DVR: FWaaS rules created for a router after the FIP and VM created, not applied to routers rfp port on router-update

Bug #1845557 reported by Swaminathan Vasudevan
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

This was seen in Rocky.

When a network, subnet, router and VM instance are created with a FloatingIP before the Firewall rules are attached to the router, the Firewall rules are not applied to the 'rfp' port for north-south routing when using Firewall-as-a-Service in legacy 'iptables' mode.

After applying the Firewall rules to the Router, the router-update is expected to trigger adding the Firewall rules to the existing routers, but the logic is not right.

Any new VM added to the subnet on a new compute host gets the Firewall rules applied to the 'rfp' interface.

So the only way to get around this problem is to restart the 'l3-agent'. Once the 'l3-agent' is restarted, the Firewall rules are applied again.

This is also true when Firewall rules are removed after the VM and routers are in place: since the update is not handled properly, the firewall rules may stay there until we reboot the l3-agent.

How to reproduce this problem:

This is FWaaS v2 with legacy 'iptables':

1. Create a Network
2. Create a Subnet
3. Create a Router (DVR)
4. Attach the Subnet to the router.
5. Assign the gateway to the router.
6. Create a VM on the given private network.
7. Create a FloatingIP and associate the FloatingIP to the VM's private IP.
8. Now the VM, router, fipnamespace are all in place.
9. Now create Firewall rules
 neutron firewall-rule-create --protocol icmp --action allow --name allow-icmp
 neutron firewall-rule-create --protocol tcp --destination-port 80 --action deny --name deny-http
 neutron firewall-rule-create --protocol tcp --destination-port 22 --action allow --name allow-ssh
10. Then create firewall policy
  neutron firewall-policy-create --firewall-rules "allow-icmp deny-http allow-ssh" policy-fw
11. Create a firewall
   neutron firewall-create policy-fw --name user-fw
12. Check if the firewall was created:
   neutron firewall-show user-fw
13. If the firewall was created after the routers have been created, based on the documentation you need to manually update the router.
  $ neutron firewall-update --router <router-1-id> --router <router-2-id> <firewall-name>
14. After the update we would expect the existing router-1 and router-2 to have the firewall rules.

But we don't see it configured for router-1, which was created before the firewall was created.
And so the VM is not protected by the Firewall rules.
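
A way to confirm the state the report describes without guessing, as an added example that is not part of the bug report or of neutron-fwaas: run `iptables -S` inside the affected router namespace on the compute host and check whether any firewall chain is reached from the rfp interface. The sample rule sets below are constructed; the `neutron-l3-agent-iv*/ov*` chain naming and the `rfp-+` interface wildcard are assumptions about the legacy iptables driver, so adjust the regex if your deployment names chains differently.

```python
"""Diagnose whether FWaaS rules reached the rfp port of a DVR router.

Added example, not code from the bug report or from neutron-fwaas. It parses
`iptables -S` output from a qrouter namespace. The sample outputs are
constructed; the neutron-l3-agent-iv*/ov* chain names and the rfp-+ wildcard
are assumptions about the legacy driver's naming.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional, Set

_OPT = re.compile(r"(?:^|\s)(-A|-i|-o|-j)\s+(\S+)")
_FW_CHAIN = re.compile(r"-(iv|ov)[0-9a-f]+$")  # assumed per-firewall chain suffix


class Rule:
    def __init__(self, chain: str, in_if: Optional[str], out_if: Optional[str],
                 target: Optional[str], raw: str) -> None:
        self.chain, self.in_if, self.out_if, self.target, self.raw = chain, in_if, out_if, target, raw


def parse_iptables_save(text: str) -> List[Rule]:
    """Keep only '-A' lines; '-P' and '-N' lines carry no interface match."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue
        opts = dict(_OPT.findall(line))   # -A/-i/-o/-j appear at most once each
        rules.append(Rule(opts["-A"], opts.get("-i"), opts.get("-o"), opts.get("-j"), line))
    return rules


def firewall_chains(rules: List[Rule]) -> Set[str]:
    """Chains that look like per-firewall ingress/egress chains, as chain or as jump target."""
    names = set()
    for r in rules:
        for name in (r.chain, r.target):
            if name and _FW_CHAIN.search(name):
                names.add(name)
    return names


def attached_interfaces(rules: List[Rule], chains: Set[str]) -> Dict[str, Set[str]]:
    """Map each firewall chain to the interface patterns whose rules jump into it."""
    out: Dict[str, Set[str]] = {c: set() for c in chains}
    for r in rules:
        if r.target in out:
            out[r.target].update(i for i in (r.in_if, r.out_if) if i)
    return out


def diagnose(text: str) -> str:
    rules = parse_iptables_save(text)
    chains = firewall_chains(rules)
    if not chains:
        return "no-firewall-chains"   # the host was never notified at all
    ifaces = set().union(*attached_interfaces(rules, chains).values())
    if any(i.startswith("rfp-") for i in ifaces):
        return "ok"
    return "rfp-missing"              # rules exist, but the north-south path bypasses them


def namespace_rules(router_id: str) -> str:
    """Read the live rule set from the router namespace (needs root on the compute host)."""
    ns = f"qrouter-{router_id}"
    return subprocess.run(["ip", "netns", "exec", ns, "iptables", "-S"],
                          check=True, capture_output=True, text=True).stdout


# Constructed sample: compute host never received the firewall-update (the bug).
NEVER_NOTIFIED = """\
-P FORWARD ACCEPT
-N neutron-l3-agent-FORWARD
-A FORWARD -j neutron-l3-agent-FORWARD
"""
# Constructed sample: firewall chains hooked on the qr- side only.
QR_ONLY = NEVER_NOTIFIED + """\
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-iv8a1e3f0c2d
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-ov8a1e3f0c2d
-A neutron-l3-agent-iv8a1e3f0c2d -p icmp -j ACCEPT
-A neutron-l3-agent-iv8a1e3f0c2d -p tcp -m tcp --dport 80 -j DROP
-A neutron-l3-agent-iv8a1e3f0c2d -p tcp -m tcp --dport 22 -j ACCEPT
-A neutron-l3-agent-ov8a1e3f0c2d -j ACCEPT
"""
# Constructed sample: what the report says appears after an l3-agent restart.
AFTER_RESTART = QR_ONLY + """\
-A neutron-l3-agent-FORWARD -o rfp-+ -j neutron-l3-agent-iv8a1e3f0c2d
-A neutron-l3-agent-FORWARD -i rfp-+ -j neutron-l3-agent-ov8a1e3f0c2d
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python3 check.py <router-id>
        print(diagnose(namespace_rules(sys.argv[1])))
    for name, sample in (("never-notified", NEVER_NOTIFIED), ("qr-only", QR_ONLY),
                         ("after-restart", AFTER_RESTART)):
        print(f"{name:15s} {diagnose(sample)}")
```

Run it with the router ID on each compute host that carries a VM behind the router; a result other than `ok` on a host where a VM holds a FloatingIP is the condition the report describes, and the only listed workaround is restarting the l3-agent on that host.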

Changed in neutron:
assignee: nobody → Swaminathan Vasudevan (swaminathan-vasudevan)
status: New → Confirmed
summary: - DVR: FWaaS rules created for a router after the FIP and VM created not
- applied to routers rfp port
+ DVR: FWaaS rules created for a router after the FIP and VM created, not
+ applied to routers rfp port on router-update
Changed in neutron:
importance: Undecided → High
Revision history for this message
Swaminathan Vasudevan (swaminathan-vasudevan) wrote :

This function call is the culprit for DVR routers.
https://github.com/openstack/neutron-fwaas/blob/stable/rocky/neutron_fwaas/services/firewall/fwaas_plugin.py#L177

The DVR routers are always scheduled to the network node, but the routers on the compute hosts are created based on requirement.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/686029

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (stable/rocky)

Reviewed: https://review.opendev.org/686029
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=20fd02611674da5365e93d06f330d1f76fd71e3e
Submitter: Zuul
Branch: stable/rocky

commit 20fd02611674da5365e93d06f330d1f76fd71e3e
Author: Swaminathan Vasudevan <email address hidden>
Date: Tue Oct 1 18:12:57 2019 +0000

    FWaaS-DVR: FWaaS rules not updated in DVR routers on compute host

    When a firewall is created after the routers have been deployed,
    we are supposed to manually do a firewall-update on specific routers
    where we wanted the firewall policy to be applied in the case of
    FWaaS-v1.
    But in the case of DVR routers, we have seen the firewall-update
    for routers that are deployed in the compute hosts are not getting
    propagated properly.
    The reason is the firewall update, firewall delete and firewall
    create events are not notified to all the respective router hosts.
    The original code only handles getting the host information from
    the routers that are scheduled to the l3 agent, but in the case of
    DVR routers, the routers are only scheduled to the network node l3
    agents and the other distributed routers on compute are created
    based on the service port binding.

    This bug is applicable only for FWaaS-v1 and the patch should be
    applied for Rocky release and below, since FWaaS-v1 is not supported
    in Stein and Train release.

    This patch fixes the problem described above by taking care of
    collecting all the hosts involved with DVR routers and notifying
    them.

    Change-Id: I7ef193baba9447d0f09cd9544cce9d05a956b920
    Closes-Bug: #1845557

tags: added: in-stable-rocky
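
The commit message above pins the cause on host selection: firewall create/update/delete events went only to the hosts whose l3 agent the router was scheduled to, which for a DVR router is the network node, while the compute hosts that run the router because of a service port binding were never told. The toy model below is an added example, not neutron-fwaas code; the topology, host names and event list are constructed, and it replays the report's steps (firewall-update, l3-agent restart, rule removal) through both fan-out strategies to show which hosts end up with missing or stale rules.

```python
"""Toy model of the firewall-event fan-out that the fix changes.

Added example, not neutron-fwaas code. Topology, host names and events are
constructed; fanout_legacy mirrors the pre-fix host selection described in
the commit message (l3-agent scheduling only) and fanout_fixed the post-fix
one (plus every compute host carrying the DVR router).
"""
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Constructed topology (assumption): DVR routers are scheduled only to the
# network node's l3 agent; a compute host runs a copy because a VM port bound
# there sits on one of the router's subnets.
L3_AGENT_HOSTS: Dict[str, Set[str]] = {
    "router-1": {"network-node-1"},
    "router-2": {"network-node-1"},
}
DVR_SERVICE_PORT_HOSTS: Dict[str, Set[str]] = {
    "router-1": {"compute-1"},   # the VM with the FloatingIP from the repro steps
    "router-2": {"compute-2"},
}
ALL_HOSTS = {"network-node-1", "compute-1", "compute-2"}

Event = Tuple[str, List[str], Optional[str]]   # (kind, router_ids, policy)


def hosts_running_router(router_id: str) -> Set[str]:
    """Every host that actually has a namespace for this router."""
    return (L3_AGENT_HOSTS.get(router_id, set())
            | DVR_SERVICE_PORT_HOSTS.get(router_id, set()))


def fanout_legacy(router_ids: Iterable[str]) -> Set[str]:
    """Pre-fix: notify only hosts whose l3 agent the router is scheduled to."""
    return set().union(*(L3_AGENT_HOSTS.get(r, set()) for r in router_ids))


def fanout_fixed(router_ids: Iterable[str]) -> Set[str]:
    """Post-fix: also notify the compute hosts carrying the DVR router."""
    return set().union(*(hosts_running_router(r) for r in router_ids))


class L3AgentSim:
    """One l3 agent: remembers which firewall policy it programmed per router."""

    def __init__(self, host: str) -> None:
        self.host = host
        self.programmed: Dict[str, str] = {}

    def handle(self, kind: str, router_ids: Iterable[str], policy: Optional[str]) -> None:
        for rid in router_ids:
            if self.host not in hosts_running_router(rid):
                continue                      # not my router, nothing to program
            if kind == "delete":
                self.programmed.pop(rid, None)
            else:                             # create / update
                self.programmed[rid] = policy or ""

    def resync(self, server: Dict[str, str]) -> None:
        """What an l3-agent restart does: full sync from the server's view."""
        self.programmed = {rid: pol for rid, pol in server.items()
                           if self.host in hosts_running_router(rid)}


def simulate(fanout: Callable[[Iterable[str]], Set[str]],
             events: Iterable[Event]) -> Tuple[Dict[str, Dict[str, str]], Dict[str, str]]:
    """Replay events through a fan-out; return (per-host state, server state)."""
    agents = {h: L3AgentSim(h) for h in ALL_HOSTS}
    server: Dict[str, str] = {}               # router -> policy the API believes is applied
    for kind, router_ids, policy in events:
        if kind == "restart-l3-agents":
            for agent in agents.values():
                agent.resync(server)
            continue
        for rid in router_ids:
            if kind == "delete":
                server.pop(rid, None)
            else:
                server[rid] = policy or ""
        for host in fanout(router_ids):
            agents[host].handle(kind, router_ids, policy)
    return {h: dict(a.programmed) for h, a in agents.items()}, server


def out_of_sync(state: Dict[str, Dict[str, str]],
                server: Dict[str, str]) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Hosts whose programmed rules differ from what the server expects there."""
    drift = {}
    for host, programmed in state.items():
        expected = {rid: pol for rid, pol in server.items()
                    if host in hosts_running_router(rid)}
        if programmed != expected:
            drift[host] = {"expected": expected, "programmed": programmed}
    return drift


# Step 13 of the report: firewall-update --router router-1 --router router-2
UPDATE_ONLY: List[Event] = [("update", ["router-1", "router-2"], "policy-fw")]
# Second symptom: rules linger after removal unless the agent is restarted
UPDATE_RESTART_DELETE: List[Event] = UPDATE_ONLY + [
    ("restart-l3-agents", [], None),
    ("delete", ["router-1"], None),
]

if __name__ == "__main__":
    for name, fanout in (("legacy", fanout_legacy), ("fixed", fanout_fixed)):
        for label, events in (("update", UPDATE_ONLY), ("delete", UPDATE_RESTART_DELETE)):
            state, server = simulate(fanout, events)
            print(f"{name:6s} {label:6s} out of sync: {sorted(out_of_sync(state, server))}")
```

With the legacy fan-out, the update never reaches compute-1 or compute-2 (the VM is unprotected), and after a restart has brought them in sync the delete leaves compute-1 holding a policy the server no longer has; with the fixed fan-out every host matches the server after each event.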
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/686819

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.opendev.org/686820

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (stable/queens)

Reviewed: https://review.opendev.org/686819
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=eab443dc098c8b50d7540274e147058cd03275c8
Submitter: Zuul
Branch: stable/queens

commit eab443dc098c8b50d7540274e147058cd03275c8
Author: Swaminathan Vasudevan <email address hidden>
Date: Tue Oct 1 18:12:57 2019 +0000

    FWaaS-DVR: FWaaS rules not updated in DVR routers on compute host

    When a firewall is created after the routers have been deployed,
    we are supposed to manually do a firewall-update on specific routers
    where we wanted the firewall policy to be applied in the case of
    FWaaS-v1.
    But in the case of DVR routers, we have seen the firewall-update
    for routers that are deployed in the compute hosts are not getting
    propagated properly.
    The reason is the firewall update, firewall delete and firewall
    create events are not notified to all the respective router hosts.
    The original code only handles getting the host information from
    the routers that are scheduled to the l3 agent, but in the case of
    DVR routers, the routers are only scheduled to the network node l3
    agents and the other distributed routers on compute are created
    based on the service port binding.

    This bug is applicable only for FWaaS-v1 and the patch should be
    applied for Rocky release and below, since FWaaS-v1 is not supported
    in Stein and Train release.

    This patch fixes the problem described above by taking care of
    collecting all the hosts involved with DVR routers and notifying
    them.

    Change-Id: I7ef193baba9447d0f09cd9544cce9d05a956b920
    Closes-Bug: #1845557
    (cherry picked from commit 20fd02611674da5365e93d06f330d1f76fd71e3e)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-fwaas 12.0.2

This issue was fixed in the openstack/neutron-fwaas 12.0.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-fwaas 13.0.3

This issue was fixed in the openstack/neutron-fwaas 13.0.3 release.

Changed in neutron:
status: Confirmed → Fix Released
Revision history for this message
Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: Swaminathan Vasudevan (swaminathan-vasudevan) → nobody
tags: added: timeout-abandon
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-fwaas (stable/pike)

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: stable/pike
Review: https://review.opendev.org/c/openstack/neutron-fwaas/+/686820
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
