Inform a client if Quantum provides port filtering feature

Part of blueprint vif-plugging-improvements

Quantum and Nova have duplicated functionality of packet filtering
such as security groups and anti spoofing filters.
By passing information whether Quantum supports the port filtering feature,
Nova VIF driver can skip its own packet filtering setup.

It is based on Daniel's advise in https://review.openstack.org/#/c/19436/

Change-Id: Ifd260cb61aa3990251510a4a3fe15454d8d584df
This commit is contained in:
Akihiro MOTOKI 2013-01-12 21:42:32 +09:00
parent 1af1475767
commit 0fa51abd49
3 changed files with 24 additions and 4 deletions

View File

@ -24,6 +24,12 @@ HOST_ID = 'binding:host_id'
# on the specific host to pass and receive vif port specific information to # on the specific host to pass and receive vif port specific information to
# the plugin. # the plugin.
PROFILE = 'binding:profile' PROFILE = 'binding:profile'
# The capabilities will be a dictionary that enables pass information about
# functionalies quantum provides. The following value should be provided.
# - port_filter : Boolean value indicating Quantum provides port filtering
# features such as security group and anti MAC/IP spoofing
CAPABILITIES = 'binding:capabilities'
CAP_PORT_FILTER = 'port_filter'
VIF_TYPE_OVS = 'ovs' VIF_TYPE_OVS = 'ovs'
VIF_TYPE_BRIDGE = 'bridge' VIF_TYPE_BRIDGE = 'bridge'
@ -40,6 +46,10 @@ EXTENDED_ATTRIBUTES_2_0 = {
'default': attributes.ATTR_NOT_SPECIFIED, 'default': attributes.ATTR_NOT_SPECIFIED,
'is_visible': True}, 'is_visible': True},
PROFILE: {'allow_post': True, 'allow_put': True, PROFILE: {'allow_post': True, 'allow_put': True,
'default': attributes.ATTR_NOT_SPECIFIED,
'validate': {'type:dict': None},
'is_visible': True},
CAPABILITIES: {'allow_post': False, 'allow_put': False,
'default': attributes.ATTR_NOT_SPECIFIED, 'default': attributes.ATTR_NOT_SPECIFIED,
'is_visible': True}, 'is_visible': True},
} }

View File

@ -431,6 +431,9 @@ class LinuxBridgePluginV2(db_base_plugin_v2.QuantumDbPluginV2,
def _extend_port_dict_binding(self, context, port): def _extend_port_dict_binding(self, context, port):
if self._check_view_auth(context, port, self.binding_view): if self._check_view_auth(context, port, self.binding_view):
port[portbindings.VIF_TYPE] = portbindings.VIF_TYPE_BRIDGE port[portbindings.VIF_TYPE] = portbindings.VIF_TYPE_BRIDGE
port[portbindings.CAPABILITIES] = {
portbindings.CAP_PORT_FILTER:
'security-group' in self.supported_extension_aliases}
return port return port
def get_port(self, context, id, fields=None): def get_port(self, context, id, fields=None):

View File

@ -48,8 +48,10 @@ class TestLinuxBridgePortsV2(test_plugin.TestPortsV2,
plugin = QuantumManager.get_plugin() plugin = QuantumManager.get_plugin()
with self.port(name='name') as port: with self.port(name='name') as port:
port_id = port['port']['id'] port_id = port['port']['id']
self.assertEqual(port['port']['binding:vif_type'], self.assertEqual(port['port'][portbindings.VIF_TYPE],
portbindings.VIF_TYPE_BRIDGE) portbindings.VIF_TYPE_BRIDGE)
port_cap = port['port'][portbindings.CAPABILITIES]
self.assertEqual(port_cap[portbindings.CAP_PORT_FILTER], True)
# By default user is admin - now test non admin user # By default user is admin - now test non admin user
ctx = context.Context(user_id=None, ctx = context.Context(user_id=None,
tenant_id=self._tenant_id, tenant_id=self._tenant_id,
@ -57,7 +59,8 @@ class TestLinuxBridgePortsV2(test_plugin.TestPortsV2,
read_deleted="no") read_deleted="no")
non_admin_port = plugin.get_port(ctx, port_id) non_admin_port = plugin.get_port(ctx, port_id)
self.assertTrue('status' in non_admin_port) self.assertTrue('status' in non_admin_port)
self.assertFalse('binding:vif_type' in non_admin_port) self.assertFalse(portbindings.VIF_TYPE in non_admin_port)
self.assertFalse(portbindings.CAPABILITIES in non_admin_port)
def test_ports_vif_details(self): def test_ports_vif_details(self):
cfg.CONF.set_default('allow_overlapping_ips', True) cfg.CONF.set_default('allow_overlapping_ips', True)
@ -67,8 +70,10 @@ class TestLinuxBridgePortsV2(test_plugin.TestPortsV2,
ports = plugin.get_ports(ctx) ports = plugin.get_ports(ctx)
self.assertEqual(len(ports), 2) self.assertEqual(len(ports), 2)
for port in ports: for port in ports:
self.assertEqual(port['binding:vif_type'], self.assertEqual(port[portbindings.VIF_TYPE],
portbindings.VIF_TYPE_BRIDGE) portbindings.VIF_TYPE_BRIDGE)
port_cap = port[portbindings.CAPABILITIES]
self.assertEqual(port_cap[portbindings.CAP_PORT_FILTER], True)
# By default user is admin - now test non admin user # By default user is admin - now test non admin user
ctx = context.Context(user_id=None, ctx = context.Context(user_id=None,
tenant_id=self._tenant_id, tenant_id=self._tenant_id,
@ -78,7 +83,9 @@ class TestLinuxBridgePortsV2(test_plugin.TestPortsV2,
self.assertEqual(len(ports), 2) self.assertEqual(len(ports), 2)
for non_admin_port in ports: for non_admin_port in ports:
self.assertTrue('status' in non_admin_port) self.assertTrue('status' in non_admin_port)
self.assertFalse('binding:vif_type' in non_admin_port) self.assertFalse(portbindings.VIF_TYPE in non_admin_port)
self.assertFalse(portbindings.CAP_PORT_FILTER
in non_admin_port)
class TestLinuxBridgeNetworksV2(test_plugin.TestNetworksV2, class TestLinuxBridgeNetworksV2(test_plugin.TestNetworksV2,