[fwaas]wrong judgment in _is_supported_by_fw_l2_driver method
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron | Invalid | Low | Wang Weijia | | |
Bug Description
Bug description:
The scenario: security group is enabled and its firewall_driver = openvswitch; fwaas is enabled and its firewall_l2_driver = noop (default).
If I create a new VM, the default FWG will be bound to this VM's port automatically. However, firewall_l2_driver = noop and I don't want to use fwaas in L2.
This bug is caused by the judgment in _is_supported_
My environment is below:
[root@vm neutron]# cat plugins/
[securitygroup]
firewall_driver = openvswitch
enable_
[root@vm neutron]# cat l3_agent.ini
[DEFAULT]
verbose = true
interface_driver = openvswitch
agent_mode = dvr_snat
[agent]
extensions = fwaas_v2
[fwaas]
agent_version = v2
driver = neutron_
enabled = True
Steps:
Create a new vm(port id: e822d587-
Then the default firewall group was bound to the VM's port automatically:
[root@vm neutron]# openstack firewall group show 7a5265b4-
+------
| Field | Value |
+------
| Description | Default firewall group |
| Egress Policy ID | 1747c29b-
| ID | 7a5265b4-
| Ingress Policy ID | 5d3cfbff-
| Name | default |
| Ports | [u'e822d587-
| Project | 9355437b66f64e8
| Shared | False |
| State | UP |
| Status | ACTIVE |
| project_id | 9355437b66f64e8
+------
Here is every scenario of security group and fwaas:
|ID|firewall_
|:-|:--
|1 |noop | openvswitch | True |
|2 |noop | others(*1) | False|
|3 |openvswitch | openvswitch | False |
|4 |openvswitch | others | True|
The correct one is as follows:
|firewall_l2_driver | security_group | _is_supported_
|:-----
|noop | openvswitch | False|
|noop | others(*1) | False|
|openvswitch | openvswitch | False |
|openvswitch | others | True |
Changed in neutron:
assignee: nobody → Wang Weijia (wangweij)
importance: Undecided → Low
status: New → Confirmed
Changed in neutron:
status: Confirmed → In Progress
I found that when we create a new VM, at least one security group will be used on this VM if security group is enabled (even if you configure no security group, the default security group will also be used on this VM). So if port['security_groups'] is none, I can judge security group is disabled. If ovs_hybrid_plug is False and binding_vif_type is True, I can validate that this port's VIF_TYPE_OVS must be configured by fwaas_l2_driver.
I have committed a patch: https://review.openstack.org/#/c/605988