Handle firewall_driver option

Change-Id: I90b7c5807ecd0ea8789e17a2fd701084982d39d3
Closes-Bug: PROD-20881
diff --git a/README.rst b/README.rst
index e659bde..3d851a2 100644
--- a/README.rst
+++ b/README.rst
@@ -28,6 +28,7 @@
         rpc_state_report_workers: 2
         root_helper_daemon: false
         dhcp_lease_duration: 600
+        firewall_driver: iptables_hybrid
         bind:
           address: 172.20.0.1
           port: 9696
@@ -209,6 +210,7 @@
         enabled: True
         version: mitaka
         dhcp_lease_duration: 600
+        firewall_driver: iptables_hybrid
         message_queue:
           engine: rabbitmq
           host: 127.0.0.1
diff --git a/neutron/files/pike/ml2_conf.ini b/neutron/files/pike/ml2_conf.ini
index 377ecd7..d5b8a2f 100644
--- a/neutron/files/pike/ml2_conf.ini
+++ b/neutron/files/pike/ml2_conf.ini
@@ -293,22 +293,20 @@
 
 # Driver for security groups firewall in the L2 agent (string value)
 #firewall_driver = <None>
+{%- if not server.get('security_groups_enabled', True) %}
+{%-   set _firewall_driver = 'noop' %}
+{%- elif server.dpdk or server.get('vlan_aware_vms', False) %}
+{%-   set _firewall_driver = 'openvswitch' %}
+{%- else %}
+{%-   set _firewall_driver = 'iptables_hybrid' %}
+{%- endif %}
+firewall_driver = {{ server.get('firewall_driver', _firewall_driver) }}
 
 # Controls whether the neutron security group API is enabled in the server. It
 # should be false when using no security groups or using the nova security
 # group API. (boolean value)
 #enable_security_group = true
-
-{%- if not server.get('security_groups_enabled', True) %}
-firewall_driver = neutron.agent.firewall.NoopFirewallDriver
-enable_security_group = False
-{%- elif server.dpdk or server.get('vlan_aware_vms', False) %}
-firewall_driver = openvswitch
-enable_security_group = True
-{%- else %}
-firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
-enable_security_group = True
-{%- endif %}
+enable_security_group = {{ server.get('security_groups_enabled', True) }}
 
 # Use ipset to speed-up the iptables based security groups. Enabling ipset
 # support requires that ipset is installed on L2 agent node. (boolean value)
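Review bot: The new `firewall_driver = {{ server.get('firewall_driver', _firewall_driver) }}` line lets a pillar value override the driver independently of `security_groups_enabled`, so `firewall_driver: noop` can now render next to `enable_security_group = True`; before this change the noop driver was only ever paired with `enable_security_group = False`. In that combination the security group API would presumably still accept rules while the agent applies no filtering, which is easy to miss in an audit. The override is also rendered without validation, so a mistyped driver name goes straight into the config. I would either tie the two settings together, e.g. `enable_security_group = {{ server.get('security_groups_enabled', True) and server.get('firewall_driver', _firewall_driver) != 'noop' }}`, or restrict the override to the known names (`noop`, `openvswitch`, `iptables_hybrid`) and document the noop case in the README. The same pattern appears in the pike `openvswitch_agent.ini` hunk and in both queens hunks (with `neutron.get` in the agent files).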
diff --git a/neutron/files/pike/openvswitch_agent.ini b/neutron/files/pike/openvswitch_agent.ini
index dc997df..624101b 100644
--- a/neutron/files/pike/openvswitch_agent.ini
+++ b/neutron/files/pike/openvswitch_agent.ini
@@ -327,22 +327,20 @@
 
 # Driver for security groups firewall in the L2 agent (string value)
 #firewall_driver = <None>
+{%- if not neutron.get('security_groups_enabled', True) %}
+{%-   set _firewall_driver = 'noop' %}
+{%- elif neutron.dpdk or neutron.get('vlan_aware_vms', False) %}
+{%-   set _firewall_driver = 'openvswitch' %}
+{%- else %}
+{%-   set _firewall_driver = 'iptables_hybrid' %}
+{%- endif %}
+firewall_driver = {{ neutron.get('firewall_driver', _firewall_driver) }}
 
 # Controls whether the neutron security group API is enabled in the server. It
 # should be false when using no security groups or using the nova security
 # group API. (boolean value)
 #enable_security_group = true
-
-{%- if not neutron.get('security_groups_enabled', True) %}
-firewall_driver = neutron.agent.firewall.NoopFirewallDriver
-enable_security_group = False
-{%- elif neutron.dpdk  or neutron.get('vlan_aware_vms', False) %}
-firewall_driver = openvswitch
-enable_security_group = True
-{%- else %}
-firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
-enable_security_group = True
-{%- endif %}
+enable_security_group = {{ neutron.get('security_groups_enabled', True) }}
 
 # Use ipset to speed-up the iptables based security groups. Enabling ipset
 # support requires that ipset is installed on L2 agent node. (boolean value)
diff --git a/neutron/files/queens/ml2_conf.ini b/neutron/files/queens/ml2_conf.ini
index fe465ba..9dfcba1 100644
--- a/neutron/files/queens/ml2_conf.ini
+++ b/neutron/files/queens/ml2_conf.ini
@@ -199,22 +199,20 @@
 
 # Driver for security groups firewall in the L2 agent (string value)
 #firewall_driver = <None>
+{%- if not server.get('security_groups_enabled', True) %}
+{%-   set _firewall_driver = 'noop' %}
+{%- elif server.dpdk or server.get('vlan_aware_vms', False) %}
+{%-   set _firewall_driver = 'openvswitch' %}
+{%- else %}
+{%-   set _firewall_driver = 'iptables_hybrid' %}
+{%- endif %}
+firewall_driver = {{ server.get('firewall_driver', _firewall_driver) }}
 
 # Controls whether the neutron security group API is enabled in the server. It
 # should be false when using no security groups or using the nova security
 # group API. (boolean value)
 #enable_security_group = true
-
-{%- if not server.get('security_groups_enabled', True) %}
-firewall_driver = neutron.agent.firewall.NoopFirewallDriver
-enable_security_group = False
-{%- elif server.dpdk or server.get('vlan_aware_vms', False) %}
-firewall_driver = openvswitch
-enable_security_group = True
-{%- else %}
-firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
-enable_security_group = True
-{%- endif %}
+enable_security_group = {{ server.get('security_groups_enabled', True) }}
 
 # Use ipset to speed-up the iptables based security groups. Enabling ipset
 # support requires that ipset is installed on L2 agent node. (boolean value)
diff --git a/neutron/files/queens/openvswitch_agent.ini b/neutron/files/queens/openvswitch_agent.ini
index 821b8b8..6b1d41c 100644
--- a/neutron/files/queens/openvswitch_agent.ini
+++ b/neutron/files/queens/openvswitch_agent.ini
@@ -247,22 +247,20 @@
 
 # Driver for security groups firewall in the L2 agent (string value)
 #firewall_driver = <None>
+{%- if not neutron.get('security_groups_enabled', True) %}
+{%-   set _firewall_driver = 'noop' %}
+{%- elif neutron.dpdk or neutron.get('vlan_aware_vms', False) %}
+{%-   set _firewall_driver = 'openvswitch' %}
+{%- else %}
+{%-   set _firewall_driver = 'iptables_hybrid' %}
+{%- endif %}
+firewall_driver = {{ neutron.get('firewall_driver', _firewall_driver) }}
 
 # Controls whether the neutron security group API is enabled in the server. It
 # should be false when using no security groups or using the nova security
 # group API. (boolean value)
 #enable_security_group = true
-
-{%- if not neutron.get('security_groups_enabled', True) %}
-firewall_driver = neutron.agent.firewall.NoopFirewallDriver
-enable_security_group = False
-{%- elif neutron.dpdk  or neutron.get('vlan_aware_vms', False) %}
-firewall_driver = openvswitch
-enable_security_group = True
-{%- else %}
-firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
-enable_security_group = True
-{%- endif %}
+enable_security_group = {{ neutron.get('security_groups_enabled', True) }}
 
 # Use ipset to speed-up the iptables based security groups. Enabling ipset
 # support requires that ipset is installed on L2 agent node. (boolean value)
diff --git a/tests/pillar/compute_legacy.sls b/tests/pillar/compute_legacy.sls
index 943b35c..1a8aa58 100644
--- a/tests/pillar/compute_legacy.sls
+++ b/tests/pillar/compute_legacy.sls
@@ -1,6 +1,7 @@
 neutron:
   compute:
     agent_mode: legacy
+    firewall_driver: noop
     backend:
       engine: ml2
       tenant_network_types: "flat,vxlan"
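Review bot: This fixture sets `firewall_driver: noop` without `security_groups_enabled: false`, and the `control_single.sls` and `gateway_legacy.sls` hunks do the same, so every test pillar changed here exercises only the explicit override and renders the noop driver with security groups still enabled. As far as this diff shows, the computed default added in the templates (`noop` / `openvswitch` / `iptables_hybrid`) is then not covered by these pillars. Consider leaving at least one fixture without `firewall_driver` so the default branch is rendered, and pairing `noop` with `security_groups_enabled: false` where the intent is to disable filtering.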
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index b584d72..445806c 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -4,6 +4,7 @@
     rpc_workers: 2
     rpc_state_report_workers: 2
     enabled: true
+    firewall_driver: noop
     backend:
       external_mtu: 1500
       tenant_net_mtu: 9000
diff --git a/tests/pillar/gateway_legacy.sls b/tests/pillar/gateway_legacy.sls
index 6ce2ba0..c67c80b 100644
--- a/tests/pillar/gateway_legacy.sls
+++ b/tests/pillar/gateway_legacy.sls
@@ -2,6 +2,7 @@
   gateway:
     agent_mode: legacy
     dhcp_lease_duration: 86400
+    firewall_driver: noop
     backend:
       engine: ml2
       tenant_network_types: "flat,vxlan"