Merge pull request #136 from stackhpc/upstream/zed-2024-04-01

Synchronise zed with upstream

Author: markgoddard

neutron/agent/linux/iptables_firewall.py

@@ -599,9 +599,15 @@ def _select_sg_rules_for_port(self, port, direction):
                                 rule, port, direction))
         return port_rules
 
+    def _get_any_remote_group_id_in_rule(self, rule):
+        remote_group_id = rule.get('remote_group_id')
+        if not remote_group_id:
+            remote_group_id = rule.get('remote_address_group_id')
+        return remote_group_id
+
     def _expand_sg_rule_with_remote_ips(self, rule, port, direction):
         """Expand a remote group rule to rule per remote group IP."""
-        remote_group_id = rule.get('remote_group_id')
+        remote_group_id = self._get_any_remote_group_id_in_rule(rule)
         if remote_group_id:
             ethertype = rule['ethertype']
             port_ips = port.get('fixed_ips', [])
@@ -623,7 +629,7 @@ def _get_remote_sg_ids(self, port, direction=None):
         for sg_id in sg_ids:
             for rule in self.sg_rules.get(sg_id, []):
                 if not direction or rule['direction'] == direction:
-                    remote_sg_id = rule.get('remote_group_id')
+                    remote_sg_id = self._get_any_remote_group_id_in_rule(rule)
                     ether_type = rule.get('ethertype')
                     if remote_sg_id and ether_type:
                         remote_sg_ids[ether_type].add(remote_sg_id)
@@ -703,7 +709,7 @@ def _generate_plain_rule_args(self, sg_rule):
         return args
 
     def _convert_sg_rule_to_iptables_args(self, sg_rule):
-        remote_gid = sg_rule.get('remote_group_id')
+        remote_gid = self._get_any_remote_group_id_in_rule(sg_rule)
         if self.enable_ipset and remote_gid:
             return self._generate_ipset_rule_args(sg_rule, remote_gid)
         else:

neutron/tests/unit/agent/linux/test_iptables_firewall.py

@@ -2333,6 +2333,22 @@ def test_filter_defer_apply_off_with_sg_only_ipv6_rule(self):
 
         self.firewall.ipset.assert_has_calls(calls, True)
 
+    def test__get_any_remote_group_id_in_rule_with_remote_group(self):
+        sg_rule = {'direction': 'ingress',
+                   'remote_group_id': FAKE_SGID,
+                   'ethertype': _IPv4}
+
+        self.assertEqual(FAKE_SGID,
+            self.firewall._get_any_remote_group_id_in_rule(sg_rule))
+
+    def test__get_any_remote_group_id_in_rule_with_remote_address_group(self):
+        sg_rule = {'direction': 'ingress',
+                   'remote_address_group_id': FAKE_SGID,
+                   'ethertype': _IPv6}
+
+        self.assertEqual(FAKE_SGID,
+            self.firewall._get_any_remote_group_id_in_rule(sg_rule))
+
     def test_sg_rule_expansion_with_remote_ips(self):
         other_ips = [('10.0.0.2', 'fa:16:3e:aa:bb:c1'),
                      ('10.0.0.3', 'fa:16:3e:aa:bb:c2'),

releasenotes/notes/iptables-support-remote-address-groups-89da589aad3c01d3.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Remote address group support was added to the iptables-based firewall
+    drivers (IptablesFirewallDriver and OVSHybridIptablesFirewallDriver),
+    Previously it was only available in the OVSFirewallDriver.
+    For more information, see bug
+    `2058138 <https://bugs.launchpad.net/neutron/+bug/2058138>`_.