[fwaas]wrong judgment in _is_supported_by_fw_l2_driver method

Bug #1798713 reported by Wang Weijia
Affects: neutron | Status: Invalid | Importance: Low | Assigned to: Wang Weijia

Bug Description

The scenario: security group is enabled and its firewall_driver = openvswitch; fwaas is enabled and its firewall_l2_driver = noop (default).
If I create a new vm, the default FWG is bound to this vm's port automatically. However, firewall_l2_driver = noop, and I don't want to use fwaas in L2.
This bug is caused by the judgment in the _is_supported_by_fw_l2_driver method.

My environment is below:
[root@vm neutron]# cat plugins/ml2/openvswitch_agent.ini
[securitygroup]
firewall_driver = openvswitch
enable_security_group = true

[root@vm neutron]# cat l3_agent.ini
[DEFAULT]
verbose = true
interface_driver = openvswitch
agent_mode = dvr_snat

[agent]
extensions = fwaas_v2

[fwaas]
agent_version = v2
driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
enabled = True

Steps:
Create a new vm(port id: e822d587-5a4d-4124-9c31-a113d773cea8)

Then the default firewall group was bound to the vm's port automatically:
[root@vm neutron]# openstack firewall group show 7a5265b4-e69b-4633-af34-2224a10c1e90
+-------------------+-------------------------------------------+
| Field | Value |
+-------------------+-------------------------------------------+
| Description | Default firewall group |
| Egress Policy ID | 1747c29b-0a7c-4bda-b362-8e9870a96724 |
| ID | 7a5265b4-e69b-4633-af34-2224a10c1e90 |
| Ingress Policy ID | 5d3cfbff-7c84-4c55-85b4-170cdbc09c35 |
| Name | default |
| Ports | [u'e822d587-5a4d-4124-9c31-a113d773cea8'] |
| Project | 9355437b66f64e8999e30978a7b3c33c |
| Shared | False |
| State | UP |
| Status | ACTIVE |
| project_id | 9355437b66f64e8999e30978a7b3c33c |
+-------------------+-------------------------------------------+

Here is every scenario of security group and fwaas:
|ID|firewall_l2_driver | security_group | _is_supported_by_fw_l2_driver|
|:-|:------------------|:---------------|:-----------------------------|
|1 |noop | openvswitch | True |
|2 |noop | others(*1) | False|
|3 |openvswitch | openvswitch | False |
|4 |openvswitch | others | True|

The correct behaviour is as follows:

|firewall_l2_driver | security_group | _is_supported_by_fw_l2_driver|
|:------------------|:---------------|:-----------------------------|
|noop | openvswitch | False|
|noop | others(*1) | False|
|openvswitch | openvswitch | False |
|openvswitch | others | True |

Revision history for this message
Wang Weijia (wangweij) wrote :

I found that when we create a new vm, at least one security group will be used on this vm if security group is enabled (even if you configure no security group, the default security group will still be used on this vm).
So if port['security_groups'] is none, I can judge that security group is disabled. If ovs_hybrid_plug is False and binding_vif_type is True, I can validate that this port's VIF_TYPE_OVS must be configured by fwaas_l2_driver.

I have committed a patch:
https://review.openstack.org/#/c/605988

Changed in neutron:
assignee: nobody → Wang Weijia (wangweij)
importance: Undecided → Low
status: New → Confirmed
Changed in neutron:
status: Confirmed → In Progress
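The judgment the reporter proposes in the comment above, written out as an added illustration (not neutron-fwaas's own _is_supported_by_fw_l2_driver and not the abandoned patch): an empty security_groups list means security groups are disabled, ovs_hybrid_plug False on an ovs-bound port means the native openvswitch security-group driver owns it, and the noop L2 driver never claims a port. The port dicts are constructed samples using the neutron binding keys binding:vif_type and binding:vif_details.

```python
# Hypothetical re-implementation of the reporter's proposed rule; assumed
# port layout follows neutron's 'binding:vif_type' / 'binding:vif_details'.
NOOP = "noop"
OPENVSWITCH = "openvswitch"
VIF_TYPE_OVS = "ovs"


def security_group_driver(port):
    """Infer which security-group firewall driver handles this port.

    Returns None when security groups are disabled (no group on the port),
    'openvswitch' for the native OVS driver (port plugged directly into
    br-int, ovs_hybrid_plug False), 'others' for anything else (e.g. the
    iptables hybrid driver, which sets ovs_hybrid_plug True).
    """
    if not port.get("security_groups"):
        return None
    details = port.get("binding:vif_details") or {}
    if port.get("binding:vif_type") == VIF_TYPE_OVS and not details.get("ovs_hybrid_plug"):
        return OPENVSWITCH
    return "others"


def is_supported_by_fw_l2_driver(port, firewall_l2_driver=NOOP):
    """True only if the FWaaS L2 driver should program this port's OVS flows."""
    if firewall_l2_driver == NOOP:
        return False  # corrected table rows 1-2: noop never claims a port
    if port.get("binding:vif_type") != VIF_TYPE_OVS:
        return False  # an OVS L2 firewall driver needs an OVS-bound port
    # Row 3: the native OVS security-group driver already owns the port's
    # flows, so the two OVS-based drivers must not both claim it.
    return security_group_driver(port) != OPENVSWITCH


# Constructed sample ports (placeholder IDs, not taken from the report).
NATIVE_OVS_PORT = {"binding:vif_type": "ovs",
                   "binding:vif_details": {"ovs_hybrid_plug": False},
                   "security_groups": ["<default-sg-id>"]}
HYBRID_PORT = {"binding:vif_type": "ovs",
               "binding:vif_details": {"ovs_hybrid_plug": True},
               "security_groups": ["<default-sg-id>"]}
NO_SG_PORT = {"binding:vif_type": "ovs",
              "binding:vif_details": {"ovs_hybrid_plug": False},
              "security_groups": []}
```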
Revision history for this message
Yushiro FURUKAWA (y-furukawa-2) wrote :

First of all, the "firewall_l2_driver" parameter is not for controlling default FWG behavior but for configuring the firewall group L2 driver. We've implemented the default FWG not as an optional feature but as a basic one. Therefore, I don't think it's a bug. Do you want to disable default FWG association? If so, please file a new bug report as "RFE" with your motivation/use-case. Thanks.

In addition, we're trying to make "ovs" the default firewall L2 driver [1].

[1]https://review.openstack.org/#/c/605866/

Changed in neutron:
status: In Progress → Invalid
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-fwaas (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/605988
Reason: As we are going to deprecate master branch in this project this patch is not needed anymore.
