FWaaS: FIP namespace created after/before Firewall creation doesn't contain FW rules
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Won't Fix | Undecided | bharath |
Bug Description
L3 agent is set to "dvr_snat" mode.
Steps to reproduce:
1) Create security group rules
2) Boot nova instance
3) Create floating ip on public network and associate it to the nova instance
4) Create firewall rules
5) Create firewall policy with the above rules
6) Create firewall with the above policy
Expected Result:
Both SNAT and FIP namespaces should contain the FW rules
Observed Result:
Only SNAT namespace contains the FW rules while the FIP namespace doesn't
Impact:
Due to this, the packets transferred over the external network that are destined to this instance could bypass the firewall rules using the floating ip of the instance.
Following are the commands and their output:
demofw@
+------
| Field | Value |
+------
| admin_state_up | True |
| external_
| id | fb2f3983-
| name | router1 |
| routes | |
| status | ACTIVE |
| tenant_id | b8e6948ab239467
+------
demofw@
Created a new floatingip:
+------
| Field | Value |
+------
| fixed_ip_address | 10.0.0.4 |
| floating_ip_address | 172.24.4.5 |
| floating_network_id | b162e6a0-
| id | 278316a4-
| port_id | 0d283e44-
| router_id | fb2f3983-
| status | DOWN |
| tenant_id | b8e6948ab239467
+------
demofw@
+------
| ID | Name | Status | Task State | Power State | Networks |
+------
| 9194e3a1-
+------
demofw@
+------
| id | name | firewall_policy_id | summary | enabled |
+------
| 4056da20-
| | | | source: none(none), | |
| | | | dest: none(none), | |
| | | | deny | |
| b1f3b83f-
| | | | source: none(none), | |
| | | | dest: none(80), | |
| | | | deny | |
| cba48aea-
| | | | source: none(none), | |
| | | | dest: none(22), | |
| | | | allow | |
+------
demofw@
+------
| id | name | firewall_rules |
+------
| 75599732-
| | | b1f3b83f-
| | | cba48aea-
+------
demofw@
+------
| Field | Value |
+------
| admin_state_up | True |
| description | |
| firewall_policy_id | 75599732-
| id | 66560c40-
| name | demo-fw |
| router_ids | fb2f3983-
| status | ACTIVE |
| tenant_id | b8e6948ab239467
+------
demofw@
fip-b162e6a0-
snat-fb2f3983-
qrouter-
qdhcp-855d0284-
demofw@
Chain INPUT (policy ACCEPT 4 packets, 1284 bytes)
pkts bytes target prot opt in out source destination
4 1284 neutron-
Chain FORWARD (policy ACCEPT 2 packets, 168 bytes)
pkts bytes target prot opt in out source destination
2 168 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
2 168 neutron-
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
2 168 neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 neutron-
0 0 neutron-
0 0 neutron-
0 0 neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
Chain neutron-
pkts bytes target prot opt in out source destination
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain neutron-
pkts bytes target prot opt in out source destination
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
demofw@
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
0 0 neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
Chain neutron-
pkts bytes target prot opt in out source destination
Chain neutron-
pkts bytes target prot opt in out source destination
Chain neutron-
pkts bytes target prot opt in out source destination
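The gap the report describes (policy rules present in the SNAT namespace, absent from the FIP namespace) can be checked mechanically from per-namespace `iptables -L -v -n` dumps. The script below is an added example, not code from the bug report or from Neutron: the namespace names, the `neutron-fwaas-in` chain name and the `audit_namespaces` helper are assumptions, and the iptables text is constructed inline, modelled on the SNAT and FIP dumps above.

```python
"""Audit L3 agent namespaces for missing FWaaS rules.

Added example (not Neutron code): given the output of ``iptables -L -v -n``
captured inside each ``ip netns`` namespace, report which fip-/snat-
namespaces do not carry every rule of the firewall policy.
"""
import re

# Placeholder namespace and chain names; the real FWaaS chain names are
# derived from the firewall id and are truncated on the bug page.
SNAT_NS = "snat-00000000-constructed"
FIP_NS = "fip-11111111-constructed"
DHCP_NS = "qdhcp-22222222-constructed"

# Constructed dumps: the SNAT namespace carries the policy, the FIP one does not.
IPTABLES_OUTPUT = {
    SNAT_NS: """\
Chain FORWARD (policy ACCEPT 2 packets, 168 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   168 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain neutron-fwaas-in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
""",
    FIP_NS: """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain neutron-fwaas-in (1 references)
 pkts bytes target     prot opt in     out     source               destination
""",
    DHCP_NS: "",
}

# The firewall policy from the bug report: deny icmp, deny tcp/80, allow tcp/22.
POLICY = [("DROP", "icmp", None), ("DROP", "tcp", 80), ("ACCEPT", "tcp", 22)]

_DPORT = re.compile(r"\bdpt:(\d+)")


def parse_rules(output):
    """Return {chain: [(target, proto, dport), ...]} from iptables -L -v -n text."""
    chains, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        if line.startswith("pkts ") or current is None:
            continue  # column header, or text before any chain
        fields = line.split()
        if len(fields) < 4:
            continue
        target, proto = fields[2], fields[3]
        m = _DPORT.search(line)
        dport = int(m.group(1)) if m else None
        chains[current].append((target, proto, dport))
    return chains


def missing_rules(policy, output):
    """Policy rules that appear in no chain of this namespace's ruleset."""
    present = {rule for rules in parse_rules(output).values() for rule in rules}
    return [rule for rule in policy if rule not in present]


def audit_namespaces(policy, outputs, prefixes=("fip-", "snat-")):
    """Map each router-level namespace to the policy rules it lacks.

    A namespace carrying the full policy maps to an empty list; namespaces
    whose name does not start with one of ``prefixes`` (e.g. qdhcp-) are skipped.
    """
    return {
        ns: missing_rules(policy, text)
        for ns, text in sorted(outputs.items())
        if ns.startswith(prefixes)
    }


if __name__ == "__main__":
    for ns, gaps in audit_namespaces(POLICY, IPTABLES_OUTPUT).items():
        status = "OK" if not gaps else "MISSING " + ", ".join(
            f"{t} {p}" + (f"/{d}" if d else "") for t, p, d in gaps)
        print(f"{ns}: {status}")
```

On a live node the dictionary would be filled from `ip netns` and `ip netns exec <ns> iptables -L -v -n`; a fip- namespace that reports missing rules while its snat- sibling reports none is exactly the condition the description reports.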
Changed in neutron:
assignee: nobody → Sridar Kandaswamy (skandasw)
summary:
- FWaaS: FIP namespace created after Firewall creation doesn't contains FW
+ FWaaS: FIP namespace created after Firewall creation doesn't contain FW rules
summary:
- FWaaS: FIP namespace created after Firewall creation doesn't contain FW rules
+ FWaaS: FIP namespace created after/before Firewall creation doesn't contain FW rules
Changed in neutron:
status: New → Confirmed
Changed in neutron:
importance: Undecided → High
Changed in neutron:
assignee: Sridar Kandaswamy (skandasw) → bharath (bharath-7)
With the earlier model and the tight coupling between FW and L3Agent - we had a call into the FW Agent to process namespace create/deletion. With the L3 Agent refactor, instead of hacking this into the fip handling code - the fix should be to implement the observer hierarchy to handle notifications in fwaas.