fwaas: After deleting all routers or interfaces firewall status should not show as active

Bug #1330913 reported by Rajkumar
This bug affects 1 person
Affects    Status        Importance   Assigned to   Milestone
neutron    Incomplete    Wishlist     Unassigned

Bug Description

After deleting all routers firewall status should not show as active

From the admin tenant as well as the user tenant, the firewall becomes active as per the steps below:
1. create firewall (after creating firewall rule and policy)
2. create router
3. Add at least one network interface to the router
4. firewall becomes active

However, from the admin tenant, if we create the router and then the firewall, the firewall becomes active without the need to add any network interface to the router. But in this sequence of firewall creation, the firewall becomes active in the user tenant only after adding an interface to the router.

In both of the above cases, the firewall doesn't become inactive or down when deleting all the interfaces on the router or deleting all the routers.

Steps to Reproduce:
1. create firewall rule and attach it to the newly created firewall policy
2. create firewall with the above policy.
3. create router and attach any network interface
4. firewall becomes active
5. remove the network interface from router or delete the router

Actual Results:
firewall status shows as active

Expected results:
firewall status should show as DOWN

root@IGA-OSC:~# rid r1 55088e59-ad2b-4691-9a2f-85aa540a5743
Removed interface from router r1.
root@IGA-OSC:~# rid r1 fb8b1745-8be8-44a9-bf94-15dad4cd6c1d
Removed interface from router r1.
root@IGA-OSC:~# rd r1
Deleted router: r1
root@IGA-OSC:~# fws f1
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 9db0f412-0e35-4786-bd9e-9f28a6de9b3e |
| id                 | 6422127f-cc81-4f37-a5d2-f6d1ae5cc035 |
| name               | f1                                   |
| status             | ACTIVE                               |
| tenant_id          | d9481c57a11c46eea62886938b5378a7     |
+--------------------+--------------------------------------+
root@IGA-OSC:~# neutron router-list

Tags: fwaas
Changed in neutron:
importance: Undecided → Medium
Sridar Kandaswamy (skandasw) wrote:

In the current FWaaS model, when a Firewall is created on a tenant - it is applied on all routers in the tenant. And if a new router gets added on the tenant, the firewall is added to that as well.

The FW plugin does not track the routers (or router interfaces) on the tenant in this implementation. So when router(s) is/are deleted on a tenant, we cannot track this incremental change on the plugin. Ideally, only when the last router (or router interface) is deleted would we like to drive the FWaaS state to PENDING_DELETE and then move it to DELETED.

While this support can be added, the eventual goal for FWaaS has always been to be aligned with the Service Insertion model. The current behaviour (deploy on all routers) is an artifact of the first implementation. Now that Service Insertion (https://review.openstack.org/#/c/93128/) is being targeted for Juno, with this we will be able to validate the insertion points (be they routers or router interfaces) and track any changes on these resources as well. So then this issue will not be relevant.

Changed in neutron:
status: New → Confirmed
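The reproduction steps in the report and Sridar's description of the model (a tenant's firewall is applied to every router in the tenant, and the plugin tracks neither routers nor their interfaces) suggest a simple out-of-band consistency check. The following Python is an added example, not Neutron or FWaaS code: it takes firewall, router and port records in the shape the Neutron v2 API returns them, applies the reporter's expected rule (ACTIVE only while some router in the tenant still has an interface, otherwise DOWN) and lists firewalls whose reported status disagrees. The sample records are constructed for the example: the firewall, policy, tenant and subnet ids are copied from the CLI output above, while the router and port ids are invented.

```python
"""Added example (not Neutron/FWaaS code): flag firewalls that still report
ACTIVE after the tenant has lost its last router interface.

Input records use the field names of the Neutron v2 API (firewalls, routers,
ports). The sample data at the bottom is constructed for this example.
"""
from collections import defaultdict

# device_owner that Neutron assigns to a router's internal interface ports.
ROUTER_INTERFACE_OWNER = "network:router_interface"
# Transient FWaaS states: do not judge a firewall while it is in one of these.
PENDING = {"PENDING_CREATE", "PENDING_UPDATE", "PENDING_DELETE"}


def routers_with_interfaces(routers, ports):
    """Return {tenant_id: {router_id, ...}} for routers with >= 1 interface port."""
    router_tenant = {r["id"]: r["tenant_id"] for r in routers}
    active = defaultdict(set)
    for port in ports:
        if port.get("device_owner") != ROUTER_INTERFACE_OWNER:
            continue
        router_id = port.get("device_id")
        # A port whose router no longer exists is not an enforcement point.
        if router_id in router_tenant:
            active[router_tenant[router_id]].add(router_id)
    return active


def expected_status(firewall, active_by_tenant):
    """Reporter's rule: ACTIVE only while the tenant has a router with an interface."""
    return "ACTIVE" if active_by_tenant.get(firewall["tenant_id"]) else "DOWN"


def find_stale_firewalls(firewalls, routers, ports):
    """List firewalls whose reported status disagrees with the expected one."""
    active_by_tenant = routers_with_interfaces(routers, ports)
    stale = []
    for fw in firewalls:
        if fw["status"] in PENDING:
            continue
        want = expected_status(fw, active_by_tenant)
        if fw["status"] != want:
            stale.append({"id": fw["id"], "name": fw["name"],
                          "reported": fw["status"], "expected": want})
    return stale


# --- constructed sample data ------------------------------------------------
TENANT = "d9481c57a11c46eea62886938b5378a7"  # tenant_id from the report
ROUTER_R1 = {"id": "11111111-1111-4111-8111-111111111111",  # invented router uuid
             "name": "r1", "tenant_id": TENANT}
FIREWALLS = [{"id": "6422127f-cc81-4f37-a5d2-f6d1ae5cc035", "name": "f1",
              "tenant_id": TENANT, "admin_state_up": True, "status": "ACTIVE",
              "firewall_policy_id": "9db0f412-0e35-4786-bd9e-9f28a6de9b3e"}]
# The two interfaces removed with `rid r1 <subnet>` in the report, as ports
# (port ids invented, subnet ids from the report).
INTERFACE_PORTS = [
    {"id": "aaaaaaaa-0000-4000-8000-000000000001", "device_id": ROUTER_R1["id"],
     "device_owner": ROUTER_INTERFACE_OWNER,
     "fixed_ips": [{"subnet_id": "55088e59-ad2b-4691-9a2f-85aa540a5743"}]},
    {"id": "aaaaaaaa-0000-4000-8000-000000000002", "device_id": ROUTER_R1["id"],
     "device_owner": ROUTER_INTERFACE_OWNER,
     "fixed_ips": [{"subnet_id": "fb8b1745-8be8-44a9-bf94-15dad4cd6c1d"}]},
]


def reproduce():
    """Walk steps 4 and 5 of the report; the reported status stays ACTIVE throughout."""
    return {
        "step4_router_with_interfaces":
            find_stale_firewalls(FIREWALLS, [ROUTER_R1], INTERFACE_PORTS),
        "step5_interfaces_removed":
            find_stale_firewalls(FIREWALLS, [ROUTER_R1], []),
        "step5_router_deleted":
            find_stale_firewalls(FIREWALLS, [], []),
    }


if __name__ == "__main__":
    for step, stale in reproduce().items():
        print(step, "->", stale or "status consistent")
```

Against a live deployment the three lists would come from python-neutronclient, roughly `Client.list_firewalls()["firewalls"]`, `list_routers()["routers"]` and `list_ports(device_owner="network:router_interface")["ports"]` (method names as I recall them for the FWaaS v1 era; verify against the client version in use). As Sumit notes later in the thread, a stale ACTIVE is a reporting inconsistency rather than an enforcement gap, since no traffic transits a router with no interfaces; the check is useful for operators who drive monitoring or audits off the firewall status field.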
Koteswara Rao Kelam (koti-kelam) wrote:

The following code got merged.
https://review.openstack.org/#/c/93128/

Sumit Naiksatam (snaiksat) wrote:

On thinking about this a little more, I am not sure that this is as much of an issue. When all the interfaces are deleted, there is no traffic reaching the router, and hence the firewall is not in the picture. When any interfaces are added, the firewall will be effective again. Reducing the priority of this bug.

Changed in neutron:
importance: Medium → Wishlist
Cedric Brandily (cbrandily) wrote:

This bug is > 365 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
status: Confirmed → Incomplete