fwaas:Firewall in "active" status is not working when there is no external g/w to the router

Bug #1320775 reported by Rajkumar
This bug affects 2 people
Affects    Status        Importance  Assigned to   Milestone
neutron    Fix Released  High        Rajesh Mohan
Icehouse   Fix Released  Undecided   Unassigned

Bug Description

Steps to Reproduce:
1. Create two networks connected to the router, each network having a VM.
2. Create a firewall rule of ICMP deny.
3. Attach the firewall rule to the policy.
4. Create a firewall with that policy and check that the firewall is active.
5. Try to ping from one VM to the other VM.

Actual Results:
The VM is able to ping even though the firewall is active. However, the ping fails as expected after creating an external gateway to the router.

Expected Results:
It should fail since the firewall is active.

Rajkumar (raj15)
tags: added: fwaas
Changed in neutron:
importance: Undecided → High
assignee: nobody → Sumit Naiksatam (snaiksat)
milestone: none → juno-1
Changed in neutron:
assignee: Sumit Naiksatam (snaiksat) → Rajesh Mohan (rajesh.mohan)
Revision history for this message
Rajesh Mohan (rajesh.mohan) wrote :

In process_router(), the iptables apply is deferred (as per the commit message, this is done to improve performance).

https://github.com/openstack/neutron/blob/master/neutron/agent/l3_agent.py#L418

When ext_gw is present, it is turned off (to enable NAT rules). We could do something similar when a firewall is enabled on the router.

Since the FWaaS driver was originally designed as a perimeter firewall, this was always tested with an external gateway and we did not see this issue.

I will post a patch with apply_defer_off() in the firewall path.

Changed in neutron:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/94516

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/94516
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6167cb55e2f62a645487d66e52b809c9599b3bb8
Submitter: Jenkins
Branch: master

commit 6167cb55e2f62a645487d66e52b809c9599b3bb8
Author: Rajesh Mohan <email address hidden>
Date: Tue May 20 19:41:26 2014 -0700

    Do not defer IPTables apply in firewall path

    By default, iptables apply is deferred in L3 agent. For
    external gateways, iptables is applied immediately (to
    enable NAT for floating IP). Similarly, when firewall
    is created/updated/deleted, iptables rules are applied
    immediately.

    Change-Id: I4f652a030ae23a71a2e20af2e8ef0ad5b882b80e
    Closes-Bug: #1320775

Changed in neutron:
status: In Progress → Fix Committed
tags: added: icehouse-backport-potential
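The failure mode described in Rajesh Mohan's comment and in the commit message above is easy to lose in the agent's size, so here is a reduced model of it. This is an added example, not neutron's code: it keeps only the semantics the comment describes (a per-router iptables manager whose apply() is a silent no-op while deferral is on, a process_router() that turns deferral on for every router but only turns it off on the external-gateway path, and a firewall driver that trusts apply()), and contrasts the pre-fix driver with one that calls defer_apply_off() in the firewall path as the comment proposes. All class and function names, the placeholder chain and rule strings, the qg- interface name and the 203.0.113.10 address are constructed for the example.

```python
"""Reduced model of neutron's deferred iptables apply (added example).

Not neutron code. Mirrors only the behaviour the bug comment describes:
the L3 agent's IptablesManager has a deferred flag, apply() returns
without touching the kernel while the flag is set, and defer_apply_off()
clears the flag and pushes the staged rule set. All names are my own.
"""


class IptablesManagerModel:
    """Stand-in for the per-router IptablesManager (hypothetical)."""

    def __init__(self):
        self.pending = []      # rules staged in memory by callers
        self.kernel = []       # rules actually pushed (stand-in for iptables-restore)
        self.deferred = False

    def add_rule(self, chain, rule):
        self.pending.append((chain, rule))

    def defer_apply_on(self):
        self.deferred = True

    def defer_apply_off(self):
        self.deferred = False
        self._apply()

    def apply(self):
        # Same shape as the real manager: a silent no-op while deferred.
        if self.deferred:
            return
        self._apply()

    def _apply(self):
        # Whole-table push, as iptables-restore would do.
        self.kernel = list(self.pending)


def process_router(ipt_mgr, has_external_gateway):
    """Model of the pre-fix l3_agent.process_router(): deferral is switched
    on for every router but only switched off on the gateway/NAT path."""
    ipt_mgr.defer_apply_on()
    ipt_mgr.add_rule("FORWARD", "-j neutron-l3-agent-FORWARD")  # constructed placeholder
    if has_external_gateway:
        # constructed SNAT rule; interface and address are illustrative
        ipt_mgr.add_rule("POSTROUTING",
                         "-o qg-gateway -j SNAT --to-source 203.0.113.10")
        ipt_mgr.defer_apply_off()
    # No else branch: a router without a gateway is left in deferred state.


def create_firewall_buggy(ipt_mgr, rules):
    """Firewall driver path before the fix: stage the rules, then call
    apply() and trust that it reached the kernel."""
    for rule in rules:
        ipt_mgr.add_rule("neutron-l3-agent-iv4fw", rule)
    ipt_mgr.apply()


def create_firewall_fixed(ipt_mgr, rules):
    """Firewall driver path with the comment's proposal: call
    defer_apply_off() so the rules are pushed immediately, whatever state
    process_router() left the manager in."""
    for rule in rules:
        ipt_mgr.add_rule("neutron-l3-agent-iv4fw", rule)
    ipt_mgr.defer_apply_off()


FW_RULES = ["-p icmp -j DROP"]   # constructed: the reporter's "icmp deny" rule


def firewall_in_kernel(create_firewall, has_external_gateway):
    """Run the two agent paths in the order the agent does and report
    whether the ICMP deny rule actually reached the modelled kernel."""
    mgr = IptablesManagerModel()
    process_router(mgr, has_external_gateway)
    create_firewall(mgr, FW_RULES)
    return ("neutron-l3-agent-iv4fw", "-p icmp -j DROP") in mgr.kernel


if __name__ == "__main__":
    for label, fn in (("buggy", create_firewall_buggy),
                      ("fixed", create_firewall_fixed)):
        for gw in (False, True):
            print(f"{label} driver, external gateway={gw}: "
                  f"ICMP deny applied={firewall_in_kernel(fn, gw)}")
```

The buggy driver only fails for the no-gateway router, which matches the report: the firewall shows "active" because the API and driver calls all succeeded, yet nothing changed in the router namespace. On a real deployment the check that distinguishes the two cases is to list the rules inside the router's namespace (ip netns exec qrouter-<router-id> iptables -S) rather than trusting the firewall status field.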
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/98206

Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/icehouse)

Reviewed: https://review.openstack.org/98206
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=cd7a622d3b6a3c1d0e6d810993e2b78adb232b9a
Submitter: Jenkins
Branch: stable/icehouse

commit cd7a622d3b6a3c1d0e6d810993e2b78adb232b9a
Author: Rajesh Mohan <email address hidden>
Date: Tue May 20 19:41:26 2014 -0700

    Do not defer IPTables apply in firewall path

    By default, iptables apply is deferred in L3 agent. For
    external gateways, iptables is applied immediately (to
    enable NAT for floating IP). Similarly, when firewall
    is created/updated/deleted, iptables rules are applied
    immediately.

    Change-Id: I4f652a030ae23a71a2e20af2e8ef0ad5b882b80e
    Closes-Bug: #1320775
    (cherry picked from commit 6167cb55e2f62a645487d66e52b809c9599b3bb8)

tags: added: in-stable-icehouse
Chuck Short (zulcss)
tags: removed: icehouse-backport-potential
Thierry Carrez (ttx)
Changed in neutron:
milestone: juno-1 → 2014.2