fwaas: After deleting all routers or interfaces firewall status should not show as active
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Incomplete | Wishlist | Unassigned |
Bug Description
After deleting all routers, the firewall status should not show as active.
From the admin tenant as well as a user tenant, the firewall becomes active as per the steps below:
1. create firewall (after creating firewall rule and policy)
2. create router
3. Add at least one network interface to the router
4. firewall becomes active
However, from the admin tenant, if we create the router and then the firewall, the firewall becomes active without the need to add any network interface to the router. In this sequence of firewall creation, the firewall becomes active in a user tenant only after adding an interface to the router.
In both of the above cases, the firewall doesn't become inactive or down when deleting all the interfaces in the router or deleting all the routers.
Steps to Reproduce:
1. create a firewall rule and attach it to the newly created firewall policy
2. create a firewall with the above policy
3. create a router and attach any network interface
4. the firewall becomes active
5. remove the network interface from router or delete the router
Actual Results:
firewall status shows as active
Expected results:
firewall status should show as DOWN
root@IGA-OSC:~# rid r1 55088e59-
Removed interface from router r1.
root@IGA-OSC:~# rid r1 fb8b1745-
Removed interface from router r1.
root@IGA-OSC:~# rd r1
Deleted router: r1
root@IGA-OSC:~# fws f1
+------
| Field | Value |
+------
| admin_state_up | True |
| description | |
| firewall_policy_id | 9db0f412-
| id | 6422127f-
| name | f1 |
| status | ACTIVE |
| tenant_id | d9481c57a11c46e
+------
root@IGA-OSC:~# neutron router-list
Changed in neutron: importance: Undecided → Medium
In the current FWaaS model, when a firewall is created on a tenant, it is applied on all routers in the tenant. And if a new router gets added on the tenant, the firewall is added to that as well.
The FW plugin does not track the routers (or router interfaces) on the tenant in this implementation. So when router(s) is/are deleted on a tenant we cannot track this incremental change on the plugin. Ideally, only when the last router (or router interface) is deleted would we like to drive the FWaaS state to PENDING_DELETE and then move it to DELETED.
While this support can be added, the eventual goal for FWaaS has always been to be aligned with the Service Insertion model. The current approach (deploy on all routers) is an artifact of the first implementation. Now that Service Insertion (https://review.openstack.org/#/c/93128/) is being targeted for Juno, with this we will be able to validate the insertion points (be it routers or router interfaces) and track any changes on these resources as well. So then this issue will not be relevant.
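To make the gap described in the comment above concrete, here is a small constructed model (added example, not neutron's FWaaS plugin code) of the insertion-point tracking the plugin lacks: a tenant firewall is ACTIVE only while some router in the tenant has an interface, and removing the last interface or router drives it through PENDING_DELETE to DOWN, matching the reporter's expected result for a user tenant. Tenant, router and interface names are made up.

```python
from collections import defaultdict

ACTIVE, PENDING_DELETE, DOWN = "ACTIVE", "PENDING_DELETE", "DOWN"


class FirewallTracker:
    """Constructed model: firewall status derived from tracked router interfaces."""

    def __init__(self):
        # tenant -> router -> set of interface ids (the insertion points)
        self.routers = defaultdict(lambda: defaultdict(set))
        self.status = {}        # tenant -> current firewall status
        self.transitions = []   # (tenant, old, new) audit trail of status changes

    def _set(self, tenant, new):
        old = self.status.get(tenant)
        if old != new:
            self.transitions.append((tenant, old, new))
            self.status[tenant] = new

    def _refresh(self, tenant):
        if tenant not in self.status:
            return  # no firewall on this tenant yet, nothing to derive
        if any(self.routers[tenant].values()):   # at least one interface somewhere
            self._set(tenant, ACTIVE)
        elif self.status[tenant] == ACTIVE:       # last insertion point just went away
            self._set(tenant, PENDING_DELETE)
            self._set(tenant, DOWN)
        else:
            self._set(tenant, DOWN)

    def create_firewall(self, tenant):
        self._set(tenant, DOWN)            # no insertion point yet, so not active
        self._refresh(tenant)

    def create_router(self, tenant, router):
        self.routers[tenant].setdefault(router, set())
        self._refresh(tenant)

    def add_interface(self, tenant, router, iface):
        self.routers[tenant][router].add(iface)
        self._refresh(tenant)

    def remove_interface(self, tenant, router, iface):
        self.routers[tenant][router].discard(iface)
        self._refresh(tenant)

    def delete_router(self, tenant, router):
        self.routers[tenant].pop(router, None)   # drops its interfaces with it
        self._refresh(tenant)


def reproduce_report(t="user-tenant"):
    """Replays the reporter's steps; returns the firewall status after each one."""
    fw, seen = FirewallTracker(), []
    for step in (lambda: fw.create_firewall(t), lambda: fw.create_router(t, "r1"),
                 lambda: fw.add_interface(t, "r1", "if-1"), lambda: fw.add_interface(t, "r1", "if-2"),
                 lambda: fw.remove_interface(t, "r1", "if-1"), lambda: fw.remove_interface(t, "r1", "if-2"),
                 lambda: fw.delete_router(t, "r1")):
        step()
        seen.append(fw.status[t])
    return seen
```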