Refactor IpsetManager to have proper separation of concerns

Registered by Miguel Angel Ajo on 2014-12-05

IptablesFirewallDriver and IpsetManager don't have a proper separation of concerns:
the current implementation of IptablesFirewallDriver has a lot of low-level knowledge
about how ipset works and how to optimize the way we work with IP sets.

There are also misleading references to ipsets as "ipset_chains" in IptablesFirewallDriver;
those references should be corrected to "ipsets" or "sets" to avoid confusion.

This change should not modify functionality, and unit tests checking the
specific knowledge previously handled in IptablesFirewallDriver should be moved
to talk to the IpsetManager now.

The intent here is to provide a better foundation for later L2 agent refactors, which would
otherwise run into the same issues with the IpsetManager and need to partially reimplement
its logic.

Blueprint information

Status: Complete
Approver: Kyle Mestery
Priority: High
Drafter: Miguel Angel Ajo
Direction: Approved
Assignee: Miguel Angel Ajo
Definition: Approved
Series goal: Accepted for kilo
Implementation: Implemented
Milestone target: 2015.1.0
Started by: Miguel Angel Ajo
Completed by: Miguel Angel Ajo

Whiteboard

December-18 (mestery): Kilo-2.

Gerrit topic: https://review.openstack.org/#q,topic:bp/ipset-manager-refactor,n,z

Addressed by: https://review.openstack.org/120806
    IpsetManager refactoring

amotoki (Dec 8, 2014)
Originally this work was planned as a part of blueprint https://blueprints.launchpad.net/neutron/+spec/add-ipset-to-security (which was implemented in Juno). This blueprint is to track the progress of remaining security group refactoring work since it consists of multiple patches.
Mark and I suggested to ajo to register this. This work is very straightforward and I believe it can be approved without a corresponding spec review. I suggest to target this to Kilo-1.
