Inform a client if Quantum provides port filtering feature

Part of blueprint vif-plugging-improvements

Quantum and Nova have duplicated functionality of packet filtering
such as security groups and anti spoofing filters.
By passing information whether Quantum supports the port filtering feature,
Nova VIF driver can skip its own packet filtering setup.

It is based on Daniel's advise in https://review.openstack.org/#/c/19436/

Change-Id: Ifd260cb61aa3990251510a4a3fe15454d8d584df

diff --git a/quantum/extensions/portbindings.py b/quantum/extensions/portbindings.py
index e3276c86f73eb9d35c40e7859bf075f090c236c6..5368985114e98f1fdcbd62f134035a2c0b906336 100644 (file)
--- a/quantum/extensions/portbindings.py
+++ b/quantum/extensions/portbindings.py
@@ -24,6 +24,12 @@ HOST_ID = 'binding:host_id'
 # on the specific host to pass and receive vif port specific information to
 # the plugin.
 PROFILE = 'binding:profile'
+# The capabilities will be a dictionary that enables pass information about
+# functionalies quantum provides. The following value should be provided.
+#  - port_filter : Boolean value indicating Quantum provides port filtering
+#                  features such as security group and anti MAC/IP spoofing
+CAPABILITIES = 'binding:capabilities'
+CAP_PORT_FILTER = 'port_filter'
 
 VIF_TYPE_OVS = 'ovs'
 VIF_TYPE_BRIDGE = 'bridge'
@@ -41,7 +47,11 @@ EXTENDED_ATTRIBUTES_2_0 = {
                   'is_visible': True},
         PROFILE: {'allow_post': True, 'allow_put': True,
                   'default': attributes.ATTR_NOT_SPECIFIED,
+                  'validate': {'type:dict': None},
                   'is_visible': True},
+        CAPABILITIES: {'allow_post': False, 'allow_put': False,
+                       'default': attributes.ATTR_NOT_SPECIFIED,
+                       'is_visible': True},
     }
 }
 

diff --git a/quantum/plugins/linuxbridge/lb_quantum_plugin.py b/quantum/plugins/linuxbridge/lb_quantum_plugin.py
index 4267d9ac019347ed15bfbd9821e715f03f5ce075..995dbb910134472c8d74e845ab39526e4e2f465a 100644 (file)
--- a/quantum/plugins/linuxbridge/lb_quantum_plugin.py
+++ b/quantum/plugins/linuxbridge/lb_quantum_plugin.py
@@ -431,6 +431,9 @@ class LinuxBridgePluginV2(db_base_plugin_v2.QuantumDbPluginV2,
     def _extend_port_dict_binding(self, context, port):
         if self._check_view_auth(context, port, self.binding_view):
             port[portbindings.VIF_TYPE] = portbindings.VIF_TYPE_BRIDGE
+            port[portbindings.CAPABILITIES] = {
+                portbindings.CAP_PORT_FILTER:
+                'security-group' in self.supported_extension_aliases}
         return port
 
     def get_port(self, context, id, fields=None):

diff --git a/quantum/tests/unit/linuxbridge/test_linuxbridge_plugin.py b/quantum/tests/unit/linuxbridge/test_linuxbridge_plugin.py
index c27a2098fcce07ebdccbac7663a5e615819c59b3..3eed40fde48163876956e6eab5b20306a362585f 100644 (file)
--- a/quantum/tests/unit/linuxbridge/test_linuxbridge_plugin.py
+++ b/quantum/tests/unit/linuxbridge/test_linuxbridge_plugin.py
@@ -48,8 +48,10 @@ class TestLinuxBridgePortsV2(test_plugin.TestPortsV2,
         plugin = QuantumManager.get_plugin()
         with self.port(name='name') as port:
             port_id = port['port']['id']
-            self.assertEqual(port['port']['binding:vif_type'],
+            self.assertEqual(port['port'][portbindings.VIF_TYPE],
                              portbindings.VIF_TYPE_BRIDGE)
+            port_cap = port['port'][portbindings.CAPABILITIES]
+            self.assertEqual(port_cap[portbindings.CAP_PORT_FILTER], True)
             # By default user is admin - now test non admin user
             ctx = context.Context(user_id=None,
                                   tenant_id=self._tenant_id,
@@ -57,7 +59,8 @@ class TestLinuxBridgePortsV2(test_plugin.TestPortsV2,
                                   read_deleted="no")
             non_admin_port = plugin.get_port(ctx, port_id)
             self.assertTrue('status' in non_admin_port)
-            self.assertFalse('binding:vif_type' in non_admin_port)
+            self.assertFalse(portbindings.VIF_TYPE in non_admin_port)
+            self.assertFalse(portbindings.CAPABILITIES in non_admin_port)
 
     def test_ports_vif_details(self):
         cfg.CONF.set_default('allow_overlapping_ips', True)
@@ -67,8 +70,10 @@ class TestLinuxBridgePortsV2(test_plugin.TestPortsV2,
             ports = plugin.get_ports(ctx)
             self.assertEqual(len(ports), 2)
             for port in ports:
-                self.assertEqual(port['binding:vif_type'],
+                self.assertEqual(port[portbindings.VIF_TYPE],
                                  portbindings.VIF_TYPE_BRIDGE)
+                port_cap = port[portbindings.CAPABILITIES]
+                self.assertEqual(port_cap[portbindings.CAP_PORT_FILTER], True)
             # By default user is admin - now test non admin user
             ctx = context.Context(user_id=None,
                                   tenant_id=self._tenant_id,
@@ -78,7 +83,9 @@ class TestLinuxBridgePortsV2(test_plugin.TestPortsV2,
             self.assertEqual(len(ports), 2)
             for non_admin_port in ports:
                 self.assertTrue('status' in non_admin_port)
-                self.assertFalse('binding:vif_type' in non_admin_port)
+                self.assertFalse(portbindings.VIF_TYPE in non_admin_port)
+                self.assertFalse(portbindings.CAP_PORT_FILTER
+                                 in non_admin_port)
 
 
 class TestLinuxBridgeNetworksV2(test_plugin.TestNetworksV2,