[FWaaS v2] L3 agent restart breaks firewall iptables configuration for router ports

Bug #1712075 reported by Elena Ezhova
This bug affects 2 people
Affects: neutron | Status: Fix Released | Importance: Undecided | Assigned to: Elena Ezhova | Milestone: (none)

Bug Description

*Seen on:* Pike and master devstack with FWaaS v2

*Scenario:*
1. Create deny_icmp rule, a policy, a fw group, security group with all allowed.
2. Create 1 router, 2 subnets, fw group assigned to router ports.
3. Boot a VM in each subnet
4. Check that the iptables rules are applied and that it is impossible to ping the VMs by floating IP or from the qrouter namespace
5. Restart L3 agent

*Expected result:*
After the restart the iptables rules are reapplied in the same way and the traffic is still blocked.

*Actual result:*
When a firewall group contains several ports, the iptables rules are rewritten for each port in turn, so only the chains for the last port in the loop remain.

Example scenario: http://paste.openstack.org/show/618908/

Elena Ezhova (eezhova)
Changed in neutron:
assignee: nobody → Elena Ezhova (eezhova)
tags: added: fwaas
Changed in neutron:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (master)

Reviewed: https://review.openstack.org/495657
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=0fac0d515a0cf5696a37dcde4fb2fdff88a8b537
Submitter: Jenkins
Branch: master

commit 0fac0d515a0cf5696a37dcde4fb2fdff88a8b537
Author: Elena Ezhova <email address hidden>
Date: Mon Aug 21 01:08:13 2017 +0400

    Fix router update on L3 agent restart

    Currently on L3 agent restart FWaaS L3 agent extension
    _process_router_update iterates over all router ports and
    triggers a firewall group update if a port belongs to it.
    When a firewall group contains several ports, iptables rules
    get re-written each time and as a result only the chains for
    the last port in the loop remain.

    With this change each firewall group would be updated with a full
    list of the router ports that belong to it. Additionally, refactoring
    the _process_router_update method reduced its complexity and made
    it more readable.
    If a router would appear to have ports associated with several
    firewall groups a warning would be emitted.

    Added a unit test.

    Closes-Bug: #1712075
    Change-Id: I251f4f50578cd10da904a56e1622c18f2adf2d18

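The defect described in the bug report and the commit message above, modelled as an added example (this is not neutron-fwaas code; the driver, function and chain names are assumptions): a per-port update path that overwrites the group's chains each iteration, beside the grouped update path that passes every router port of a firewall group in one call and warns when a router's ports span several groups.

```python
# Added illustration, not neutron-fwaas code: a minimal model of the L3 agent
# extension's router-update path. FakeFirewallDriver, the chain naming and the
# process_router_update_* functions are assumptions made for this example.
import logging
from collections import defaultdict

LOG = logging.getLogger(__name__)


class FakeFirewallDriver:
    """Stands in for the iptables driver: an update for a firewall group
    replaces that group's chains with one chain per port in the update."""

    def __init__(self):
        self.chains = {}  # fwg_id -> set of chain names (constructed)

    def update_firewall_group(self, fwg_id, ports):
        # A real driver flushes and rebuilds the group's chains, so model
        # the update as overwriting the set rather than merging into it.
        self.chains[fwg_id] = {"fwaas-%s-%s" % (fwg_id, p) for p in ports}


def process_router_update_buggy(driver, router_ports, port_to_fwg):
    # Pre-fix behaviour: one update per port; each call replaces the chains
    # written for the previous port of the same firewall group.
    for port in router_ports:
        fwg_id = port_to_fwg.get(port)
        if fwg_id:
            driver.update_firewall_group(fwg_id, [port])


def process_router_update_fixed(driver, router_ports, port_to_fwg):
    # Post-fix behaviour: collect every router port per firewall group first,
    # then issue a single update per group with the full port list.
    fwg_ports = defaultdict(list)
    for port in router_ports:
        fwg_id = port_to_fwg.get(port)
        if fwg_id:
            fwg_ports[fwg_id].append(port)
    if len(fwg_ports) > 1:
        LOG.warning("Router ports belong to several firewall groups: %s",
                    sorted(fwg_ports))
    for fwg_id, ports in fwg_ports.items():
        driver.update_firewall_group(fwg_id, ports)
    return dict(fwg_ports)


if __name__ == "__main__":
    # Constructed topology: two router ports in one firewall group.
    ports, mapping = ["port-a", "port-b"], {"port-a": "fwg-1", "port-b": "fwg-1"}
    buggy, fixed = FakeFirewallDriver(), FakeFirewallDriver()
    process_router_update_buggy(buggy, ports, mapping)
    process_router_update_fixed(fixed, ports, mapping)
    print("buggy:", sorted(buggy.chains["fwg-1"]))  # only port-b's chain survives
    print("fixed:", sorted(fixed.chains["fwg-1"]))  # both ports' chains present
```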
Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/499243

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (stable/pike)

Reviewed: https://review.openstack.org/499243
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=a123e76d0007c4bbab98deb295a0c5c8ef4c7ddf
Submitter: Jenkins
Branch: stable/pike

commit a123e76d0007c4bbab98deb295a0c5c8ef4c7ddf
Author: Elena Ezhova <email address hidden>
Date: Mon Aug 21 01:08:13 2017 +0400

    Fix router update on L3 agent restart

    Currently on L3 agent restart FWaaS L3 agent extension
    _process_router_update iterates over all router ports and
    triggers a firewall group update if a port belongs to it.
    When a firewall group contains several ports, iptables rules
    get re-written each time and as a result only the chains for
    the last port in the loop remain.

    With this change each firewall group would be updated with a full
    list of the router ports that belong to it. Additionally, refactoring
    the _process_router_update method reduced its complexity and made
    it more readable.
    If a router would appear to have ports associated with several
    firewall groups a warning would be emitted.

    Added a unit test.

    Closes-Bug: #1712075
    Change-Id: I251f4f50578cd10da904a56e1622c18f2adf2d18
    (cherry picked from commit 0fac0d515a0cf5696a37dcde4fb2fdff88a8b537)

tags: added: in-stable-pike
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-fwaas 11.0.1

This issue was fixed in the openstack/neutron-fwaas 11.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-fwaas 12.0.0.0b1

This issue was fixed in the openstack/neutron-fwaas 12.0.0.0b1 development milestone.
