Firewall remain in active state even after deleting router associated with firewall

Bug #1503595 reported by ranjitray
This bug affects 3 people
| Affects | Status    | Importance | Assigned to | Milestone |
| neutron | Won't Fix | High       | Unassigned  |           |

Bug Description

Steps to Reproduce:
==================
1. Create a network, subnet, router and add a router interface
2. Create firewall rule
3. Create firewall policy with the above firewall rule
4. Create firewall with the above policy
And make the above router set to the firewall.

5. Then delete the router attached to the firewall and check the status of the firewall

Issue:
  Firewall remains in ACTIVE state even though the router id field is blank when getting the details of the firewall
{code}
stack@stevens-creek:~/firewall$ neutron firewall-list
+--------------------------------------+---------+--------------------------------------+
| id                                   | name    | firewall_policy_id                   |
+--------------------------------------+---------+--------------------------------------+
| 71746ed4-4e12-48c6-8db5-31543276058e | user-fw | 320f68ea-4947-484d-af32-5ead4f368348 |
+--------------------------------------+---------+--------------------------------------+
stack@stevens-creek:~/firewall$ neutron firewall-show user-fw
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 320f68ea-4947-484d-af32-5ead4f368348 |
| id                 | 71746ed4-4e12-48c6-8db5-31543276058e |
| name               | user-fw                              |
| router_ids         |                                      |
| status             | ACTIVE                               |
| tenant_id          | 84dc1f66b8b34fb2a48e2dce7031f279     |
+--------------------+--------------------------------------+
stack@stevens-creek:~/firewall$
{code}

Expected:

  Firewall state should change to either pending or error state.

Tags: fwaas
Ihar Hrachyshka (ihar-hrachyshka) wrote :

Indeed, update_firewall_routers() does not update the status field for the Firewall model if router_ids are empty.

Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
Changed in neutron:
assignee: nobody → PrasannaaTS (tsprasannaa83)
Changed in neutron:
importance: Medium → High
Manjeet Singh Bhatia (manjeet-s-bhatia) wrote :

Seems like no activity for more than 2 months? I am assigning this to myself.

Changed in neutron:
assignee: PrasannaaTS (tsprasannaa83) → Manjeet Singh Bhatia (manjeet-s-bhatia)
Manjeet Singh Bhatia (manjeet-s-bhatia) wrote :

I don't see this issue with a single-node devstack; it's updating the status properly.

I think it's resolved. I wanted to mark this invalid, but it seems like only a supervisor can do that.

Either you need to provide more info (which branch, how many nodes you are using), or this is fixed or invalid.

Changed in neutron:
status: Confirmed → Fix Released
Sean M. Collins (scollins) wrote :

I'll set this to incomplete - to see if the reporter can come back and verify. There may have been a related fix that resolved this, but was not linked to this bug.

Changed in neutron:
status: Fix Released → Incomplete
Manjeet Singh Bhatia (manjeet-s-bhatia) wrote :

http://paste.openstack.org/show/489751/

This is what I am getting.

Bao Fangyan (baofangyan) wrote :

Hi, scollins, manjeet-s-bhatia:
IMO, the reporter means that when the last router associated with the firewall is deleted (not disassociated), the status of the firewall still stays ACTIVE.
I can reproduce it in the master branch as follows:
1. Create firewall1 and associate it with router1:
$ neutron firewall-show firewall1
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | b971b5ba-1c8a-41c7-b9d0-ceb27ed5223d |
| id                 | e02f3586-073f-4b79-b8b2-be90a6d39b2f |
| name               | firewall1                            |
| router_ids         | b10c055c-898b-4dc5-a731-cc252601dd5a |
| status             | ACTIVE                               |
| tenant_id          | a31def0865924f15a31ffcc2985ef985     |
+--------------------+--------------------------------------+

2. Delete router1, check the status of firewall1:
$ neutron router-show b10c055c-898b-4dc5-a731-cc252601dd5a
Unable to find router with name or id 'b10c055c-898b-4dc5-a731-cc252601dd5a'
$ neutron firewall-show firewall1
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | b971b5ba-1c8a-41c7-b9d0-ceb27ed5223d |
| id                 | e02f3586-073f-4b79-b8b2-be90a6d39b2f |
| name               | firewall1                            |
| router_ids         |                                      |
| status             | ACTIVE                               |
| tenant_id          | a31def0865924f15a31ffcc2985ef985     |
+--------------------+--------------------------------------+

The operation of deleting a router can be done with the dashboard [1]; it will automatically remove internal interfaces on router delete. With the CLI, it can be done only when it has no internal interfaces.

Although it has little influence on the actual function, the status is confusing.
Maybe we should update the status of the firewall or just make some constraints in Horizon.

[1] https://review.openstack.org/#/c/132742/
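
An added example, not part of the bug thread or of neutron's own code: a Python check that parses `neutron firewall-show` table output and flags the state reproduced above, a firewall reporting ACTIVE while `router_ids` is empty. The function names and the handling of rows with an empty Field cell as continuation values are assumptions; the sample table is abridged from the output quoted in this report.

```python
# Added example: audit `neutron firewall-show` output for the state in this bug.
# BEFORE is abridged from the firewall1 output quoted in the report.
BEFORE = """\
+------------+--------------------------------------+
| Field      | Value                                |
+------------+--------------------------------------+
| name       | firewall1                            |
| router_ids | b10c055c-898b-4dc5-a731-cc252601dd5a |
| status     | ACTIVE                               |
+------------+--------------------------------------+
"""
# Constructed: the same table after the router is deleted (router_ids blank).
AFTER = BEFORE.replace("b10c055c-898b-4dc5-a731-cc252601dd5a", " " * 36)


def parse_show(text):
    """Turn a Field/Value table into {field: [values]}."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.lstrip().startswith("|"):
            continue  # border, shell prompt or blank line
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or cells == ["Field", "Value"]:
            continue
        key, value = cells
        if key:
            last = key
            fields[key] = []
        if value and last is not None:
            # Assumption: an empty Field cell continues the previous field.
            fields[last].append(value)
    return fields


def is_orphaned_active(text):
    """True when the firewall reports ACTIVE but is bound to no router."""
    f = parse_show(text)
    return f.get("status") == ["ACTIVE"] and not f.get("router_ids")


def audit(outputs):
    """Return the names of firewalls in the ACTIVE-without-router state."""
    return [parse_show(o)["name"][0] for o in outputs if is_orphaned_active(o)]


if __name__ == "__main__":
    print(audit([BEFORE, AFTER]))
```
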

Armando Migliaccio (armando-migliaccio) wrote :

Do we still expect to fix bugs to an implementation that is meant to be supplanted?

Changed in neutron:
status: Incomplete → Won't Fix
assignee: Manjeet Singh Bhatia (manjeet-s-bhatia) → nobody