Device Manager: Firewall filter generated for Piublic VRF doesn't have have the from clause in term t1 to redirect the traffic
| Affects | Status | Importance | Assigned to | Milestone | ||
|---|---|---|---|---|---|---|
| Juniper Openstack | Status tracked in Trunk | |||||
| R2.20 |
Fix Committed
|
High
|
Suresh Balineni | |||
| Trunk |
Fix Committed
|
High
|
Suresh Balineni | |||
Bug Description
When public VRF is configured with floating ip pool, we need to generate firewall filters with destination addresses.
Config as follows:
root@a5-mx80-1# show routing-instances nsheth-public
instance-type vrf;
vrf-target target:64512:7;
vrf-table-label;
routing-options {
static {
/* subnet for the public vn */
route 192.168.7.0/24 discard;
/* default route points to inet.0 */
route 0.0.0.0/0 next-table inet.0;
}
}
root@a5-mx80-1# show forwarding-options
family inet {
filter {
input redirect-
}
}
root@a5-mx80-1# show firewall
filter redirect-
term t1 {
from {
}
}
then {
}
}
term t2 {
then accept;
}
}
root@a5-mx80-1# show routing-instances nsheth-public | display set
set routing-instances nsheth-public instance-type vrf
set routing-instances nsheth-public vrf-target target:64512:7
set routing-instances nsheth-public vrf-table-label
set routing-instances nsheth-public routing-options static route 192.168.7.0/24 discard
set routing-instances nsheth-public routing-options static route 0.0.0.0/0 next-table inet.0
root@a5-mx80-1# show forwarding-options | display set
set forwarding-options family inet filter input redirect-
[edit]
root@a5-mx80-1# show firewall | display set
set firewall filter redirect-
set firewall filter redirect-
set firewall filter redirect-
[edit]
root@a5-mx80-1#
We ran into a problem with the configuration generated for public VRF.
The firewall filter we generate to redirect the traffic doesn't have have the
from clause in term t1 (refer to the manually configured example below).
The from clause should have a list of destination addresses where each
entry in the list is the subnet for a floating-ip pool. We had configured a
public network subnet and with the external flag set. So there was a FIP
pool in our configuration.
Could you please investigate further and fix it? Please verify that the fix
works in case there's 1 pool or > 1 pool.
If for whatever reason there's no FIP pools, then it would be best to make
the code defensive and not generate term t1 at all. Generating it with an
empty from clause causes loss of connectivity to the MX - that's very bad.
-Nischal
| Changed in juniperopenstack: | |
| importance: | Undecided → High |
| tags: | added: config device-manager |
| Suresh Balineni (sbalineni) wrote | #1 |
| Suresh Balineni (sbalineni) wrote | #2 |
| Suresh Balineni (sbalineni) wrote | #3 |
| OpenContrail Admin (ci-admin-f) wrote R2.20 | #4 |
| OpenContrail Admin (ci-admin-f) wrote master | #6 |
| OpenContrail Admin (ci-admin-f) wrote A change has been merged | #8 |
| OpenContrail Admin (ci-admin-f) wrote | #9 |
| information type: | Proprietary → Public |
Implementation was already there for generating right firewall filters, but there is bug in the code.
If more than one routing instance is added to MX config, second one replacing first ones config in certain conditions.
Fixed, and Sent for code review.