octavia 14.0.0.0rc1__py3-none-any.whl → 14.0.2__py3-none-any.whl

octavia/controller/worker/v2/tasks/network_tasks.py

@@ -536,11 +536,10 @@ class PlugVIPAmphora(BaseNetworkTask):
         """Handle a failure to plumb a vip."""
         if isinstance(result, failure.Failure):
             return
+        lb_id = loadbalancer[constants.LOADBALANCER_ID]
         LOG.warning("Unable to plug VIP for amphora id %s "
                     "load balancer id %s",
-                    amphora.get(constants.ID),
-                    loadbalancer[constants.LOADBALANCER_ID])
-
+                    amphora.get(constants.ID), lb_id)
         try:
             session = db_apis.get_session()
             with session.begin():
@@ -550,15 +549,16 @@ class PlugVIPAmphora(BaseNetworkTask):
                 db_amp.ha_port_id = result[constants.HA_PORT_ID]
                 db_subnet = self.network_driver.get_subnet(
                     subnet[constants.ID])
-                db_lb = self.loadbalancer_repo.get(
-                    session,
-                    id=loadbalancer[constants.LOADBALANCER_ID])
-
+                db_lb = self.loadbalancer_repo.get(session, id=lb_id)
             self.network_driver.unplug_aap_port(db_lb.vip,
                                                 db_amp, db_subnet)
         except Exception as e:
-            LOG.error('Failed to unplug AAP port. Resources may still be in '
-                      'use for VIP: %s due to error: %s', db_lb.vip, str(e))
+            LOG.error(
+                'Failed to unplug AAP port for load balancer: %s. '
+                'Resources may still be in use for VRRP port: %s. '
+                'Due to error: %s',
+                lb_id, result[constants.VRRP_PORT_ID], str(e)
+            )
 
 
 class UnplugVIP(BaseNetworkTask):
@@ -706,7 +706,11 @@ class GetAmphoraNetworkConfigs(BaseNetworkTask):
             db_lb, amphora=db_amp)
         provider_dict = {}
         for amp_id, amp_conf in db_configs.items():
-            provider_dict[amp_id] = amp_conf.to_dict(recurse=True)
+            # Do not serialize loadbalancer class.  It's unused later and
+            # could be ignored for storing in results of task in persistence DB
+            provider_dict[amp_id] = amp_conf.to_dict(
+                recurse=True, calling_classes=[data_models.LoadBalancer]
+            )
         return provider_dict
 
 
@@ -724,7 +728,11 @@ class GetAmphoraNetworkConfigsByID(BaseNetworkTask):
                                                              amphora=amphora)
         provider_dict = {}
         for amp_id, amp_conf in db_configs.items():
-            provider_dict[amp_id] = amp_conf.to_dict(recurse=True)
+            # Do not serialize loadbalancer class.  It's unused later and
+            # could be ignored for storing in results of task in persistence DB
+            provider_dict[amp_id] = amp_conf.to_dict(
+                recurse=True, calling_classes=[data_models.LoadBalancer]
+            )
         return provider_dict
 
 
@@ -740,7 +748,11 @@ class GetAmphoraeNetworkConfigs(BaseNetworkTask):
         db_configs = self.network_driver.get_network_configs(db_lb)
         provider_dict = {}
         for amp_id, amp_conf in db_configs.items():
-            provider_dict[amp_id] = amp_conf.to_dict(recurse=True)
+            # Do not serialize loadbalancer class.  It's unused later and
+            # could be ignored for storing in results of task in persistence DB
+            provider_dict[amp_id] = amp_conf.to_dict(
+                recurse=True, calling_classes=[data_models.LoadBalancer]
+            )
         return provider_dict
 
 
@@ -984,10 +996,9 @@ class CreateVIPBasePort(BaseNetworkTask):
             return
         try:
             port_name = constants.AMP_BASE_PORT_PREFIX + amphora_id
-            for port in result:
-                self.network_driver.delete_port(port.id)
-                LOG.info('Deleted port %s with ID %s for amphora %s due to a '
-                         'revert.', port_name, port.id, amphora_id)
+            self.network_driver.delete_port(result[constants.ID])
+            LOG.info('Deleted port %s with ID %s for amphora %s due to a '
+                     'revert.', port_name, result[constants.ID], amphora_id)
         except Exception as e:
             LOG.error('Failed to delete port %s. Resources may still be in '
                       'use for a port intended for amphora %s due to error '

octavia/db/base_models.py

@@ -12,6 +12,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from wsme import types as wtypes
+
 from oslo_db.sqlalchemy import models
 from oslo_utils import strutils
 from oslo_utils import uuidutils
@@ -19,6 +21,8 @@ import sqlalchemy as sa
 from sqlalchemy.orm import collections
 from sqlalchemy.orm import declarative_base
 
+from octavia.common import constants
+
 
 class OctaviaBase(models.ModelBase):
 
@@ -112,12 +116,20 @@ class OctaviaBase(models.ModelBase):
 
     @staticmethod
     def apply_filter(query, model, filters):
+        # Convert boolean filters to proper type
+        for key in filters:
+            attr = getattr(model.__v2_wsme__, key, None)
+            if isinstance(attr, wtypes.wsattr) and attr.datatype == bool:
+                filters[key] = strutils.bool_from_string(filters[key])
+        # Special case for 'enabled', it's 'admin_state_up' in the WSME class
+        # definition and the attribute has already been renamed to 'enabled' by
+        # a previous pagination filter
+        if constants.ENABLED in filters:
+            filters[constants.ENABLED] = strutils.bool_from_string(
+                filters[constants.ENABLED])
+
         translated_filters = {}
         child_map = {}
-        # Convert enabled to proper type
-        if 'enabled' in filters:
-            filters['enabled'] = strutils.bool_from_string(
-                filters['enabled'])
         for attr, name_map in model.__v2_wsme__._child_map.items():
             for k, v in name_map.items():
                 if attr in filters and k in filters[attr]:

octavia/network/drivers/neutron/allowed_address_pairs.py

@@ -194,12 +194,13 @@ class AllowedAddressPairsDriver(neutron_base.BaseNeutronDriver):
             # Don't remove egress rules and don't confuse other protocols with
             # None ports with the egress rules.  VRRP uses protocol 51 and 112
             if (rule.get('direction') == 'egress' or
-                    rule.get('protocol').upper() not in
+                    rule.get('protocol') is None or
+                    rule['protocol'].upper() not in
                     [constants.PROTOCOL_TCP, constants.PROTOCOL_UDP,
                      lib_consts.PROTOCOL_SCTP]):
                 continue
             old_ports.append((rule.get('port_range_max'),
-                              rule.get('protocol').lower(),
+                              rule['protocol'].lower(),
                               rule.get('remote_ip_prefix')))
 
         add_ports = set(updated_ports) - set(old_ports)

octavia/tests/functional/amphorae/backend/agent/api_server/test_server.py

@@ -3060,7 +3060,7 @@ class TestServerTestCase(base.TestCase):
     @mock.patch('octavia.amphorae.backends.utils.nftable_utils.'
                 'load_nftables_file')
     @mock.patch('octavia.amphorae.backends.utils.nftable_utils.'
-                'write_nftable_vip_rules_file')
+                'write_nftable_rules_file')
     @mock.patch('octavia.amphorae.backends.agent.api_server.amphora_info.'
                 'AmphoraInfo.get_interface')
     def test_set_interface_rules(self, mock_get_int, mock_write_rules,

octavia/tests/functional/api/v2/test_health_monitor.py

@@ -1782,6 +1782,24 @@ class TestHealthMonitor(base.BaseAPITest):
             pool_prov_status=constants.PENDING_UPDATE,
             hm_prov_status=constants.PENDING_UPDATE)
 
+    def test_update_udp_case_with_udp_hm(self):
+        api_hm = self.create_health_monitor(
+            self.udp_pool_with_listener_id,
+            constants.HEALTH_MONITOR_UDP_CONNECT, 3, 1, 1, 1).get(
+            self.root_tag)
+        self.set_lb_status(self.udp_lb_id)
+        new_hm = {'timeout': 2}
+        self.put(
+            self.HM_PATH.format(healthmonitor_id=api_hm.get('id')),
+            self._build_body(new_hm))
+        self.assert_correct_status(
+            lb_id=self.udp_lb_id, listener_id=self.udp_listener_id,
+            pool_id=self.udp_pool_with_listener_id, hm_id=api_hm.get('id'),
+            lb_prov_status=constants.PENDING_UPDATE,
+            listener_prov_status=constants.PENDING_UPDATE,
+            pool_prov_status=constants.PENDING_UPDATE,
+            hm_prov_status=constants.PENDING_UPDATE)
+
     def test_negative_update_udp_case(self):
         api_hm = self.create_health_monitor(
             self.udp_pool_with_listener_id,

octavia/tests/functional/api/v2/test_member.py

@@ -913,6 +913,38 @@ class TestMember(base.BaseAPITest):
             m_subnet_exists.assert_called_once_with(
                 member1['subnet_id'], context=mock.ANY)
 
+    @mock.patch('octavia.api.drivers.driver_factory.get_driver')
+    @mock.patch('octavia.api.drivers.utils.call_provider')
+    def test_update_members_member_duplicate(
+            self, mock_provider, mock_get_driver):
+        mock_driver = mock.MagicMock()
+        mock_driver.name = 'noop_driver'
+        mock_get_driver.return_value = mock_driver
+        subnet_id = uuidutils.generate_uuid()
+
+        member1 = {'address': '192.0.2.1', 'protocol_port': 80,
+                   'project_id': self.project_id, 'subnet_id': subnet_id}
+
+        req_dict = [member1]
+        body = {self.root_tag_list: req_dict}
+        path = self.MEMBERS_PATH.format(pool_id=self.pool_id)
+        self.put(path, body, status=202)
+
+        self.set_lb_status(self.lb_id)
+
+        # Same member (same address and protocol_port) updated twice in the
+        # same PUT request
+        member1 = {'address': '192.0.2.1', 'protocol_port': 80,
+                   'project_id': self.project_id, 'subnet_id': subnet_id,
+                   'name': 'member1'}
+        member2 = {'address': '192.0.2.1', 'protocol_port': 80,
+                   'project_id': self.project_id, 'subnet_id': subnet_id,
+                   'name': 'member2'}
+
+        req_dict = [member1, member2]
+        body = {self.root_tag_list: req_dict}
+        self.put(path, body, status=400)
+
     @mock.patch('octavia.api.drivers.driver_factory.get_driver')
     @mock.patch('octavia.api.drivers.utils.call_provider')
     def test_update_members_subnet_not_found(

octavia/tests/unit/amphorae/backends/agent/api_server/test_osutils.py

@@ -229,5 +229,5 @@ class TestOSUtils(base.TestCase):
         mock_port_interface_file.assert_called_once_with(
             name=netns_interface,
             fixed_ips=fixed_ips,
-            mtu=MTU)
+            mtu=MTU, is_sriov=False)
         mock_port_interface_file.return_value.write.assert_called_once()

octavia/tests/unit/amphorae/backends/agent/api_server/test_plug.py

@@ -285,7 +285,7 @@ class TestPlug(base.TestCase):
             self.test_plug.plug_network(FAKE_MAC_ADDRESS, fixed_ips, 1400)
 
         mock_write_port_interface.assert_called_once_with(
-            interface='eth2', fixed_ips=fixed_ips, mtu=mtu)
+            interface='eth2', fixed_ips=fixed_ips, mtu=mtu, is_sriov=False)
         mock_if_up.assert_called_once_with('eth2', 'network')
         mock_send_member_adv.assert_called_once_with(fixed_ips)
 
@@ -332,7 +332,8 @@ class TestPlug(base.TestCase):
             self.test_plug.plug_network(FAKE_MAC_ADDRESS, fixed_ips, 1400)
 
         mock_write_port_interface.assert_called_once_with(
-            interface=FAKE_INTERFACE, fixed_ips=fixed_ips, mtu=mtu)
+            interface=FAKE_INTERFACE, fixed_ips=fixed_ips, mtu=mtu,
+            is_sriov=False)
         mock_if_up.assert_called_once_with(FAKE_INTERFACE, 'network')
         mock_send_member_adv.assert_called_once_with(fixed_ips)
 
@@ -401,7 +402,7 @@ class TestPlug(base.TestCase):
                 'gateway': vip_net_info['gateway'],
                 'host_routes': [],
             },
-            fixed_ips=fixed_ips, mtu=mtu)
+            fixed_ips=fixed_ips, mtu=mtu, is_sriov=False)
 
         mock_if_up.assert_called_once_with(FAKE_INTERFACE, 'vip')
         mock_send_member_adv.assert_called_once_with(fixed_ips)

octavia/tests/unit/amphorae/backends/agent/api_server/test_util.py

@@ -370,13 +370,57 @@ class TestUtil(base.TestCase):
         self.assertEqual([], util.get_haproxy_vip_addresses(LB_ID1))
         mock_cfg_path.assert_called_once_with(LB_ID1)
 
+    @mock.patch('octavia.amphorae.backends.agent.api_server.util.'
+                'keepalived_lvs_cfg_path')
+    def test_get_lvs_vip_addresses(self, mock_cfg_path):
+        FAKE_PATH = 'fake_path'
+        mock_cfg_path.return_value = FAKE_PATH
+        self.useFixture(
+            test_utils.OpenFixture(FAKE_PATH, 'no match')).mock_open()
+
+        # Test with no matching lines in the config file
+        self.assertEqual([], util.get_lvs_vip_addresses(LB_ID1))
+        mock_cfg_path.assert_called_once_with(LB_ID1)
+
+        # Test with 2 matching lines
+        mock_cfg_path.reset_mock()
+        test_data = ('virtual_server_group ipv4-group {\n'
+                     '    203.0.113.43 1\n'
+                     '    203.0.113.44 1\n'
+                     '}\n')
+        self.useFixture(
+            test_utils.OpenFixture(FAKE_PATH, test_data)).mock_open()
+        expected_result = ['203.0.113.43', '203.0.113.44']
+        self.assertEqual(expected_result,
+                         util.get_lvs_vip_addresses(LB_ID1))
+        mock_cfg_path.assert_called_once_with(LB_ID1)
+
+        # Test with 2 groups
+        mock_cfg_path.reset_mock()
+        test_data = ('virtual_server_group ipv4-group {\n'
+                     '    203.0.113.43 1\n'
+                     '}\n'
+                     'virtual_server_group ipv6-group {\n'
+                     '    2d01:27::1 2\n'
+                     '    2d01:27::2 2\n'
+                     '}\n')
+        self.useFixture(
+            test_utils.OpenFixture(FAKE_PATH, test_data)).mock_open()
+        expected_result = ['203.0.113.43', '2d01:27::1', '2d01:27::2']
+        self.assertEqual(expected_result,
+                         util.get_lvs_vip_addresses(LB_ID1))
+        mock_cfg_path.assert_called_once_with(LB_ID1)
+
     @mock.patch('octavia.amphorae.backends.utils.ip_advertisement.'
                 'send_ip_advertisement')
     @mock.patch('octavia.amphorae.backends.utils.network_utils.'
                 'get_interface_name')
     @mock.patch('octavia.amphorae.backends.agent.api_server.util.'
                 'get_haproxy_vip_addresses')
-    def test_send_vip_advertisements(self, mock_get_vip_addrs,
+    @mock.patch('octavia.amphorae.backends.agent.api_server.util.'
+                'get_lvs_vip_addresses')
+    def test_send_vip_advertisements(self, mock_get_lvs_vip_addrs,
+                                     mock_get_vip_addrs,
                                      mock_get_int_name, mock_send_advert):
         mock_get_vip_addrs.side_effect = [[], ['203.0.113.46'],
                                           Exception('boom')]
@@ -385,6 +429,7 @@ class TestUtil(base.TestCase):
         # Test no VIPs
         util.send_vip_advertisements(LB_ID1)
         mock_get_vip_addrs.assert_called_once_with(LB_ID1)
+        mock_get_lvs_vip_addrs.assert_not_called()
         mock_get_int_name.assert_not_called()
         mock_send_advert.assert_not_called()
 
@@ -394,6 +439,7 @@ class TestUtil(base.TestCase):
         mock_send_advert.reset_mock()
         util.send_vip_advertisements(LB_ID1)
         mock_get_vip_addrs.assert_called_once_with(LB_ID1)
+        mock_get_lvs_vip_addrs.assert_not_called()
         mock_get_int_name.assert_called_once_with(
             '203.0.113.46', net_ns=consts.AMPHORA_NAMESPACE)
         mock_send_advert.assert_called_once_with(
@@ -407,6 +453,48 @@ class TestUtil(base.TestCase):
         mock_get_int_name.assert_not_called()
         mock_send_advert.assert_not_called()
 
+    @mock.patch('octavia.amphorae.backends.utils.ip_advertisement.'
+                'send_ip_advertisement')
+    @mock.patch('octavia.amphorae.backends.utils.network_utils.'
+                'get_interface_name')
+    @mock.patch('octavia.amphorae.backends.agent.api_server.util.'
+                'get_haproxy_vip_addresses')
+    @mock.patch('octavia.amphorae.backends.agent.api_server.util.'
+                'get_lvs_vip_addresses')
+    def test_send_vip_advertisements_udp(self, mock_get_lvs_vip_addrs,
+                                         mock_get_vip_addrs,
+                                         mock_get_int_name, mock_send_advert):
+        mock_get_lvs_vip_addrs.side_effect = [[], ['203.0.113.46'],
+                                              Exception('boom')]
+        mock_get_int_name.return_value = 'fake0'
+
+        # Test no VIPs
+        util.send_vip_advertisements(listener_id=LISTENER_ID1)
+        mock_get_lvs_vip_addrs.assert_called_once_with(LISTENER_ID1)
+        mock_get_vip_addrs.assert_not_called()
+        mock_get_int_name.assert_not_called()
+        mock_send_advert.assert_not_called()
+
+        # Test with a VIP
+        mock_get_lvs_vip_addrs.reset_mock()
+        mock_get_int_name.reset_mock()
+        mock_send_advert.reset_mock()
+        util.send_vip_advertisements(listener_id=LISTENER_ID1)
+        mock_get_lvs_vip_addrs.assert_called_once_with(LISTENER_ID1)
+        mock_get_vip_addrs.assert_not_called()
+        mock_get_int_name.assert_called_once_with(
+            '203.0.113.46', net_ns=consts.AMPHORA_NAMESPACE)
+        mock_send_advert.assert_called_once_with(
+            'fake0', '203.0.113.46', net_ns=consts.AMPHORA_NAMESPACE)
+
+        # Test with an exception (should not raise)
+        mock_get_lvs_vip_addrs.reset_mock()
+        mock_get_int_name.reset_mock()
+        mock_send_advert.reset_mock()
+        util.send_vip_advertisements(listener_id=LISTENER_ID1)
+        mock_get_int_name.assert_not_called()
+        mock_send_advert.assert_not_called()
+
     @mock.patch('octavia.amphorae.backends.utils.ip_advertisement.'
                 'send_ip_advertisement')
     @mock.patch('octavia.amphorae.backends.utils.network_utils.'

octavia/tests/unit/amphorae/backends/utils/test_interface.py

@@ -452,7 +452,7 @@ class TestInterface(base.TestCase):
     @mock.patch('octavia.amphorae.backends.utils.network_namespace.'
                 'NetworkNamespace')
     @mock.patch('octavia.amphorae.backends.utils.nftable_utils.'
-                'write_nftable_vip_rules_file')
+                'write_nftable_rules_file')
     @mock.patch('pyroute2.IPRoute.rule')
     @mock.patch('pyroute2.IPRoute.route')
     @mock.patch('pyroute2.IPRoute.addr')
@@ -578,16 +578,8 @@ class TestInterface(base.TestCase):
                       family=socket.AF_INET6)])
 
         mock_check_output.assert_has_calls([
-            mock.call([consts.NFT_CMD, consts.NFT_ADD, 'table',
-                       consts.NFT_FAMILY, consts.NFT_VIP_TABLE], stderr=-2),
-            mock.call([consts.NFT_CMD, consts.NFT_ADD, 'chain',
-                       consts.NFT_FAMILY, consts.NFT_VIP_TABLE,
-                       consts.NFT_VIP_CHAIN, '{', 'type', 'filter', 'hook',
-                       'ingress', 'device', 'fake-eth1', 'priority',
-                       consts.NFT_SRIOV_PRIORITY, ';', 'policy', 'drop', ';',
-                       '}'], stderr=-2),
-            mock.call([consts.NFT_CMD, '-o', '-f', consts.NFT_VIP_RULES_FILE],
-                      stderr=-2),
+            mock.call([consts.NFT_CMD, '-o', '-f', consts.NFT_RULES_FILE],
+                      stderr=subprocess.STDOUT),
             mock.call(["post-up", "fake-eth1"])
         ])
 
@@ -1444,56 +1436,3 @@ class TestInterface(base.TestCase):
 
         addr = controller._normalize_ip_network(None)
         self.assertIsNone(addr)
-
-    @mock.patch('octavia.amphorae.backends.utils.nftable_utils.'
-                'load_nftables_file')
-    @mock.patch('octavia.amphorae.backends.utils.nftable_utils.'
-                'write_nftable_vip_rules_file')
-    @mock.patch('subprocess.check_output')
-    def test__setup_nftables_chain(self, mock_check_output, mock_write_rules,
-                                   mock_load_rules):
-
-        controller = interface.InterfaceController()
-
-        mock_check_output.side_effect = [
-            mock.DEFAULT, mock.DEFAULT,
-            subprocess.CalledProcessError(cmd=consts.NFT_CMD, returncode=-1),
-            mock.DEFAULT,
-            subprocess.CalledProcessError(cmd=consts.NFT_CMD, returncode=-1)]
-
-        interface_mock = mock.MagicMock()
-        interface_mock.name = 'fake2'
-
-        # Test succeessful path
-        controller._setup_nftables_chain(interface_mock)
-
-        mock_write_rules.assert_called_once_with('fake2', [])
-        mock_load_rules.assert_called_once_with()
-        mock_check_output.assert_has_calls([
-            mock.call([consts.NFT_CMD, 'add', 'table', consts.NFT_FAMILY,
-                       consts.NFT_VIP_TABLE], stderr=subprocess.STDOUT),
-            mock.call([consts.NFT_CMD, 'add', 'chain', consts.NFT_FAMILY,
-                       consts.NFT_VIP_TABLE, consts.NFT_VIP_CHAIN, '{',
-                       'type', 'filter', 'hook', 'ingress', 'device',
-                       'fake2', 'priority', consts.NFT_SRIOV_PRIORITY, ';',
-                       'policy', 'drop', ';', '}'], stderr=subprocess.STDOUT)])
-
-        # Test first nft call fails
-        mock_write_rules.reset_mock()
-        mock_load_rules.reset_mock()
-        mock_check_output.reset_mock()
-
-        self.assertRaises(subprocess.CalledProcessError,
-                          controller._setup_nftables_chain, interface_mock)
-        mock_check_output.assert_called_once()
-        mock_write_rules.assert_not_called()
-
-        # Test second nft call fails
-        mock_write_rules.reset_mock()
-        mock_load_rules.reset_mock()
-        mock_check_output.reset_mock()
-
-        self.assertRaises(subprocess.CalledProcessError,
-                          controller._setup_nftables_chain, interface_mock)
-        self.assertEqual(2, mock_check_output.call_count)
-        mock_write_rules.assert_not_called()

octavia/tests/unit/amphorae/backends/utils/test_nftable_utils.py

@@ -28,23 +28,22 @@ import octavia.tests.unit.base as base
 class TestNFTableUtils(base.TestCase):
     @mock.patch('os.open')
     @mock.patch('os.path.isfile')
-    def test_write_nftable_vip_rules_file_exists(self, mock_isfile, mock_open):
+    def test_write_nftable_rules_file_exists(self, mock_isfile, mock_open):
         """Test when a rules file exists and no new rules
 
         When an existing rules file is present and we call
-        write_nftable_vip_rules_file with no rules, the method should not
+        write_nftable_rules_file with no rules, the method should not
         overwrite the existing rules.
         """
         mock_isfile.return_value = True
 
-        nftable_utils.write_nftable_vip_rules_file('fake-eth2', [])
+        nftable_utils.write_nftable_rules_file('fake-eth2', [])
 
         mock_open.assert_not_called()
 
     @mock.patch('os.open')
     @mock.patch('os.path.isfile')
-    def test_write_nftable_vip_rules_file_rules(self, mock_isfile,
-                                                mock_open):
+    def test_write_nftable_rules_file_rules(self, mock_isfile, mock_open):
         """Test when a rules file exists and rules are passed in
 
         This should create a simple rules file with the base chain and rules.
@@ -61,32 +60,40 @@ class TestNFTableUtils(base.TestCase):
 
         mocked_open = mock.mock_open()
         with mock.patch.object(os, 'fdopen', mocked_open):
-            nftable_utils.write_nftable_vip_rules_file(
+            nftable_utils.write_nftable_rules_file(
                 'fake-eth2', [test_rule_1, test_rule_2])
 
         mocked_open.assert_called_once_with('fake-fd', 'w')
         mock_open.assert_called_once_with(
-            consts.NFT_VIP_RULES_FILE,
+            consts.NFT_RULES_FILE,
             (os.O_WRONLY | os.O_CREAT | os.O_TRUNC),
             (stat.S_IRUSR | stat.S_IWUSR))
 
         handle = mocked_open()
         handle.write.assert_has_calls([
-            mock.call(f'table {consts.NFT_FAMILY} {consts.NFT_VIP_TABLE} '
+            mock.call(f'table {consts.NFT_FAMILY} {consts.NFT_TABLE} '
                       '{}\n'),
             mock.call(f'delete table {consts.NFT_FAMILY} '
-                      f'{consts.NFT_VIP_TABLE}\n'),
-            mock.call(f'table {consts.NFT_FAMILY} {consts.NFT_VIP_TABLE} '
+                      f'{consts.NFT_TABLE}\n'),
+            mock.call(f'table {consts.NFT_FAMILY} {consts.NFT_TABLE} '
                       '{\n'),
-            mock.call(f'  chain {consts.NFT_VIP_CHAIN} {{\n'),
-            mock.call('    type filter hook ingress device fake-eth2 '
-                      f'priority {consts.NFT_SRIOV_PRIORITY}; policy drop;\n'),
+            mock.call(f'  chain {consts.NFT_CHAIN} {{\n'),
+            mock.call('    type filter hook input priority filter; '
+                      'policy drop;\n'),
+            mock.call('      ct state vmap { established : accept, related : '
+                      'accept, invalid : drop }\n'),
+            mock.call('      iif lo accept\n'),
+            mock.call('      ip saddr 127.0.0.0/8 drop\n'),
+            mock.call('      ip6 saddr ::1 drop\n'),
             mock.call('      icmp type destination-unreachable accept\n'),
             mock.call('      icmpv6 type { nd-neighbor-solicit, '
                       'nd-router-advert, nd-neighbor-advert, packet-too-big, '
                       'destination-unreachable } accept\n'),
             mock.call('      udp sport 67 udp dport 68 accept\n'),
             mock.call('      udp sport 547 udp dport 546 accept\n'),
+            mock.call('      iifname eth1 goto amphora_vip_chain\n'),
+            mock.call('  }\n'),
+            mock.call('  chain amphora_vip_chain {\n'),
             mock.call('      tcp dport 1234 accept\n'),
             mock.call('      ip saddr 192.0.2.0/24 ip protocol 112 accept\n'),
             mock.call('  }\n'),
@@ -95,8 +102,7 @@ class TestNFTableUtils(base.TestCase):
 
     @mock.patch('os.open')
     @mock.patch('os.path.isfile')
-    def test_write_nftable_vip_rules_file_missing(self, mock_isfile,
-                                                  mock_open):
+    def test_write_nftable_rules_file_missing(self, mock_isfile, mock_open):
         """Test when a rules file does not exist and no new rules
 
         This should create a simple rules file with the base chain.
@@ -106,21 +112,21 @@ class TestNFTableUtils(base.TestCase):
 
         mocked_open = mock.mock_open()
         with mock.patch.object(os, 'fdopen', mocked_open):
-            nftable_utils.write_nftable_vip_rules_file('fake-eth2', [])
+            nftable_utils.write_nftable_rules_file('fake-eth2', [])
 
         mocked_open.assert_called_once_with('fake-fd', 'w')
         mock_open.assert_called_once_with(
-            consts.NFT_VIP_RULES_FILE,
+            consts.NFT_RULES_FILE,
             (os.O_WRONLY | os.O_CREAT | os.O_TRUNC),
             (stat.S_IRUSR | stat.S_IWUSR))
 
         handle = mocked_open()
         handle.write.assert_has_calls([
-            mock.call(f'table {consts.NFT_FAMILY} {consts.NFT_VIP_TABLE} '
+            mock.call(f'table {consts.NFT_FAMILY} {consts.NFT_TABLE} '
                       '{\n'),
-            mock.call(f'  chain {consts.NFT_VIP_CHAIN} {{\n'),
-            mock.call('    type filter hook ingress device fake-eth2 '
-                      f'priority {consts.NFT_SRIOV_PRIORITY}; policy drop;\n'),
+            mock.call(f'  chain {consts.NFT_CHAIN} {{\n'),
+            mock.call('    type filter hook input priority filter; '
+                      'policy drop;\n'),
             mock.call('      icmp type destination-unreachable accept\n'),
             mock.call('      icmpv6 type { nd-neighbor-solicit, '
                       'nd-router-advert, nd-neighbor-advert, packet-too-big, '
@@ -184,7 +190,7 @@ class TestNFTableUtils(base.TestCase):
 
         mock_netns.assert_called_once_with(consts.AMPHORA_NAMESPACE)
         mock_check_output.assert_called_once_with([
-            consts.NFT_CMD, '-o', '-f', consts.NFT_VIP_RULES_FILE],
+            consts.NFT_CMD, '-o', '-f', consts.NFT_RULES_FILE],
             stderr=subprocess.STDOUT)
 
         self.assertRaises(subprocess.CalledProcessError,

octavia/tests/unit/amphorae/drivers/keepalived/jinja/test_jinja_cfg.py

@@ -71,7 +71,6 @@ class TestVRRPRestDriver(base.TestCase):
             "}\n"
             "\n"
             "vrrp_instance TESTGROUP {\n"
-            "    state MASTER\n"
             "    interface eth1\n"
             "    virtual_router_id 1\n"
             "    priority 100\n"
@@ -124,7 +123,6 @@ class TestVRRPRestDriver(base.TestCase):
             "}\n"
             "\n"
             "vrrp_instance TESTGROUP {\n"
-            "    state MASTER\n"
             "    interface eth1\n"
             "    virtual_router_id 1\n"
             "    priority 100\n"
@@ -170,7 +168,6 @@ class TestVRRPRestDriver(base.TestCase):
             "}\n"
             "\n"
             "vrrp_instance TESTGROUP {\n"
-            "    state MASTER\n"
             "    interface eth1\n"
             "    virtual_router_id 1\n"
             "    priority 100\n"
@@ -220,7 +217,6 @@ class TestVRRPRestDriver(base.TestCase):
             "}\n"
             "\n"
             "vrrp_instance TESTGROUP {\n"
-            "    state MASTER\n"
             "    interface eth1\n"
             "    virtual_router_id 1\n"
             "    priority 100\n"