From 9f31e746103cb61465bf58561baaa11ab7b70d02 Mon Sep 17 00:00:00 2001
From: Sebastian Wagner
Date: Thu, 8 Feb 2024 15:27:08 +0100
Subject: [PATCH] Move FWAAS related object creation into a dedicated method

---
 asr1k_neutron_l3/models/neutron/l3/router.py | 57 ++++++++++----------
 1 file changed, 30 insertions(+), 27 deletions(-)

diff --git a/asr1k_neutron_l3/models/neutron/l3/router.py b/asr1k_neutron_l3/models/neutron/l3/router.py
index d462ed81..8d4e0019 100644
--- a/asr1k_neutron_l3/models/neutron/l3/router.py
+++ b/asr1k_neutron_l3/models/neutron/l3/router.py
@@ -88,33 +88,7 @@ def __init__(self, router_info): rd=self.router_atts.get('rd'), routable_interface=self.routable_interface, rt_import=self.rt_import, rt_export=self.rt_export, global_vrf_id=global_vrf_id) - self.fwaas_conf = list() - self.fwaas_external_policies = {'ingress': None, 'egress': None} - for name, policy in router_info.get('fwaas_policies', {}).items(): - if self.gateway_interface.id in policy['ingress_ports'] \ - or self.gateway_interface.id in policy['egress_ports']: - # This policy will be bound on a external interface, so we need to create - # class-map and service-policy - if self.gateway_interface.id in policy['ingress_ports']: - self.fwaas_external_policies['ingress'] = name - if self.gateway_interface.id in policy['egress_ports']: - self.fwaas_external_policies['egress'] = name - self.fwaas_conf.append(firewall.ClassMap(name)) - self.fwaas_conf.append(firewall.ServicePolicy(name)) - self.fwaas_conf.append(firewall.AccessList(name, policy['rules'])) - - if self.fwaas_external_policies['ingress'] or self.fwaas_external_policies['egress']: - # As there are external interfaces policies, we create zones and zone-pairs - self.fwaas_conf.append(firewall.Zone(self.router_id)) - self.fwaas_conf.append( - firewall.ZonePairExtEgress(self.router_id, self.fwaas_external_policies['egress'])) - self.fwaas_conf.append( - firewall.ZonePairExtIngress(self.router_id, self.fwaas_external_policies['ingress'])) - # We also want to link the VRF to a policer so we limit VRFs (by boilerplate) - self.fwaas_conf.append(firewall.FirewallVrfPolicer(self.router_id)) - # Mark all interfaces for stateful firewalling - for interface in self.interfaces.all_interfaces: - interface.has_stateful_firewall = True + self._build_fwaas_conf(router_info) self.nat_acl = self._build_nat_acl() self.pbr_acl = self._build_pbr_acl() 
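Review bot: The added call `self._build_fwaas_conf(router_info)` runs unconditionally, and the helper it invokes (added in the second hunk) dereferences `self.gateway_interface.id` for every entry of `router_info['fwaas_policies']` without checking that a gateway interface exists, whereas `_primary_route`, visible as context in that same second hunk, guards on `self.gateway_interface is not None`. If a router without a gateway can carry FWAAS policies, this raises AttributeError inside `__init__`; since the body is being moved anyway, adding `if self.gateway_interface is None: return` right after the two attribute initialisations in `_build_fwaas_conf` would keep `fwaas_conf` and `fwaas_external_policies` set for later readers while skipping the binding logic. The new method also has no docstring; a one-liner such as `"""Populate fwaas_conf and fwaas_external_policies from router_info['fwaas_policies'] and mark all interfaces stateful when a policy binds to the gateway interface."""` would document the two attributes and the interface flag it sets as side effects. `__init__` starts before this hunk and its remaining body lies outside it.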
@@ -342,6 +316,35 @@ def _build_prefix_lists(self): return result + def _build_fwaas_conf(self, router_info): + self.fwaas_conf = list() + self.fwaas_external_policies = {'ingress': None, 'egress': None} + for name, policy in router_info.get('fwaas_policies', {}).items(): + if self.gateway_interface.id in policy['ingress_ports'] \ + or self.gateway_interface.id in policy['egress_ports']: + # This policy will be bound on a external interface, so we need to create + # class-map and service-policy + if self.gateway_interface.id in policy['ingress_ports']: + self.fwaas_external_policies['ingress'] = name + if self.gateway_interface.id in policy['egress_ports']: + self.fwaas_external_policies['egress'] = name + self.fwaas_conf.append(firewall.ClassMap(name)) + self.fwaas_conf.append(firewall.ServicePolicy(name)) + self.fwaas_conf.append(firewall.AccessList(name, policy['rules'])) + + if self.fwaas_external_policies['ingress'] or self.fwaas_external_policies['egress']: + # As there are external interfaces policies, we create zones and zone-pairs + self.fwaas_conf.append(firewall.Zone(self.router_id)) + self.fwaas_conf.append( + firewall.ZonePairExtEgress(self.router_id, self.fwaas_external_policies['egress'])) + self.fwaas_conf.append( + firewall.ZonePairExtIngress(self.router_id, self.fwaas_external_policies['ingress'])) + # We also want to link the VRF to a policer so we limit VRFs (by boilerplate) + self.fwaas_conf.append(firewall.FirewallVrfPolicer(self.router_id)) + # Mark all interfaces for stateful firewalling + for interface in self.interfaces.all_interfaces: + interface.has_stateful_firewall = True + def _primary_route(self): if self.gateway_interface is not None and self.gateway_interface.primary_gateway_ip is not None: return route.Route(self.router_id, "0.0.0.0", "0.0.0.0", self.gateway_interface.primary_gateway_ip)