From 068a45e39edd83e8d8fe0617be36e2d5c66cb080 Mon Sep 17 00:00:00 2001
From: Jeffrey Zhang
Date: Fri, 29 Sep 2017 00:21:07 +0800
Subject: [PATCH] Implement neutron firewall v2

Closes-Bug: #1719775
Depends-On: I76803f0f81260129a242e31e81f4f956c5a44ef9
Change-Id: I675c486dda17ce5d6d5a9f665ade904f42d06611
---
 ansible/roles/neutron/defaults/main.yml | 15 ++++++++++++++-
 .../roles/neutron/templates/fwaas_driver.ini.j2 | 6 ++++++
 ansible/roles/neutron/templates/l3_agent.ini.j2 | 4 ++--
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/neutron/defaults/main.yml b/ansible/roles/neutron/defaults/main.yml
index 88858f1e87..a8d4b4abfc 100644
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@@ -206,6 +206,9 @@ neutron_bgp_dragent_image_full: "{{ neutron_bgp_dragent_image }}:{{ neutron_bgp_
 dhcp_agents_per_network: 2
 max_l3_agents_per_router: 3
 
+# valid value is: ["v1", "v2"]
+neutron_fwaas_version: "v1"
+
 neutron_admin_endpoint: "{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ neutron_server_port }}"
 neutron_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ neutron_server_port }}"
 neutron_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ neutron_server_port }}"
@@ -234,7 +237,9 @@ neutron_extension_drivers: "{{ extension_drivers|selectattr('enabled', 'equalto'
 ####################
 service_plugins:
 - name: "firewall"
- enabled: "{{ enable_neutron_fwaas | bool }}"
+ enabled: "{{ enable_neutron_fwaas | bool and neutron_fwaas_version == 'v1' }}"
+ - name: "firewall_v2"
+ enabled: "{{ enable_neutron_fwaas | bool and neutron_fwaas_version == 'v2' }}"
 - name: "flow_classifier"
 enabled: "{{ enable_neutron_sfc | bool }}"
 - name: "lbaasv2"
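Review bot: `neutron_fwaas_version` is introduced with the comment `# valid value is: ["v1", "v2"]` but nothing validates it, and every consumer compares it for equality — `neutron_fwaas_version == 'v1'` / `== 'v2'` on both `enabled:` lines of the `service_plugins` hunk here, the same pattern in the `l3_agent_extensions` hunk, and the `{% if %}/{% elif %}` ladder in `fwaas_driver.ini.j2` — so a value like `V2` or `v3` together with `enable_neutron_fwaas: true` deploys Neutron with no firewall service plugin, no L3 agent extension and no `driver` in `fwaas_driver.ini`: the firewall silently does not exist instead of the deploy failing. A precheck such as `assert: { that: "neutron_fwaas_version in ['v1', 'v2']" }` with `when: enable_neutron_fwaas | bool` would make the misconfiguration a hard error; the role's precheck tasks are not part of this patch, so where exactly it belongs is inferred. The comment itself would read better as `# Valid values: "v1" or "v2"`.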
@@ -278,6 +283,14 @@ agent_extensions:
 
 neutron_agent_extensions: "{{ agent_extensions | selectattr('enabled', 'equalto', true) | list }}"
 
+l3_agent_extensions:
+ - name: "fwaas"
+ enabled: "{{ enable_neutron_fwaas | bool and neutron_fwaas_version == 'v1' }}"
+ - name: "fwaas_v2"
+ enabled: "{{ enable_neutron_fwaas | bool and neutron_fwaas_version == 'v2' }}"
+
+neutron_l3_agent_extensions: "{{ l3_agent_extensions | selectattr('enabled', 'equalto', true) | list }}"
+
 ####################
 # VMware NSXV
 ####################
diff --git a/ansible/roles/neutron/templates/fwaas_driver.ini.j2 b/ansible/roles/neutron/templates/fwaas_driver.ini.j2
index 272e5049cf..01b4391ead 100644
--- a/ansible/roles/neutron/templates/fwaas_driver.ini.j2
+++ b/ansible/roles/neutron/templates/fwaas_driver.ini.j2
@@ -4,7 +4,13 @@ enabled = True
 {% if neutron_plugin_agent == 'vmware_nsxv' %}
 driver = vmware_nsxv_edge
 {% else %}
+{% if neutron_fwaas_version == 'v1' %}
+agent_version = v1
 driver = iptables
+{% elif neutron_fwaas_version == 'v2' %}
+agent_version = v2
+driver = iptables_v2
+{% endif %}
 
 [service_providers]
 service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
diff --git a/ansible/roles/neutron/templates/l3_agent.ini.j2 b/ansible/roles/neutron/templates/l3_agent.ini.j2
index 99282dee7b..37285ce294 100644
--- a/ansible/roles/neutron/templates/l3_agent.ini.j2
+++ b/ansible/roles/neutron/templates/l3_agent.ini.j2
@@ -12,9 +12,9 @@ agent_mode = legacy
 {% if enable_neutron_agent_ha | bool %}
 ha_vrrp_health_check_interval = 5
 {% endif %}
-{% if enable_neutron_fwaas | bool %}
 [agent]
-extensions = fwaas
+{% if neutron_l3_agent_extensions %}
+extensions = "{{ neutron_l3_agent_extensions|map(attribute='name')|join(',') }}"
 {% endif %}
 
 [ovs]
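Review bot: In the `fwaas_driver.ini.j2` hunk the `[service_providers]` stanza still renders only `service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default` whatever `neutron_fwaas_version` is, while the new `{% elif neutron_fwaas_version == 'v2' %}` branch only changes `agent_version` and `driver`. The v2 plugin registers its providers under the `FIREWALL_V2` service type rather than `FIREWALL`, so unless the neutron-fwaas release being deployed supplies a built-in default for v2 this leaves `firewall_v2` without a usable provider; this is inferred from the hunk, not verified here, and is worth checking against the release notes before merging. If it holds, the fix is to make the provider line version-dependent too, e.g. `service_provider = FIREWALL_V2:<provider-name>:<driver-class>:default` in the v2 branch (placeholder values, to be filled from the neutron-fwaas documentation). The enclosing `{% else %}` block opened before the hunk continues past it.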
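Review bot: In the `l3_agent.ini.j2` hunk the added `extensions = "{{ neutron_l3_agent_extensions|map(attribute='name')|join(',') }}"` is the only quoted value in this template — `agent_mode = legacy` and `ha_vrrp_health_check_interval = 5` in the same hunk are bare, and the removed line was the bare `extensions = fwaas`. oslo.config strips a matching pair of surrounding quotes from an INI value, so the comma-separated list should still parse, but the quotes suggest to a reader that they are significant; `extensions = {{ neutron_l3_agent_extensions|map(attribute='name')|join(',') }}` matches the rest of the file. Note also that `[agent]` is now emitted even when the extension list is empty, since the `{% if %}` moved from around the section to around the option; an empty section is harmless to oslo.config but is a visible change from the old rendering.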