firewall-policy-create steals rules associated with the other policy

Bug #1223465 reported by Akihiro Motoki
This bug affects 2 people
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Sumit Naiksatam

Bug Description

In my understanding, one firewall rule can belong to one firewall policy and if a rule is already associated with some policy the rule cannot be associated with a new policy without removing a rule from the current policy.

However, if firewall-policy-create specifies a rule already associated with a policy,
the rule is associated with the newly created policy.

I think it is a bug. Is it right?

The detailed sequence of operations can be found at http://paste.openstack.org/show/46491/ .

Tags: fwaas
Changed in neutron:
assignee: nobody → Sumit Naiksatam (snaiksat)
Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → havana-rc1
Sumit Naiksatam (snaiksat) wrote :

Thanks Akihiro for pointing this out. The 1:1 association of firewall_rule to policy is still maintained; however, as you point out, the rule is yanked out from the older policy and associated with the new one. A check is missing in the implementation to prevent this.

This issue will not be seen when using Horizon; it is seen only when using the CLI.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/46634

Changed in neutron:
status: Confirmed → In Progress
Akihiro Motoki (amotoki) wrote :

Horizon FWaaS seems to have a different bug. I specified rules when creating a policy but no rules are associated with a policy. This may not be a neutron bug. I will investigate the detail and file another bug if needed.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/46634
Committed: http://github.com/openstack/neutron/commit/31f48f5cd3c616a7646adb3bea86338beea6a737
Submitter: Jenkins
Branch: master

commit 31f48f5cd3c616a7646adb3bea86338beea6a737
Author: Sumit Naiksatam <email address hidden>
Date: Sat Sep 14 13:38:08 2013 -0700

    FWaaS - fix policy association of firewall rule

    If an existing firewall rule already associated with a
    firewall policy is associated with a different firewall
    policy, the new association should fail. The check for
    the existing association was not being made, hence the
    firewall rule was being removed from the older policy
    and being associated with the newer policy (incorrect
    behavior). This is being fixed here.

    If the association with the newer policy has to be made
    the rule should first be removed from the existing policy
    association.

    Change-Id: I30c41d77e7fde673f0dccbc98e1cd7bd0d7b384f
    Closes-Bug: #1223465

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: havana-rc1 → 2013.2
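
Added example, not part of the original bug report and not neutron's code: a small in-memory model of the rule-to-policy association, showing policy creation without the ownership check (the rule silently leaves the older policy) beside the same call with the check the commit message describes. The class, method and exception names are hypothetical.

```python
# Added illustration: in-memory model, not neutron's code. All names are hypothetical.
class RuleInUse(Exception):
    """Raised when a rule is already associated with another policy."""


class FirewallDB:
    def __init__(self, enforce_check):
        self.enforce_check = enforce_check  # False models the pre-fix behaviour
        self.rule_policy = {}               # rule_id -> policy_id (1:1 association)
        self.policy_rules = {}              # policy_id -> ordered list of rule_ids

    def create_rule(self, rule_id):
        self.rule_policy[rule_id] = None

    def create_policy(self, policy_id, rule_ids=()):
        if self.enforce_check:
            # The check the bug report says was missing: refuse before
            # touching any state, so a failed create changes nothing.
            for rid in rule_ids:
                owner = self.rule_policy[rid]
                if owner is not None:
                    raise RuleInUse(f"rule {rid} belongs to policy {owner}")
        self.policy_rules[policy_id] = []
        for rid in rule_ids:
            old = self.rule_policy[rid]
            if old is not None:
                # Pre-fix path: the rule is silently pulled out of the old policy.
                self.policy_rules[old].remove(rid)
            self.rule_policy[rid] = policy_id
            self.policy_rules[policy_id].append(rid)

    def remove_rule(self, policy_id, rule_id):
        self.policy_rules[policy_id].remove(rule_id)
        self.rule_policy[rule_id] = None


def demo(enforce_check):
    """Create p1 with r1, then try to create p2 with the same rule."""
    db = FirewallDB(enforce_check)
    db.create_rule("r1")
    db.create_policy("p1", ["r1"])
    try:
        db.create_policy("p2", ["r1"])
        outcome = "created"
    except RuleInUse:
        outcome = "rejected"
    return outcome, db.policy_rules["p1"], db.policy_rules.get("p2")
```

Without the check, the older policy ends up with no rules and nothing reports the change, so whatever that policy was filtering is no longer covered by the moved rule.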