From 7c64d5ea8e2ff302c7960c444d23a9f2de849b07 Mon Sep 17 00:00:00 2001 From: Chandan Dutta Chowdhury Date: Tue, 18 Oct 2016 13:11:56 +0000 Subject: [PATCH] Add support for Neutron FWaaS v2 This patch adds support for deploying Neutron FWaaS v2 with OpenStack Ansible Change-Id: I2eae414fba7ddfac44ad6f5125e08740dc7a80a2 --- defaults/main.yml | 2 +- doc/source/configure-network-services.rst | 40 +++++++++++++++++++ .../notes/fwaasv2-added-ab9ba18c8b98a83e.yaml | 4 ++ tasks/main.yml | 3 ++ tasks/neutron_check.yml | 23 +++++++++++ templates/l3_agent.ini.j2 | 22 ++++++++++ templates/neutron.conf.j2 | 8 ---- vars/main.yml | 3 +- 8 files changed, 95 insertions(+), 10 deletions(-) create mode 100644 releasenotes/notes/fwaasv2-added-ab9ba18c8b98a83e.yaml create mode 100644 tasks/neutron_check.yml diff --git a/defaults/main.yml b/defaults/main.yml index cd964a11..4dd6975f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -243,7 +243,7 @@ neutron_notifications_designate: notifications_designate # Other plugins can be added to the system by simply extending the list `neutron_plugin_base`. # neutron_plugin_base: # - router -# - firewall +# - firewall/firewall_v2 either one or the other, not both # - lbaas # - neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2 # - neutron_dynamic_routing.services.bgp.bgp_plugin.BgpPlugin diff --git a/doc/source/configure-network-services.rst b/doc/source/configure-network-services.rst index bb17bf4e..7dec27d0 100644 --- a/doc/source/configure-network-services.rst +++ b/doc/source/configure-network-services.rst @@ -29,6 +29,9 @@ Firewall service (optional) The following procedure describes how to modify the ``/etc/openstack_deploy/user_variables.yml`` file to enable FWaaS. +Deploying FWaaS v1 +------------------ + #. Override the default list of neutron plugins to include ``firewall``: 
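Review bot: The example entry `# - firewall/firewall_v2 either one or the other, not both` in defaults/main.yml reads as one literal list item, so a deployer uncommenting the block would get a plugin name that does not exist; the mutual exclusion is better expressed as two entries with the constraint in a trailing comment. Suggested: `# - firewall       # FWaaS v1` / `# - firewall_v2    # FWaaS v2 (mutually exclusive with firewall)`.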
@@ -68,6 +71,43 @@ The FWaaS default configuration options may be changed through the `conf override`_ mechanism using the ``neutron_neutron_conf_overrides`` dict. +Deploying FWaaS v2 +------------------ + +FWaaS v2 is the next generation Neutron firewall service and will provide +a rich set of APIs for securing OpenStack networks. It is still under +active development. + +Refer to the `FWaaS 2.0 API specification +`_ +for more information on these FWaaS v2 features + +Follow the steps below to deploy FWaaS v2: + +.. note:: + FWaaS v1 and v2 cannot be deployed simultaneously. + +#. Add the FWaaS v2 plugin to the ``neutron_plugin_base`` variable + in ``/etc/openstack_deploy/user_variables.yml``: + + .. code-block:: yaml + + neutron_plugin_base: + - router + - metering + - firewall_v2 + + Ensure that ``neutron_plugin_base`` includes all of the plugins that you + want to deploy with neutron in addition to the firewall_v2 plugin. + +#. Run the neutron playbook to deploy the FWaaS v2 service plugin + + .. code-block:: console + + # cd /opt/openstack-ansible/playbooks + # openstack-ansible os-neutron-install.yml + + Load balancing service (optional) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/releasenotes/notes/fwaasv2-added-ab9ba18c8b98a83e.yaml b/releasenotes/notes/fwaasv2-added-ab9ba18c8b98a83e.yaml new file mode 100644 index 00000000..8cc3c783 --- /dev/null +++ b/releasenotes/notes/fwaasv2-added-ab9ba18c8b98a83e.yaml @@ -0,0 +1,4 @@ +--- +features: + - FWaaS V2 has been added to neutron. To enable this service simply add + "firewall_v2" to the "neutron_plugin_base" list. diff --git a/tasks/main.yml b/tasks/main.yml index aea234f0..c0d70d25 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -13,6 +13,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +- include: neutron_check.yml + + - name: Gather variables for each operating system include_vars: "{{ item }}" with_first_found: 
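Review bot: The new `- include: neutron_check.yml` in tasks/main.yml carries no `tags`, so if the role's other task includes are tag-filtered (they are outside this hunk, so this is inferred from the role's layout rather than visible here), a run restricted with `--tags` would skip the v1/v2 exclusivity guard while still rendering the agent templates. Consider giving the include the same tags the other includes use, e.g. `- include: neutron_check.yml` / `  tags:` / `    - <same tag as the other task includes>`. The two blank lines inserted after the include are also one more than the spacing used between the surrounding tasks.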
diff --git a/tasks/neutron_check.yml b/tasks/neutron_check.yml new file mode 100644 index 00000000..f646c889 --- /dev/null +++ b/tasks/neutron_check.yml @@ -0,0 +1,23 @@ +--- +# Copyright 2016 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Ensure FWaaS v1 and v2 are not enabled simultaneously + fail: + message: | + FWaaS v1 and v2 cannot be enabled at the same time. + Verify that your neutron_plugin_base variable is correct. + when: + - neutron_fwaas | bool + - neutron_fwaas_v2 | bool diff --git a/templates/l3_agent.ini.j2 b/templates/l3_agent.ini.j2 index 1da68707..2f39c5ea 100644 --- a/templates/l3_agent.ini.j2 +++ b/templates/l3_agent.ini.j2 @@ -27,3 +27,25 @@ send_arp_for_ha = 3 # Metadata enable_metadata_proxy = True + +{% if neutron_fwaas | bool %} + +[fwaas] +enabled = true +driver = iptables +agent_version = v1 + +[AGENT] +extensions = fwaas + +{% elif neutron_fwaas_v2 | bool %} + +[fwaas] +enabled = true +driver = iptables_v2 +agent_version = v2 + +[AGENT] +extensions = fwaas_v2 + +{% endif %} diff --git a/templates/neutron.conf.j2 b/templates/neutron.conf.j2 index 561c1a71..03e7e682 100644 --- a/templates/neutron.conf.j2 +++ b/templates/neutron.conf.j2 @@ -206,12 +206,6 @@ auth_version = 3 {% endif %} -{% if neutron_fwaas | bool %} -[fwaas] -enabled = true -driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver -{% endif %} - # Agent [agent] polling_interval = {{ neutron_agent_polling_interval|default(5) }} 
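Review bot: The `fail` module takes its text through `msg`, not `message`, so the explanatory block under `message: |` in tasks/neutron_check.yml is never shown: depending on the Ansible version the task either stops with the generic `Failed as requested from task` or rejects the parameter outright. Change the key to `msg: |` and keep the two indented lines below it as they are. Since the guard only fires when both `neutron_fwaas | bool` and `neutron_fwaas_v2 | bool` hold, it is worth a functional test that lists both plugins and expects this task to fail, because a false-negative here would let the template in l3_agent.ini.j2 silently pick v1.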
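Review bot: The `{% if neutron_fwaas | bool %}` / `{% elif neutron_fwaas_v2 | bool %}` chain in l3_agent.ini.j2 duplicates the `[fwaas]` and `[AGENT]` sections with only three values differing, and it quietly prefers v1 whenever both flags are true, leaving that case to the separate neutron_check.yml task. Deriving the three values from one boolean keeps the rendered section in a single place and makes the v1 preference explicit for whoever reads the template next. The block below renders byte-for-byte the same output as the two branches for the v1-only and v2-only cases.
```jinja
{# … unchanged: [DEFAULT] settings including enable_metadata_proxy … #}

{% if neutron_fwaas | bool or neutron_fwaas_v2 | bool %}
{# v1 wins when both flags are set, matching the original if/elif order;
   neutron_check.yml is expected to reject that combination earlier #}
{% set fwaas_v2 = (neutron_fwaas_v2 | bool) and not (neutron_fwaas | bool) %}

[fwaas]
enabled = true
driver = {{ 'iptables_v2' if fwaas_v2 else 'iptables' }}
agent_version = {{ 'v2' if fwaas_v2 else 'v1' }}

[AGENT]
extensions = {{ 'fwaas_v2' if fwaas_v2 else 'fwaas' }}

{% endif %}
```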
@@ -241,5 +235,3 @@ transport_url = rabbit://{% for host in neutron_rabbitmq_telemetry_servers.split # Concurrency (locking mechanisms) [oslo_concurrency] lock_path = {{ neutron_lock_path }} - - diff --git a/vars/main.yml b/vars/main.yml index 6778a85c..4c7e67af 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -265,7 +265,8 @@ neutron_metadata: "{% if neutron_plugin_type.split('.')[0] == 'ml2' %}True{% els ### # Please add the 'firewall' to the neutron_plugin_base list -neutron_fwaas: "{% if 'firewall' in neutron_plugin_base %}True{% else %}False{% endif %}" +neutron_fwaas: "{{ 'firewall' in neutron_plugin_base | ternary('True', 'False') }}" +neutron_fwaas_v2: "{{ 'firewall_v2' in neutron_plugin_base | ternary('True', 'False') }}" ### ### LBaaS Plugin Configuration
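Review bot: Both new expressions in vars/main.yml parse the wrong way round: in Jinja2 a filter binds tighter than `in`, so `'firewall' in neutron_plugin_base | ternary('True', 'False')` is evaluated as `'firewall' in (neutron_plugin_base | ternary('True', 'False'))`, a substring test of `'firewall'` against the string `'True'` (or `'False'` for an empty list), which is always false. `neutron_fwaas` and `neutron_fwaas_v2` therefore never become true, so the `[fwaas]`/`[AGENT]` sections in l3_agent.ini.j2 are never rendered and the guard in neutron_check.yml never fires, while the plugin list presumably still enables the service plugin on neutron-server; the likely outcome is firewall policies accepted by the API but not enforced by the L3 agents. Parenthesise the membership test: `neutron_fwaas: "{{ ('firewall' in neutron_plugin_base) | ternary('True', 'False') }}"` and `neutron_fwaas_v2: "{{ ('firewall_v2' in neutron_plugin_base) | ternary('True', 'False') }}"`. The removed `{% if 'firewall' in neutron_plugin_base %}` form did not have this problem, so a test asserting the variable renders `True` when the plugin is listed would have caught the regression.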