'auto_associate_default_firewall_group' got an error when new port is created

Bug #1746404 reported by Yushiro FURUKAWA
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: chandan dutta chowdhury

Bug Description

If we create a new port (bound somewhere) under the following conditions, an error occurs.

    Jan 31 11:30:00 furukawa-verify-devstack neutron-server[25204]: DEBUG neutron_fwaas.db.firewall.v2.firewall_db_v2 [None req-f3c0994c-1547-410a-8bf8-b4b459e0dfba None None] get_firewall_group() called {{(pid=25213) get_firewall_group /opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/v2/firewall_db_v2.py:1080}}
    Jan 31 11:30:00 furukawa-verify-devstack neutron-server[25204]: ERROR neutron_lib.callbacks.manager [None req-f3c0994c-1547-410a-8bf8-b4b459e0dfba None None] Error during notification for neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2.handle_create_port_event--9223372036854763926 port, after_create: PortNotFound: Port c could not be found.

It was due to the following:

1. Validation is missing of whether the created port is a VM port or not
2. It should be a list of port IDs, but a single port ID string is passed

[How to reproduce]
1. Deploy devstack with the latest code, with q-fwaas-v2
2. Configure the following settings
   (/etc/neutron/neutron_fwaas.conf)
    [fwaas]
      auto_associate_default_firewall_group = True
3. Restart q-svc
4. Run the following commands

    $ neutron net-create test
    $ neutron subnet-create test 11.11.11.0/24

Then a DHCP port will be created and an error occurs on q-svc. You can see it with

    $ sudo journalctl -f -u <email address hidden>

Tags: fwaas
Changed in neutron:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/539461

Nguyen Phuong An (annp)
Changed in neutron:
assignee: nobody → Nguyen Phuong An (annp)
Changed in neutron:
assignee: Nguyen Phuong An (annp) → Yushiro FURUKAWA (y-furukawa-2)
status: New → In Progress
Changed in neutron:
assignee: Yushiro FURUKAWA (y-furukawa-2) → chandan dutta chowdhury (chandanc)
Changed in neutron:
milestone: none → queens-rc1
Changed in neutron:
assignee: chandan dutta chowdhury (chandanc) → Yushiro FURUKAWA (y-furukawa-2)
Changed in neutron:
assignee: Yushiro FURUKAWA (y-furukawa-2) → chandan dutta chowdhury (chandanc)
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (master)

Reviewed: https://review.openstack.org/539461
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=66d4431f990b2da0d3b42493a499ab67e9a0020a
Submitter: Zuul
Branch: master

commit 66d4431f990b2da0d3b42493a499ab67e9a0020a
Author: Nguyen Phuong An <email address hidden>
Date: Wed Jan 31 14:54:53 2018 +0700

    Remove disable option for default FWG and allow only on VM ports

    Currently, auto associate default FWG works only one time and the logic
    is broken if the new port is a DHCP port or router port. This patch
    fixes the problem by validating if a port is a VM port or not,
    ignores port binding failed or unbound and also adds trusted port
    handling. In addition, from a security perspective, the
    'auto_associate_default_firewall_group' CfgOpt is no longer used.
    Automatic association with default firewall group with VM port
    works by default.

    Closes-Bug: #1746404
    Co-Authored-By: Yushiro FURUKAWA <email address hidden>
    Co-Authored-By: Chandan Dutta Chowdhury <email address hidden>
    Change-Id: Ib567c0e0333335a99b851162d87f17f1a8ceb2dd
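
The two defects named in the bug description (no VM-port check, and a bare string where a list of port IDs is expected) and the checks the commit message describes, as an added Python illustration; this is constructed example code, not the neutron-fwaas handler itself. The handler names, the in-memory port table and the port IDs are assumptions; the constant values mirror neutron-lib's device_owner and vif_type strings, and the commit's trusted-port handling is not shown.

```python
# Added illustration of bug #1746404; not neutron-fwaas code. Handler names, the
# in-memory port table and the port IDs below are constructed for this example.
# String values mirror neutron-lib's device_owner / portbindings constants.
DEVICE_OWNER_COMPUTE_PREFIX = "compute:"
VIF_TYPE_UNBOUND = "unbound"
VIF_TYPE_BINDING_FAILED = "binding_failed"

class PortNotFound(Exception):
    pass

# Constructed stand-in for the ports table: (device_owner, binding:vif_type)
# for a DHCP port, a bound VM port and a VM port that is not bound yet.
KNOWN_PORTS = {
    "c0ffee00-0000-4000-8000-000000000001": ("network:dhcp", "ovs"),
    "a1b2c3d4-0000-4000-8000-000000000002": ("compute:nova", "ovs"),
    "b0b0b0b0-0000-4000-8000-000000000003": ("compute:nova", VIF_TYPE_UNBOUND),
}
DEFAULT_FWG_PORTS = []  # ports attached to the default firewall group

def set_port_for_default_firewall_group(port_id):
    """Stand-in for the DB call that attaches one port to the default FWG."""
    if port_id not in KNOWN_PORTS:
        raise PortNotFound("Port %s could not be found." % port_id)
    DEFAULT_FWG_PORTS.append(port_id)

def buggy_handle_create_port_event(port_id):
    """Both defects from the report: no VM-port check, and a bare string
    where a list of IDs is expected, so the loop iterates characters."""
    for pid in port_id:  # should be [port_id]; pid is 'c', then '0', ...
        set_port_for_default_firewall_group(pid)

def buggy_failure_message(port_id):
    """Run the buggy handler and return the PortNotFound message it raises."""
    try:
        buggy_handle_create_port_event(port_id)
    except PortNotFound as exc:
        return str(exc)
    return None

def fixed_handle_create_port_event(port_id):
    """Shape of the checks the fix describes: only bound VM ports are
    auto-associated; DHCP/router, unbound and failed-binding ports are skipped."""
    device_owner, vif_type = KNOWN_PORTS[port_id]
    if not device_owner.startswith(DEVICE_OWNER_COMPUTE_PREFIX):
        return "skipped: not a VM port"
    if vif_type in (VIF_TYPE_UNBOUND, VIF_TYPE_BINDING_FAILED):
        return "skipped: port unbound or binding failed"
    for pid in [port_id]:  # a list of IDs, even for a single port
        set_port_for_default_firewall_group(pid)
    return "associated"
```

Running the buggy handler on the DHCP port reproduces the "Port c could not be found" message from the log, because the first character of the UUID string is looked up as a port ID.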

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-fwaas 12.0.0.0rc1

This issue was fixed in the openstack/neutron-fwaas 12.0.0.0rc1 release candidate.
