[5.0 Vro] Firewall Policy rules not getting into effect

Bug #1781621 reported by aswani kumar on 2018-07-13
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | Status tracked in Trunk
R5.0 | Fix Released | Critical | Magda Zaremba |
Trunk | Fix Committed | Critical | Magda Zaremba |

Bug Description

Created two firewall policy rules:
1) deny icmp:any:any EP1:global:tier=logic <> EP2:global:tier=db Deployment
2) deny icmp:any:any EP1:global:tier=web <> EP2:global:tier=logic Deployment
3) Added these rules to Firewall policy p1
4) Attached the policy to APS aps1 with application tag Finance

Ping between VMs from web to logic and from logic to db is passing instead of failing.

Found that rule sequence numbers were missing when we attach rules to a policy,
and also when we attach policies to an application policy set.

Created the same scenario from webui and it is working as expected and ping is failing.

The following is the diff when we attach rules to policy and policy to APS:

Application policy set firewall policy refs
Created from vro
firewall_policy_refs: [
  {
    to: [
      "default-policy-management",
      "pol1"
    ],
    href: "http://nodec54:8082/firewall-policy/13d6a6a7-f216-4792-b93c-190253f6af3e",
    attr: null,   --> policy sequence number missing
    uuid: "13d6a6a7-f216-4792-b93c-190253f6af3e"
  }

Created from webui
firewall_policy_refs: [
  {
    to: [
      "default-policy-management",
      "pol1"
    ],
    href: "http://nodec54:8082/firewall-policy/13d6a6a7-f216-4792-b93c-190253f6af3e",
    attr: {
      sequence: "0"
    },
    uuid: "13d6a6a7-f216-4792-b93c-190253f6af3e"
  },
  {
    to: [
      "default-policy-management",
      "p2"
    ],
    href: "http://nodec54:8082/firewall-policy/21ef26cb-902a-4074-bf9d-eeec79db26a2",
    attr: {
      sequence: "1"
    },
    uuid: "21ef26cb-902a-4074-bf9d-eeec79db26a2"
  }
],

Firewall policy with firewall rule refs
Created from vro
firewall_rule_refs: [
  {
    to: [
      "default-policy-management",
      "1de0d5fc-f407-49c9-9ea4-5dbb89f7c77f"
    ],
    href: "http://nodec54:8082/firewall-rule/d83699a8-f679-4ab1-8de8-bbf49f8a09e8",
    attr: null,   --> rule sequence number missing
    uuid: "d83699a8-f679-4ab1-8de8-bbf49f8a09e8"
  }
],

Created from webui
firewall_rule_refs: [
  {
    to: [
      "default-policy-management",
      "5cabca73-d62d-4a5d-a835-aaf6e2b9297b"
    ],
    href: "http://nodec54:8082/firewall-rule/82286e96-99fc-4e0f-aa9d-ff8b4efb2f09",
    attr: {
      sequence: "0"
    },
    uuid: "82286e96-99fc-4e0f-aa9d-ff8b4efb2f09"
  },
  {
    to: [
      "default-policy-management",
      "1de0d5fc-f407-49c9-9ea4-5dbb89f7c77f"
    ],
    href: "http://nodec54:8082/firewall-rule/d83699a8-f679-4ab1-8de8-bbf49f8a09e8",
    attr: {
      sequence: "1"
    },
    uuid: "d83699a8-f679-4ab1-8de8-bbf49f8a09e8"
  }
],
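
A check for the condition identified in the report above, as an added example that is not part of the original report or of the contrail-vro-plugin code: it walks an object's firewall_policy_refs and firewall_rule_refs and lists every ref whose attr carries no sequence. Field names are those shown in the dumps; the object labels and function names are assumptions, and the sample objects are constructed from the values in the report.

```python
# Added example, not code from the report or from contrail-vro-plugin.
# Field names come from the dumps in the report; SAMPLES is constructed from them.
REF_FIELDS = ("firewall_policy_refs", "firewall_rule_refs")


def refs_missing_sequence(obj):
    """Return [(field, uuid)] for each ref in obj with no usable attr.sequence."""
    findings = []
    for field in REF_FIELDS:
        for ref in obj.get(field) or []:
            attr = ref.get("attr")  # null in the vRO-created objects
            seq = attr.get("sequence") if isinstance(attr, dict) else None
            if seq is None or str(seq).strip() == "":
                findings.append((field, ref.get("uuid")))
    return findings


def audit(objects):
    """Map object label -> findings, keeping only objects with a finding."""
    report = {label: refs_missing_sequence(obj) for label, obj in objects.items()}
    return {label: found for label, found in report.items() if found}


def _ref(name, uuid, sequence=None):
    """Build one constructed ref; sequence=None reproduces attr: null."""
    attr = None if sequence is None else {"sequence": sequence}
    return {"to": ["default-policy-management", name], "attr": attr, "uuid": uuid}


# Hypothetical labels; values mirror the four dumps in the report.
SAMPLES = {
    "aps-from-vro": {"firewall_policy_refs": [
        _ref("pol1", "13d6a6a7-f216-4792-b93c-190253f6af3e")]},
    "aps-from-webui": {"firewall_policy_refs": [
        _ref("pol1", "13d6a6a7-f216-4792-b93c-190253f6af3e", "0"),
        _ref("p2", "21ef26cb-902a-4074-bf9d-eeec79db26a2", "1")]},
    "policy-from-vro": {"firewall_rule_refs": [
        _ref("1de0d5fc-f407-49c9-9ea4-5dbb89f7c77f", "d83699a8-f679-4ab1-8de8-bbf49f8a09e8")]},
    "policy-from-webui": {"firewall_rule_refs": [
        _ref("5cabca73-d62d-4a5d-a835-aaf6e2b9297b", "82286e96-99fc-4e0f-aa9d-ff8b4efb2f09", "0"),
        _ref("1de0d5fc-f407-49c9-9ea4-5dbb89f7c77f", "d83699a8-f679-4ab1-8de8-bbf49f8a09e8", "1")]},
}

if __name__ == "__main__":
    for label, found in audit(SAMPLES).items():
        for field, uuid in found:
            print(f"{label}: {field} ref {uuid} has no sequence number")
```

Run against the constructed samples, only the two vRO-created objects are reported; the webui-created ones pass.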

tags: added: vmware

Review in progress for https://review.opencontrail.org/44667
Submitter: Magda (<email address hidden>)

Review in progress for https://review.opencontrail.org/44668
Submitter: Magda (<email address hidden>)

Reviewed: https://review.opencontrail.org/44667
Committed: http://github.com/Juniper/contrail-vro-plugin/commit/f0a313e105bebf9a9b62f56232fb6d551e99d378
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit f0a313e105bebf9a9b62f56232fb6d551e99d378
Author: Magda Zaremba <email address hidden>
Date: Mon Jul 16 17:48:29 2018 +0200

Add firewall sequence number when adding relations

Change-Id: I026b5288b56c926c06ebe332c332ae65e56658d6
Closes-Bug: #1781621

Reviewed: https://review.opencontrail.org/44668
Committed: http://github.com/Juniper/contrail-vro-plugin/commit/1df4958114e7a4a01c9b8fe6b55d8038341f5f1f
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit 1df4958114e7a4a01c9b8fe6b55d8038341f5f1f
Author: Magda Zaremba <email address hidden>
Date: Mon Jul 16 17:48:29 2018 +0200

Add firewall sequence number when adding relations

Change-Id: I026b5288b56c926c06ebe332c332ae65e56658d6
Closes-Bug: #1781621
