FWaaS V2 failures with Ml2 is Linuxbridge or security group driver is iptables_hybrid

Bug #1746855 reported by Nguyen Phuong An
This bug affects 3 people
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Nguyen Phuong An

Bug Description

Currently, the FWaaS L2 driver based on openvswitch only works correctly with VM ports that land on compute nodes whose mechanism driver is openvswitch. So if you try to add a VM port to a FWG, and that port lands on a compute node whose mechanism driver is linuxbridge, then the FWaaS API won't work.

Nguyen Phuong An (annp)
description: updated
Yushiro FURUKAWA (y-furukawa-2) wrote :

Yes, this is what An and I are working on now at https://review.openstack.org/#/c/536234 .
@An, please change the topic name of your patch.

Changed in neutron:
status: New → Confirmed
Nguyen Phuong An (annp)
description: updated
summary: - Fwaas V2 doesn't support Linuxbridge
+ FWaaS V2 doesn't support Linuxbridge
Nguyen Phuong An (annp)
Changed in neutron:
assignee: nobody → Nguyen Phuong An (annp)
summary: - FWaaS V2 doesn't support Linuxbridge
+ FWaaS V2 failures with Ml2 is Linuxbridge or security group driver is
+ iptables_hybrid
Changed in neutron:
importance: Undecided → High
Changed in neutron:
status: Confirmed → In Progress
Jakub Libosvar (libosvar) wrote :

Is this RC material?

Yushiro FURUKAWA (y-furukawa-2) wrote :

Hi Jakub. Yes, I hope this bug is RC material.

Changed in neutron:
milestone: none → queens-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (master)

Reviewed: https://review.openstack.org/536234
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=358c2edb53c9bfc8ad1d91d74f3a16a1a07fc502
Submitter: Zuul
Branch: master

commit 358c2edb53c9bfc8ad1d91d74f3a16a1a07fc502
Author: Nguyen Phuong An <email address hidden>
Date: Mon Jan 22 13:50:55 2018 +0700

    Validating if a port is supported by FWaaS L2 driver

    Currently, FWaaS L2 driver based OVS only works correctly with
    VM ports, which are landed at compute nodes with:
        * mechanism_drivers=openvswitch
        * firewall_driver=noop or openvswitch for security group

    If you try to add a VM port to a FWG, which is landed at compute
    nodes with:
        * mechanism_drivers=linuxbridge and firewall_driver=iptables
        * mechanism_drivers=openvswitch and firewall_driver=iptables_hybrid
    Then, FWaaS V2 API won't work correctly.

    So this patch validates if VM ports are supported fully by FWaaS L2
    driver at this moment. In the future, if FWaaS L2 driver can support
    not only hybrid port but also other ports, we can remove this validation.

    Change-Id: Ib0a85b55840d8dfe6bcae91484a0440902d3c49a
    Closes-Bug: #1746855
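
An added example, not part of the bug report and not the code from the neutron-fwaas patch: an operator-side audit that flags firewall-group ports falling outside the support matrix in the commit message above. It assumes the backend can be read from the Neutron port-binding attributes `binding:vif_type` and `binding:vif_details["ovs_hybrid_plug"]`; the function names and the sample ports are constructed for illustration.

```python
# Added example. Assumption (not stated on the page): the port's backend is
# inferred from its binding attributes as returned by the Neutron port API.
NOT_BOUND = {"unbound", "binding_failed"}


def fwaas_l2_support(port):
    """Return (supported, reason) for one Neutron port dict (hypothetical helper)."""
    vif_type = port.get("binding:vif_type", "unbound")
    details = port.get("binding:vif_details") or {}
    if vif_type in NOT_BOUND:
        return False, "port is not bound to a host (%s)" % vif_type
    if vif_type != "ovs":
        # e.g. vif_type "bridge" when mechanism_drivers=linuxbridge
        return False, "vif_type '%s' is not openvswitch" % vif_type
    if details.get("ovs_hybrid_plug"):
        # openvswitch mechanism driver with firewall_driver=iptables_hybrid
        return False, "ovs hybrid plug (iptables_hybrid)"
    return True, "openvswitch port without hybrid plug"


def audit_firewall_group(fwg_port_ids, ports):
    """List (port_id, reason) for firewall-group ports the L2 driver cannot filter."""
    by_id = {p["id"]: p for p in ports}
    findings = []
    for port_id in fwg_port_ids:
        port = by_id.get(port_id)
        if port is None:
            findings.append((port_id, "port not found"))
            continue
        supported, reason = fwaas_l2_support(port)
        if not supported:
            findings.append((port_id, reason))
    return findings


# Constructed sample data: one port per backend named in the commit message.
SAMPLE_PORTS = [
    {"id": "port-ovs-native", "binding:vif_type": "ovs",
     "binding:vif_details": {"ovs_hybrid_plug": False}},
    {"id": "port-ovs-hybrid", "binding:vif_type": "ovs",
     "binding:vif_details": {"ovs_hybrid_plug": True}},
    {"id": "port-linuxbridge", "binding:vif_type": "bridge",
     "binding:vif_details": {"port_filter": True}},
    {"id": "port-failed", "binding:vif_type": "binding_failed",
     "binding:vif_details": {}},
]

if __name__ == "__main__":
    ids = [p["id"] for p in SAMPLE_PORTS] + ["port-missing"]
    for port_id, reason in audit_firewall_group(ids, SAMPLE_PORTS):
        print("%s: %s" % (port_id, reason))
```

Any port listed by the audit is one where a firewall group rule set should not be assumed to be enforced at L2.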

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-fwaas 12.0.0.0rc1

This issue was fixed in the openstack/neutron-fwaas 12.0.0.0rc1 release candidate.
