['id'])
-if suffix:
+fip_statuses = self.configure_fip_addresses(interface_name)
-name.append(suffix)
+except (n_exc.FloatingIpSetupException,
-return int("".join(name), 16)
+n_exc.IpTablesApplyException) as e:
+# All floating IPs must be put in error state
-def internal_network_added(self, ri, port):
+LOG.exception(e)
-internal_dlname = self.get_internal_device_name(port['id'])
+fip_statuses = self.put_fips_in_error_state()
-# driver just returns if datalink and IP interface already exists
-self.driver.plug(port['tenant_id'], port['network_id'], port['id'],
+agent.update_fip_statuses(self, existing_floating_ips, fip_statuses)
-internal_dlname)
-self.driver.init_l3(internal_dlname, [port['ip_cidr']])
+class EVSL3NATAgent(l3_agent.L3NATAgentWithStateReport):
-# Since we support shared router model, we need to block the new
+OPTS = [
-# internal port from reaching other tenant's ports
+cfg.StrOpt('external_network_datalink', default='net0',
-block_pname = self._get_ippool_name(port['mac_address'])
+help=_("Name of the datalink that connects to "
-ri.ipfilters_manager.add_ippool(block_pname, None)
+"an external network.")),
-if self.conf.allow_forwarding_between_networks:
+cfg.BoolOpt('allow_forwarding_between_networks', default=False,
-# If allow_forwarding_between_networks is set, then we need to
+help=_("Allow forwarding of packets between tenant's "
-# allow forwarding of packets between same tenant's ports.
+"networks")),
-allow_pname = self._get_ippool_name(port['mac_address'], '0')
+]
-ri.ipfilters_manager.add_ippool(allow_pname, None)
+def __init__(self, host, conf=None):
-# walk through the other internal ports and retrieve their
+cfg.CONF.register_opts(self.OPTS)
-# cidrs and at the same time add the new internal port's
+cfg.CONF.register_opts(interface.OPTS)
-# cidr to them
+super(EVSL3NATAgent, self).__init__(host=host, conf=conf)
-port_subnet = port['subnet']['cidr']
+cfg.CONF.register_opts(neutron_vpnaas.vpn_agent_opts, 'vpnagent')
-block_subnets = []
+self.service = vpn_service.VPNService(self)
-allow_subnets = []
+self.device_drivers = self.service.load_device_drivers(host)
-for internal_port in ri.internal_ports:
-if internal_port['mac_address'] == port['mac_address']:
+def _router_added(self, router_id, router):
-continue
+args = []
-if (self.conf.allow_forwarding_between_networks and
+kwargs = {
-internal_port['tenant_id'] == port['tenant_id']):
+'router_id': router_id,
-allow_subnets.append(internal_port['subnet']['cidr'])
+'router': router,
-# we need to add the port's subnet to this internal_port's
+'use_ipv6': self.use_ipv6,
-# allowed_subnet_pool
+'agent_conf': self.conf,
-iport_allow_pname = \
+'interface_driver': self.driver,
-self._get_ippool_name(internal_port['mac_address'], '0')
+}
-ri.ipfilters_manager.add_ippool(iport_allow_pname,
+ri = SolarisRouterInfo(*args, **kwargs)
-[port_subnet])
+registry.notify(resources.ROUTER, events.BEFORE_CREATE,
-else:
+self, router=ri)
-block_subnets.append(internal_port['subnet']['cidr'])
-iport_block_pname = \
+self.router_info[router_id] = ri
-self._get_ippool_name(internal_port['mac_address'])
-ri.ipfilters_manager.add_ippool(iport_block_pname,
+ri.initialize(self.process_monitor)
-[port_subnet])
-# update the new port's pool with other ports' subnet
-ri.ipfilters_manager.add_ippool(block_pname, block_subnets)
-if self.conf.allow_forwarding_between_networks:
-ri.ipfilters_manager.add_ippool(allow_pname, allow_subnets)
-# now setup the IPF rules
-rules = ['block in quick on %s from %s to pool/%d' %
-(internal_dlname, port_subnet, block_pname)]
-# pass in packets between networks that belong to same tenant
-if self.conf.allow_forwarding_between_networks:
-rules.append('pass in quick on %s from %s to pool/%d' %
-(internal_dlname, port_subnet, allow_pname))
-# if the external gateway is already setup for the shared router,
-# then we need to add Policy Based Routing (PBR) for this internal
-# network
-ex_gw_port = ri.ex_gw_port
-ex_gw_ip = (ex_gw_port['subnet']['gateway_ip'] if ex_gw_port else None)
-if ex_gw_ip:
-external_dlname = self.get_external_device_name(ex_gw_port['id'])
-rules.append('pass in on %s to %s:%s from any to !%s' %
-(internal_dlname, external_dlname, ex_gw_ip,
-port_subnet))
-ipversion = netaddr.IPNetwork(port_subnet).version
-ri.ipfilters_manager.add_ipf_rules(rules, ipversion)
-# if metadata proxy is enabled, then add the necessary
-# IP NAT rules to forward the metadata requests to the
-# metadata proxy server
-if self.conf.enable_metadata_proxy and ipversion == 4:
-# TODO(gmoodalb): when IP Filter allows redirection of packets
-# to loopback IP address, then we need to add an IPF rule allowing
-# only packets destined to 127.0.0.1:9697 to
-# neutron-ns-metadata-proxy server
-rules = ['rdr %s 169.254.169.254/32 port 80 -> %s port %d tcp' %
-(internal_dlname, port['fixed_ips'][0]['ip_address'],
-self.conf.metadata_port)]
-ri.ipfilters_manager.add_nat_rules(rules)
-def internal_network_removed(self, ri, port):
-internal_dlname = self.get_internal_device_name(port['id'])
-port_subnet = port['subnet']['cidr']
-# remove all the IP filter rules that we added during
-# internal network addition
-block_pname = self._get_ippool_name(port['mac_address'])
-rules = ['block in quick on %s from %s to pool/%d' %
-(internal_dlname, port_subnet, block_pname)]
-if self.conf.allow_forwarding_between_networks:
-allow_pname = self._get_ippool_name(port['mac_address'], '0')
-rules.append('pass in quick on %s from %s to pool/%d' %
-(internal_dlname, port_subnet, allow_pname))
-# remove all the IP filter rules that we added during
-# external network addition
-ex_gw_port = ri.ex_gw_port
-ex_gw_ip = (ex_gw_port['subnet']['gateway_ip'] if ex_gw_port else None)
-if ex_gw_ip:
-external_dlname = self.get_external_device_name(ex_gw_port['id'])
-rules.append('pass in on %s to %s:%s from any to !%s' %
-(internal_dlname, external_dlname, ex_gw_ip,
-port_subnet))
-ipversion = netaddr.IPNetwork(port['subnet']['cidr']).version
-ri.ipfilters_manager.remove_ipf_rules(rules, ipversion)
-# remove the ippool
-ri.ipfilters_manager.remove_ippool(block_pname, None)
-if self.conf.allow_forwarding_between_networks:
-ri.ipfilters_manager.remove_ippool(allow_pname, None)
-for internal_port in ri.internal_ports:
-if (self.conf.allow_forwarding_between_networks and
-internal_port['tenant_id'] == port['tenant_id']):
-iport_allow_pname = \
-self._get_ippool_name(internal_port['mac_address'], '0')
-ri.ipfilters_manager.remove_ippool(iport_allow_pname,
-[port_subnet])
-else:
-iport_block_pname = \
-self._get_ippool_name(internal_port['mac_address'])
-ri.ipfilters_manager.remove_ippool(iport_block_pname,
-[port_subnet])
-# if metadata proxy is enabled, then remove the IP NAT rules that
-# were added while adding the internal network
-if self.conf.enable_metadata_proxy and ipversion == 4:
-rules = ['rdr %s 169.254.169.254/32 port 80 -> %s port %d tcp' %
-(internal_dlname, port['fixed_ips'][0]['ip_address'],
-self.conf.metadata_port)]
-ri.ipfilters_manager.remove_nat_rules(rules)
-if net_lib.Datalink.datalink_exists(internal_dlname):
-self.driver.fini_l3(internal_dlname)
-self.driver.unplug(internal_dlname)
-# remove the EVS VPort associated with internal network
-cmd = ['/usr/sbin/evsadm', 'remove-vport', '-T', port['tenant_id'],
-'%s/%s' % (port['network_id'], port['id'])]
-try:
-utils.execute(cmd)
-except Exception as err:
-LOG.error(_("Failed to delete the EVS VPort associated with "
-"internal network: %s") % err)
-def routes_updated(self, ri):
-pass

branch	s11u3-sru
changeset 6035	c9748fcc32de
parent 4647	f1f27134bd1c
child 6444	bf62eba2612a