[FWaaS] Update icmp_reachability_test for OVN backend
FWaaS uses stateless ACL rules in OVN when the OVN driver is used. That
means that traffic in both directions always needs to be allowed
explicitly.
This patch adjusts
fwaas.scenario.test_fwaas_v2.TestFWaaS_v2.test_icmp_reachability_scenarios
test so that in the 3rd step it allows ICMP traffic in both directions
and test is passing.
This patch also adds new config option `driver` in the `fwaas` group.
This option can be used to tell Tempest what FWaaS driver is used in the
deployment so that appropriate test path can be choosen.
Change-Id: I4f238300069df4777245bb64f83824ea36296cc7
diff --git a/neutron_tempest_plugin/config.py b/neutron_tempest_plugin/config.py
index 7880eff..38d6ac6 100644
--- a/neutron_tempest_plugin/config.py
+++ b/neutron_tempest_plugin/config.py
@@ -207,6 +207,10 @@
deprecated_for_removal=True,
deprecated_reason='Tests are skipped according to '
'the available extensions.'),
+ cfg.StrOpt('driver',
+ default=None,
+ choices=['openvswitch', 'ovn'],
+ help='Driver used by the FWaaS plugin.'),
]
fwaas_group = cfg.OptGroup(
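Review bot: The new `driver` option's help text does not say what the tests assume when it is left unset, although that is what decides the scenario path: anything other than `'ovn'` (including the `None` default) is treated as a stateful driver by test_fwaas_v2, so an OVN deployment that forgets to set it fails with a plain connectivity error rather than a configuration hint. I would extend the help string, e.g. `help='Driver used by the FWaaS plugin. Leave unset for stateful drivers (openvswitch); set to "ovn" so scenario tests account for stateless ACL rules.'`. `default=None` is already the StrOpt default and can be dropped.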
diff --git a/neutron_tempest_plugin/fwaas/scenario/test_fwaas_v2.py b/neutron_tempest_plugin/fwaas/scenario/test_fwaas_v2.py
index 8468671..6af27fc 100644
--- a/neutron_tempest_plugin/fwaas/scenario/test_fwaas_v2.py
+++ b/neutron_tempest_plugin/fwaas/scenario/test_fwaas_v2.py
@@ -269,12 +269,11 @@
# Scenario 3: Create a rule allowing ICMP only from server_fixed_ip_1
# to server_fixed_ip_2 and check that traffic from opposite direction
- # is blocked.
+ # is blocked (for ovs driver where rules are stateful).
fw_allow_unidirectional_icmp_rule = self.create_firewall_rule(
action="allow", protocol="icmp",
source_ip_address=topology['server_fixed_ip_1'],
destination_ip_address=topology['server_fixed_ip_2'])
-
self.remove_firewall_rule_from_policy_and_wait(
firewall_group_id=fw_group['id'],
firewall_rule_id=fw_deny_icmp_rule['id'],
@@ -284,6 +283,20 @@
firewall_rule_id=fw_allow_unidirectional_icmp_rule['id'],
firewall_policy_id=fw_policy['id'])
+ if CONF.fwaas.driver == 'ovn':
+ # NOTE(slaweq): OVN driver in FWaaS implements only stateless rules
+ # so allowing only unidirectional traffic is not enough as ICMP
+ # replies are still blocked and to make it working additional rule
+ # for the opposite direction is required also:
+ fw_allow_icmp_reply_rule = self.create_firewall_rule(
+ action="allow", protocol="icmp",
+ source_ip_address=topology['server_fixed_ip_2'],
+ destination_ip_address=topology['server_fixed_ip_1'])
+ self.insert_firewall_rule_in_policy_and_wait(
+ firewall_group_id=fw_group['id'],
+ firewall_rule_id=fw_allow_icmp_reply_rule['id'],
+ firewall_policy_id=fw_policy['id'])
+
self._check_server_connectivity(
topology['server_floating_ip_1'],
topology['private_key1'],
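Review bot: On the OVN path the reverse-direction check that follows this hunk is flipped to expect success, so scenario 3 no longer proves that the deny is enforced at all on OVN — the only negative assertion of the step is gone for that driver. With only the unidirectional allow rule in place and stateless ACLs, the reverse ping must fail (the echo request itself is dropped), so the ovn branch could assert that before inserting `fw_allow_icmp_reply_rule`, keeping a real deny check and also exercising the stateless behaviour the NOTE describes; I would also word the NOTE so it states the consequence the test relies on, i.e. that after the reply rule both directions are expected to be reachable. The enclosing test method starts and ends outside this hunk, and the reverse-direction check referenced here is in the next hunk.
```python
if CONF.fwaas.driver == 'ovn':
    # NOTE(slaweq): OVN driver in FWaaS implements only stateless rules.
    # With only the server_1 -> server_2 allow rule, the reverse
    # direction must still be blocked (the request itself is dropped);
    # assert that before adding the reply rule so the deny is exercised.
    self._check_server_connectivity(
        topology['server_floating_ip_2'],
        topology['private_key2'],
        address_list=[topology['server_fixed_ip_1']],
        should_connect=False)
    # … unchanged: create and insert fw_allow_icmp_reply_rule …
```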
@@ -293,7 +306,7 @@
topology['server_floating_ip_2'],
topology['private_key2'],
address_list=[topology['server_fixed_ip_1']],
- should_connect=False)
+ should_connect=CONF.fwaas.driver == 'ovn')
# Disassociate ports of this firewall group for cleanup resources
self.update_firewall_group_and_wait(fw_group['id'], ports=[])
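Review bot: `should_connect=CONF.fwaas.driver == 'ovn'` reads as if the driver name decides reachability, while the real reason is the reply rule inserted in the previous hunk; a named flag with a short comment makes the intent explicit and avoids repeating the string comparison that already appears there, e.g. `# OVN: the reply rule added above makes the reverse direction reachable` followed by `should_connect=reverse_direction_allowed)` with `reverse_direction_allowed = CONF.fwaas.driver == 'ovn'` defined once where the branch is taken. The enclosing test method starts outside this hunk.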