Wrong ordered fw_rules when set them into fw_policy

Bug #1671338 reported by zhaobo on 2017-03-09
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Low
zhaobo

Bug Description

There are 3 sample fw_rules in server. And I expect the order is tcp - ping - denyany
openstack firewall group rule list
+--------------------------------------+---------+---------+------------------------------------------------+
| ID | Name | Enabled | Summary |
+--------------------------------------+---------+---------+------------------------------------------------+
| 563841d1-1ae7-4c74-9231-fab88d44a76c | denyany | True | ANY, |
| | | | source(port): none specified(none specified), |
| | | | dest(port): none specified(none specified), |
| | | | deny |
| ab93b257-9449-4545-b46b-8ec011df14e7 | ping | True | ICMP, |
| | | | source(port): 1.1.1.1(none specified), |
| | | | dest(port): none specified(none specified), |
| | | | reject |
| d53d4015-50e4-4fb2-ab0d-1f7231065012 | tcp | True | TCP, |
| | | | source(port): 2.2.2.2(2222), |
| | | | dest(port): none specified(none specified), |
| | | | deny |
+--------------------------------------+---------+---------+------------------------------------------------+
Then I set them into fw_policy as my expect order.
openstack firewall group policy set test --firewall-rule tcp
openstack firewall group policy set test --firewall-rule ping
openstack firewall group policy set test --firewall-rule denyany

But I saw the order had changed and the backend driver will apply the rules in the wrong order.
openstack firewall group policy list
+--------------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------+
| ID | Name | Firewall Rules |
+--------------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------+
| 1b93f923-daff-40cc-8145-a3267769f26d | test | [u'563841d1-1ae7-4c74-9231-fab88d44a76c', u'ab93b257-9449-4545-b46b-8ec011df14e7', u'd53d4015-50e4-4fb2-ab0d-1f7231065012'] |
+--------------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------+

Currently, neutron-fwaas accept the arguments with full list of fw_rules on fw_policy create/update. So this must be a OSC bug.

Reedip (reedip-banerjee) wrote :

Hi zhaobo: The data is coming as an ordered list. I do not think this is an issue with OSC, will look into from the FWaaS side as well.

Changed in neutron:
assignee: nobody → Reedip (reedip-banerjee)
zhaobo (zhaobo6) wrote :

@reedip, I traced the issue from server side to client..hah..The server side is OK, it will process the ordered fw_rules according to the input fw_rule list. But it is OK that you could check the server side more careful if I miss something. :)

Reedip (reedip-banerjee) wrote :

Hi zhaobo :
Please check the paste information : http://paste.openstack.org/show/602045/

The issue arises from https://github.com/openstack/python-neutronclient/blob/master/neutronclient/osc/v2/fwaas/firewallpolicy.py#L63

The issue is the implementation of SET() in python :
>>> p=[1,5,3,6,2,4]
>>> set(p)
set([1, 2, 3, 4, 5, 6])
>>>

Python can change the order of the elements in a list when it is making a set from a list, for easier working.

zhaobo (zhaobo6) wrote :

I had introduced a patch to neutron-client.

https://review.openstack.org/#/c/442980/

I found CLI will change the order. I make the behavior like my understood. Please review if you have time. :P

zhaobo (zhaobo6) wrote :

@reedip, Thank you very much. :)

Reedip (reedip-banerjee) wrote :

Hi zhaobo ,
I pushed a patch https://review.openstack.org/#/c/443518/1.
Didnt know you also created a patch yesterday.

Note: can you please link such patches early on, so that others can avoid duplicate patches?? :)
Saves effort

Changed in neutron:
assignee: Reedip (reedip-banerjee) → zhaobo (zhaobo6)
status: New → In Progress
importance: Undecided → Low

This issue was fixed in the openstack/python-neutronclient 6.2.0 release.

This issue was fixed in the openstack/python-neutronclient 6.1.1 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers