FWaaS: Ip tables rules do not get updated in case of distributed virtual routers (DVR)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | New | Undecided | Sridar Kandaswamy |
Bug Description
I have set up an HA/DVR deployment of OpenStack Pike on Ubuntu 16.04 and enabled FWaaS v1. After applying the fix from Bug #1715395, firewall rules get created in the HA/DVR case, but updates do not have any effect, e.g. when you disassociate a firewall from a distributed router.
Use Case:
1. Set up an HA/DVR deployment of OpenStack Pike.
2. Create a firewall rule.
$ neutron firewall-
Created a new firewall_rule:
+------
| Field | Value |
+------
| action | reject |
| description | |
| destination_
| destination_port | |
| enabled | True |
| firewall_policy_id | |
| id | 6c2516cb-
| ip_version | 4 |
| name | test-rule |
| position | |
| project_id | ed2d2efd86dd40e
| protocol | icmp |
| shared | False |
| source_ip_address | |
| source_port | |
| tenant_id | ed2d2efd86dd40e
+------
3. Create a firewall policy.
$ neutron firewall-
Created a new firewall_policy:
+------
| Field | Value |
+------
| audited | False |
| description | |
| firewall_rules | 6c2516cb-
| id | 53a8d733-
| name | test-policy |
| project_id | ed2d2efd86dd40e
| shared | False |
| tenant_id | ed2d2efd86dd40e
+------
4. Create a firewall.
$ neutron firewall-create --name test-firewall test-policy
Created a new firewall:
+------
| Field | Value |
+------
| admin_state_up | True |
| description | |
| firewall_policy_id | 53a8d733-
| id | a468caca-
| name | test-firewall |
| project_id | ed2d2efd86dd40e
| router_ids | |
| status | INACTIVE |
| tenant_id | ed2d2efd86dd40e
+------
5. Assign the firewall to a distributed router.
$ neutron firewall-update --router demo-router test-firewall
Updated firewall: test-firewall
6. Spawn a virtual machine and assign a floating ip.
7. Check namespaces on the compute node hosting the virtual machine.
$ ip netns
fip-4a3959c3-
qrouter-
8. Check the iptables rules in the router's namespace.
$ ip netns exec qrouter-
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-
Chain FORWARD (policy ACCEPT 40 packets, 2400 bytes)
pkts bytes target prot opt in out source destination
185 11100 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
185 11100 neutron-
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
185 11100 neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
185 11100 neutron-
0 0 neutron-
39 2340 neutron-
0 0 neutron-
0 0 neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0xffff
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9697
Chain neutron-
pkts bytes target prot opt in out source destination
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-
Chain neutron-
pkts bytes target prot opt in out source destination
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
39 2340 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 DROP all -- * rfp-09a379b5-9 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000000/
0 0 DROP all -- * qr-2cd58562-ad 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000000/
9. Disassociate the firewall from the router.
$ neutron firewall-update --no-routers test-firewall
Updated firewall: test-firewall
10. Recheck the iptables rules within the router's namespace.
$ ip netns exec qrouter-
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-
Chain FORWARD (policy ACCEPT 127 packets, 7668 bytes)
pkts bytes target prot opt in out source destination
698 41976 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
698 41976 neutron-
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
698 41976 neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
698 41976 neutron-
99 5988 neutron-
366 21960 neutron-
99 5988 neutron-
0 0 neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0xffff
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9697
Chain neutron-
pkts bytes target prot opt in out source destination
Chain neutron-
pkts bytes target prot opt in out source destination
99 5988 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-
Chain neutron-
pkts bytes target prot opt in out source destination
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
366 21960 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 DROP all -- * rfp-09a379b5-9 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000000/
0 0 DROP all -- * qr-2cd58562-ad 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000000/
11. The iptables rules "0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-
$ neutron firewall-show test-firewall
+------
| Field | Value |
+------
| admin_state_up | True |
| description | |
| firewall_policy_id | 53a8d733-
| id | a468caca-
| name | test-firewall |
| project_id | ed2d2efd86dd40e
| router_ids | |
| status | INACTIVE |
| tenant_id | ed2d2efd86dd40e
+------
12. The "neutron-
May someone please have a look?
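The mismatch the report describes, `firewall-show` reporting an empty `router_ids` while the router namespace still carries the policy's `REJECT icmp` rules, can be checked mechanically. The following is an added example, not code from the report or from Neutron: it parses `iptables -nvL` output for a router namespace and lists firewall-policy rules that contradict the API state. The chain names `neutron-l3-agent-iv4EXAMPLE` / `neutron-l3-agent-ov4EXAMPLE` and the sample listing are constructed placeholders (the report truncates the real names; the `iv`/`ov` prefixes for the FWaaS v1 ingress/egress chains are an assumption), and the `state INVALID` / `RELATED,ESTABLISHED` lines are treated as driver boilerplate rather than policy content.

```python
import re
from dataclasses import dataclass

# Assumption: FWaaS v1 puts its per-firewall ingress/egress chains under the
# l3-agent wrap name with "iv4"/"ov4" prefixes. The bug report truncates them.
FWAAS_CHAIN_PREFIXES = ("neutron-l3-agent-iv", "neutron-l3-agent-ov")

CHAIN_HEADER = re.compile(r"^Chain (\S+) \(")
# columns: pkts bytes target prot opt in out source destination [extra match text]
RULE_LINE = re.compile(r"^\s*" + r"(\S+)\s+" * 8 + r"(\S+)\s*(.*)$")


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    proto: str
    source: str
    dest: str
    extra: str  # e.g. "state INVALID" or "reject-with icmp-port-unreachable"


def parse_iptables(text):
    """Return {chain_name: [Rule, ...]} from `iptables -nvL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        header = CHAIN_HEADER.match(line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        # skip blank lines and the per-chain column header
        if current is None or not line.strip() or line.split()[0] == "pkts":
            continue
        m = RULE_LINE.match(line)
        if m:
            chains[current].append(
                Rule(current, m.group(3), m.group(4), m.group(8), m.group(9),
                     m.group(10).strip()))
    return chains


def policy_rules(chains, prefixes=FWAAS_CHAIN_PREFIXES):
    """Rules in the FWaaS chains that originate from the firewall policy,
    i.e. everything except the conntrack boilerplate the driver always emits."""
    found = []
    for name, rules in chains.items():
        if name.startswith(prefixes):
            found.extend(r for r in rules if not r.extra.startswith("state "))
    return found


def stale_rules(chains, router_ids):
    """Policy rules that contradict the API: when the firewall is attached to
    no router (empty router_ids), none of them should remain in the namespace."""
    if router_ids:
        return []
    return policy_rules(chains)


# Constructed snapshot modelled on step 10 of the report (after --no-routers).
AFTER_DETACH = """\
Chain FORWARD (policy ACCEPT 127 packets, 7668 bytes)
 pkts bytes target     prot opt in     out     source               destination
  698 41976 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  698 41976 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-iv4EXAMPLE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain neutron-l3-agent-ov4EXAMPLE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  366 21960 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

if __name__ == "__main__":
    # router_ids as reported by `neutron firewall-show` after the detach: empty
    for rule in stale_rules(parse_iptables(AFTER_DETACH), router_ids=[]):
        print(f"stale: {rule.chain}: {rule.target} {rule.proto} {rule.extra}")
```

Run it on the output of `ip netns exec qrouter-<id> iptables -nvL` from each compute node hosting the router, together with the `router_ids` value from `firewall-show`; any line it prints is a rule the data plane still enforces although the API says the firewall is detached, which is exactly the divergence steps 10 to 12 show.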
summary:
- FWaaS: Ip tables rules do not get updated in case of distributed routers - (DVR)
+ FWaaS: Ip tables rules do not get updated in case of distributed virtual routers (DVR)
Changed in neutron:
assignee: nobody → Reedip (reedip-banerjee)
Actually it's the other way round.