neutron

Wrong ordered fw_rules when set them into fw_policy

Bug #1671338 reported by zhaobo on 2017-03-09

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Won't Fix	Low	zhaobo

Bug Description

There are 3 sample fw_rules in server. And I expect the order is tcp - ping - denyany
openstack firewall group rule list
+--------------------------------------+---------+---------+------------------------------------------------+
| ID | Name | Enabled | Summary |
+--------------------------------------+---------+---------+------------------------------------------------+
| 563841d1-1ae7-4c74-9231-fab88d44a76c | denyany | True | ANY, |
| | | | source(port): none specified(none specified), |
| | | | dest(port): none specified(none specified), |
| | | | deny |
| ab93b257-9449-4545-b46b-8ec011df14e7 | ping | True | ICMP, |
| | | | source(port): 1.1.1.1(none specified), |
| | | | dest(port): none specified(none specified), |
| | | | reject |
| d53d4015-50e4-4fb2-ab0d-1f7231065012 | tcp | True | TCP, |
| | | | source(port): 2.2.2.2(2222), |
| | | | dest(port): none specified(none specified), |
| | | | deny |
+--------------------------------------+---------+---------+------------------------------------------------+
Then I set them into fw_policy as my expect order.
openstack firewall group policy set test --firewall-rule tcp
openstack firewall group policy set test --firewall-rule ping
openstack firewall group policy set test --firewall-rule denyany

But I saw the order had changed and the backend driver will apply the rules in the wrong order.
openstack firewall group policy list
+--------------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------+
| ID | Name | Firewall Rules |
+--------------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------+
| 1b93f923-daff-40cc-8145-a3267769f26d | test | [u'563841d1-1ae7-4c74-9231-fab88d44a76c', u'ab93b257-9449-4545-b46b-8ec011df14e7', u'd53d4015-50e4-4fb2-ab0d-1f7231065012'] |
+--------------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------+

Currently, neutron-fwaas accept the arguments with full list of fw_rules on fw_policy create/update. So this must be a OSC bug.

Revision history for this message

Reedip (reedip-banerjee-deactivatedaccount) wrote on 2017-03-09:

#1

Hi zhaobo: The data is coming as an ordered list. I do not think this is an issue with OSC, will look into from the FWaaS side as well.

Changed in neutron:
assignee:	nobody → Reedip (reedip-banerjee)

Revision history for this message

zhaobo (zhaobo6) wrote on 2017-03-09:

#2

@reedip, I traced the issue from server side to client..hah..The server side is OK, it will process the ordered fw_rules according to the input fw_rule list. But it is OK that you could check the server side more careful if I miss something. :)

Revision history for this message

Reedip (reedip-banerjee-deactivatedaccount) wrote on 2017-03-09:

#3

Hi zhaobo :
Please check the paste information : http://paste.openstack.org/show/602045/

The issue arises from https://github.com/openstack/python-neutronclient/blob/master/neutronclient/osc/v2/fwaas/firewallpolicy.py#L63

The issue is the implementation of SET() in python :
>>> p=[1,5,3,6,2,4]
>>> set(p)
set([1, 2, 3, 4, 5, 6])
>>>

Python can change the order of the elements in a list when it is making a set from a list, for easier working.

Revision history for this message

Reedip (reedip-banerjee-deactivatedaccount) wrote on 2017-03-09:

#4

Sorrym wrong line number: https://github.com/openstack/python-neutronclient/blob/master/neutronclient/osc/v2/fwaas/firewallpolicy.py#L60

Revision history for this message

zhaobo (zhaobo6) wrote on 2017-03-09:

#5

I had introduced a patch to neutron-client.

https://review.openstack.org/#/c/442980/

I found CLI will change the order. I make the behavior like my understood. Please review if you have time. :P

Revision history for this message

zhaobo (zhaobo6) wrote on 2017-03-09:

#6

@reedip, Thank you very much. :)

Revision history for this message

Reedip (reedip-banerjee-deactivatedaccount) wrote on 2017-03-09:

#7

Hi zhaobo ,
I pushed a patch https://review.openstack.org/#/c/443518/1.
Didnt know you also created a patch yesterday.

Note: can you please link such patches early on, so that others can avoid duplicate patches?? :)
Saves effort

Changed in neutron:
assignee:	Reedip (reedip-banerjee) → zhaobo (zhaobo6)
status:	New → In Progress
importance:	Undecided → Low

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-04-12: Fix included in openstack/python-neutronclient 6.2.0

#8

This issue was fixed in the openstack/python-neutronclient 6.2.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-22: Fix included in openstack/python-neutronclient 6.1.1

#9

This issue was fixed in the openstack/python-neutronclient 6.1.1 release.

Revision history for this message

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote on 2022-11-30:

#10

Bug closed due to lack of activity, please feel free to reopen if needed.

Changed in neutron:
status:	In Progress → Won't Fix

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.