Merge pull request #232 from stackhpc/upstream/2025.1-2025-10-06

Synchronise 2025.1 with upstream

Author: mnasiadka

neutron/conf/policies/l3_conntrack_helper.py

@@ -32,7 +32,7 @@
         name='create_router_conntrack_helper',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Create a router conntrack helper',
         operations=[
@@ -51,7 +51,7 @@
         name='get_router_conntrack_helper',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_READER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_READER),
         scope_types=['project'],
         description='Get a router conntrack helper',
         operations=[
@@ -74,7 +74,7 @@
         name='update_router_conntrack_helper',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Update a router conntrack helper',
         operations=[
@@ -93,7 +93,7 @@
         name='delete_router_conntrack_helper',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Delete a router conntrack helper',
         operations=[

neutron/conf/policies/local_ip_association.py

@@ -29,7 +29,7 @@
         name='create_local_ip_port_association',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Create a Local IP port association',
         operations=[
@@ -48,7 +48,7 @@
         name='get_local_ip_port_association',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_READER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_READER),
         scope_types=['project'],
         description='Get a Local IP port association',
         operations=[
@@ -71,7 +71,7 @@
         name='delete_local_ip_port_association',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Delete a Local IP port association',
         operations=[

neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_tun.py

@@ -15,8 +15,11 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from neutron_lib import constants as lib_constants
 from neutron_lib.plugins.ml2 import ovs_constants as constants
 from os_ken.lib.packet import ether_types
+from os_ken.lib.packet import icmpv6
+from os_ken.lib.packet import in_proto
 
 from neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native \
     import br_dvr_process
@@ -33,6 +36,62 @@ class OVSTunnelBridge(ovs_bridge.OVSAgentBridge,
     dvr_process_next_table_id = constants.PATCH_LV_TO_TUN
     of_tables = constants.TUN_BR_ALL_TABLES
 
+    def _setup_learn_flows(self, ofpp, patch_int_ofport):
+        flow_specs = [
+            ofpp.NXFlowSpecMatch(src=('vlan_tci', 0),
+                                 dst=('vlan_tci', 0),
+                                 n_bits=12),
+            ofpp.NXFlowSpecMatch(src=('eth_src', 0),
+                                 dst=('eth_dst', 0),
+                                 n_bits=48),
+            ofpp.NXFlowSpecLoad(src=0,
+                                dst=('vlan_tci', 0),
+                                n_bits=16),
+            ofpp.NXFlowSpecLoad(src=('tunnel_id', 0),
+                                dst=('tunnel_id', 0),
+                                n_bits=64),
+            ofpp.NXFlowSpecOutput(src=('in_port', 0),
+                                  dst='',
+                                  n_bits=32),
+        ]
+        actions = [
+            ofpp.NXActionLearn(table_id=constants.UCAST_TO_TUN,
+                               cookie=self.default_cookie,
+                               priority=1,
+                               hard_timeout=300,
+                               specs=flow_specs),
+            ofpp.OFPActionOutput(patch_int_ofport, 0),
+        ]
+
+        arp_match = ofpp.OFPMatch(
+            eth_type=ether_types.ETH_TYPE_ARP,
+            arp_tha=lib_constants.BROADCAST_MAC
+        )
+        ipv6_ra_match = ofpp.OFPMatch(
+            eth_type=ether_types.ETH_TYPE_IPV6,
+            ip_proto=in_proto.IPPROTO_ICMPV6,
+            icmpv6_type=icmpv6.ND_ROUTER_ADVERT)  # icmp_type=134
+        ipv6_na_match = ofpp.OFPMatch(
+            eth_type=ether_types.ETH_TYPE_IPV6,
+            ip_proto=in_proto.IPPROTO_ICMPV6,
+            icmpv6_type=icmpv6.ND_NEIGHBOR_ADVERT)  # icmp_type=136
+
+        self.install_apply_actions(table_id=constants.LEARN_FROM_TUN,
+                                   priority=2,
+                                   match=arp_match,
+                                   actions=actions)
+        self.install_apply_actions(table_id=constants.LEARN_FROM_TUN,
+                                   priority=2,
+                                   match=ipv6_ra_match,
+                                   actions=actions)
+        self.install_apply_actions(table_id=constants.LEARN_FROM_TUN,
+                                   priority=2,
+                                   match=ipv6_na_match,
+                                   actions=actions)
+        self.install_apply_actions(table_id=constants.LEARN_FROM_TUN,
+                                   priority=1,
+                                   actions=actions)
+
     def setup_default_table(
             self, patch_int_ofport, arp_responder_enabled, dvr_enabled):
         (dp, ofp, ofpp) = self._get_dp()
@@ -81,34 +140,7 @@ def setup_default_table(
         # dynamically set-up flows in UCAST_TO_TUN corresponding to remote mac
         # addresses (assumes that lvid has already been set by a previous flow)
         # Once remote mac addresses are learnt, output packet to patch_int
-        flow_specs = [
-            ofpp.NXFlowSpecMatch(src=('vlan_tci', 0),
-                                 dst=('vlan_tci', 0),
-                                 n_bits=12),
-            ofpp.NXFlowSpecMatch(src=('eth_src', 0),
-                                 dst=('eth_dst', 0),
-                                 n_bits=48),
-            ofpp.NXFlowSpecLoad(src=0,
-                                dst=('vlan_tci', 0),
-                                n_bits=16),
-            ofpp.NXFlowSpecLoad(src=('tunnel_id', 0),
-                                dst=('tunnel_id', 0),
-                                n_bits=64),
-            ofpp.NXFlowSpecOutput(src=('in_port', 0),
-                                  dst='',
-                                  n_bits=32),
-        ]
-        actions = [
-            ofpp.NXActionLearn(table_id=constants.UCAST_TO_TUN,
-                               cookie=self.default_cookie,
-                               priority=1,
-                               hard_timeout=300,
-                               specs=flow_specs),
-            ofpp.OFPActionOutput(patch_int_ofport, 0),
-        ]
-        self.install_apply_actions(table_id=constants.LEARN_FROM_TUN,
-                                   priority=1,
-                                   actions=actions)
+        self._setup_learn_flows(ofpp, patch_int_ofport)
 
         # Egress unicast will be handled in table UCAST_TO_TUN, where remote
         # mac addresses will be learned. For now, just add a default flow that

neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py

@@ -29,18 +29,29 @@ def setUp(self):
         self.router = {
             'id': uuidutils.generate_uuid(),
             'project_id': self.project_id}
+        self.alt_router = {
+            'id': uuidutils.generate_uuid(),
+            'project_id': self.alt_project_id}
+
         self.target = {
             'project_id': self.project_id,
             'router_id': self.router['id'],
             'ext_parent_router_id': self.router['id']}
-
         self.alt_target = {
             'project_id': self.alt_project_id,
-            'router_id': self.router['id'],
-            'ext_parent_router_id': self.router['id']}
+            'router_id': self.alt_router['id'],
+            'ext_parent_router_id': self.alt_router['id']}
+
+        routers = {
+            self.router['id']: self.router,
+            self.alt_router['id']: self.alt_router,
+        }
+
+        def get_router(context, router_id, fields=None):
+            return routers[router_id]
 
         self.plugin_mock = mock.Mock()
-        self.plugin_mock.get_router.return_value = self.router
+        self.plugin_mock.get_router.side_effect = get_router
         mock.patch(
             'neutron_lib.plugins.directory.get_plugin',
             return_value=self.plugin_mock).start()

neutron/tests/unit/conf/policies/test_local_ip_association.py

@@ -29,18 +29,29 @@ def setUp(self):
         self.local_ip = {
             'id': uuidutils.generate_uuid(),
             'project_id': self.project_id}
+        self.alt_local_ip = {
+            'id': uuidutils.generate_uuid(),
+            'project_id': self.alt_project_id}
 
         self.target = {
             'project_id': self.project_id,
             'local_ip_id': self.local_ip['id'],
             'ext_parent_local_ip_id': self.local_ip['id']}
         self.alt_target = {
             'project_id': self.alt_project_id,
-            'local_ip_id': self.local_ip['id'],
-            'ext_parent_local_ip_id': self.local_ip['id']}
+            'local_ip_id': self.alt_local_ip['id'],
+            'ext_parent_local_ip_id': self.alt_local_ip['id']}
+
+        local_ips = {
+            self.local_ip['id']: self.local_ip,
+            self.alt_local_ip['id']: self.alt_local_ip,
+        }
+
+        def get_local_ip(context, lip_id, fields=None):
+            return local_ips[lip_id]
 
         self.plugin_mock = mock.Mock()
-        self.plugin_mock.get_local_ip.return_value = self.local_ip
+        self.plugin_mock.get_local_ip.side_effect = get_local_ip
         mock.patch(
             'neutron_lib.plugins.directory.get_plugin',
             return_value=self.plugin_mock).start()