Can not clear source or dest port (range) for existing firewall rule

Bug #1651420 reported by Jesse
Affects: neutron
Status: Won't Fix
Importance: Undecided
Assigned to: Jesse
Milestone: (none)

Bug Description

We need to give users a way to update a firewall rule to clear the source or destination port (range).

We can create a firewall-rule with source-ip-address and destination-ip-address set, for example:
[root@node-1 ~]# neutron firewall-rule-create --source-ip-address 0.0.0.0/0 --source-port 1234 --destination-ip-address 192.168.2.0/24 --destination-port 22 --protocol tcp --action allow
Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| action | allow |
| description | |
| destination_ip_address | 192.168.2.0/24 |
| destination_port | 22 |
| enabled | True |
| firewall_policy_id | |
| id | f44e6557-7d1b-44f0-a5e6-aad2e77c9ad1 |
| ip_version | 4 |
| name | |
| position | |
| protocol | tcp |
| shared | False |
| source_ip_address | 0.0.0.0/0 |
| source_port | 1234 |
| tenant_id | e8cf9c9245f24f209263465bcb2cc8c4 |
+------------------------+--------------------------------------+
If we want to update this rule and don't want to set source_port or destination_port, we cannot do it for now.

I expect to clear the source_port by using the following command:
[root@node-1 ~]# neutron firewall-rule-update 47cd4350-6c9e-4803-bda7-749774d36dcc --source-port ''
Updated firewall_rule: 47cd4350-6c9e-4803-bda7-749774d36dcc
[root@node-1 ~]# neutron firewall-rule-show 47cd4350-6c9e-4803-bda7-749774d36dcc
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| action | allow |
| description | |
| destination_ip_address | 192.168.2.0/24 |
| destination_port | 22 |
| enabled | True |
| firewall_policy_id | |
| id | 47cd4350-6c9e-4803-bda7-749774d36dcc |
| ip_version | 4 |
| name | |
| position | |
| protocol | tcp |
| shared | False |
| source_ip_address | 0.0.0.0/0 |
| source_port | |
| tenant_id | e8cf9c9245f24f209263465bcb2cc8c4 |
+------------------------+--------------------------------------+

Tags: fwaas
Jesse (jesse-5)
Changed in neutron:
assignee: nobody → Jesse (jesse-5)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/413057

Changed in neutron:
status: New → In Progress
tags: added: fwaas
John Davidge (john-davidge) wrote :

This sounds like an enhancement request to me, but we need more information about the change you'd like to see and why it's needed. Please see:

http://docs.openstack.org/developer/neutron/policies/bugs.html#bug-report-template

Changed in neutron:
status: In Progress → Incomplete
Jesse (jesse-5)
description: updated
Reedip (reedip-banerjee-deactivatedaccount) wrote :

1) You can always create a new firewall rule (as a workaround).
2) There is a provision to update Source and Destination ports in FWaaS v1 and v2 [1][2]
3) Besides, this is also being taken care of in neutron-fwaas's OSC implementation and not in the neutronclient implementation. [3]

[1]: https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/extensions/firewall.py#L283
[2]: https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/extensions/firewall_v2.py#L219
[3]: https://review.openstack.org/#/c/351582/38/neutronclient/osc/v2/fwaas/firewallrule.py@355

Jesse (jesse-5) wrote :

Hi @Reedip, yes we can update the source and destination ports, but we cannot update them to null.

Reedip (reedip-banerjee-deactivatedaccount) wrote :

Hey Jesse,
That functionality will be provided in the OpenStackClient's firewall implementation (unset command).

That would solve this issue, hopefully.

Jesse (jesse-5) wrote :

Hi Reedip,
Using the unset command in OpenStackClient is a good way, but the neutron server side should be updated to support the unset, and my patch tries to update the neutron server side. :)

Reedip (reedip-banerjee-deactivatedaccount) wrote :

Hi Jesse,
You can set it to None.
If we do not provide SRC and DEST port, then it defaults to None
https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/extensions/firewall_v2.py#L229

So I think the unset action of OpenStackClient can easily send the request to set source port and destination port to None and thus proceed forward with the functionality you want.

Jesse (jesse-5) wrote :

Hi Reedip,
If we want to update source_port in rule, we need to provide source_port in REST, then neutron-fwaas will update the source_port. If there is no source_port in REST, neutron-fwaas will not update the source_port.
https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/db/firewall/v2/firewall_db_v2.py#L361

If we provide source_port in REST, we can only provide number now.

Jesse (jesse-5) wrote :

Hi Reedip,
sorry, I didn't notice that the JSON allows a null value to be set, like this:
curl -g -i -X PUT http://172.30.0.2:9696/v2.0/fw/firewall_rules/47cd4350-6c9e-4803-bda7-749774d36dcc.json -H "User-Agent: python-neutronclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}3afadc514e8f5b4b537b4dd0034706a15270dc20" -d '{"firewall_rule": {"source_port": null, "destination_port": null}}'

Now the issue is that neutronclient does not take care of the null set for source_port and destination_port. :)
We can update it in OSC.
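The distinction the thread arrives at is between omitting a key from the PUT body (the server leaves the field alone) and sending it as JSON null (the server clears it). The following is an added example, not code from neutron-fwaas or neutronclient, that builds such a request body with a sentinel for "not supplied" and simulates the server-side update semantics described above; the colon-separated `low:high` range syntax in `validate_port` is an assumption, not taken from the report.

```python
import json

# Sentinel meaning "field not supplied": the key is left out of the PUT
# body, so the server keeps the stored value (see the firewall_db_v2 remark).
UNSET = object()


def validate_port(value):
    """Accept a single port or a 'low:high' range.
    The colon separator is an assumption for this example."""
    parts = value.split(":")
    if len(parts) > 2:
        raise ValueError("bad port spec: %r" % value)
    nums = [int(p) for p in parts]
    if any(n < 1 or n > 65535 for n in nums) or nums != sorted(nums):
        raise ValueError("port out of range: %r" % value)
    return ":".join(str(n) for n in nums)


def build_rule_update(source_port=UNSET, destination_port=UNSET):
    """Build the JSON body for PUT /v2.0/fw/firewall_rules/<id>.
    UNSET -> key omitted (unchanged); None -> JSON null (cleared);
    a string -> validated and sent as the new port/range."""
    rule = {}
    for key, value in (("source_port", source_port),
                       ("destination_port", destination_port)):
        if value is UNSET:
            continue
        rule[key] = None if value is None else validate_port(value)
    return json.dumps({"firewall_rule": rule})


def apply_update(stored_rule, body):
    """Simulated server behaviour (not fwaas code): only keys present in
    the body are written; a null value clears the field."""
    updated = dict(stored_rule)
    updated.update(json.loads(body)["firewall_rule"])
    return updated


# Constructed sample rule mirroring the one in the bug description.
RULE = {"id": "f44e6557-7d1b-44f0-a5e6-aad2e77c9ad1", "protocol": "tcp",
        "source_port": "1234", "destination_port": "22"}

if __name__ == "__main__":
    body = build_rule_update(source_port=None)  # clear only source_port
    print(body)
    print(apply_update(RULE, body))
```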

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-fwaas (master)

Change abandoned by Jesse (<email address hidden>) on branch: master
Review: https://review.openstack.org/413057
Reason: We can set null in REST json to source_port and destination_port to clear firewall rule source or dest port (range).

Now we need to update neutronclient or openstackclient to allow source or dest port (range) to be set to null.

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Bug closed due to lack of activity, please feel free to reopen if needed.

Changed in neutron:
status: Incomplete → Won't Fix