FWaaS: Invalid port error on associating L3 ports (Router in HA) to firewall group

Bug #1759773 reported by Sridar Kandaswamy
This bug affects 4 people
Affects: neutron
Status: Confirmed
Importance: Undecided
Assigned to: Sridar Kandaswamy

Bug Description

From: Ignazio Cassano:

I am trying to use fwaas v2 on centos 7 openstack ocata.
After creating firewall rules and a policy, I am looking to create a firewall
group.
I am able to create the firewall group, but it does not work when I try to
set the ports into it.

openstack firewall group set --port 87173e27-c2b3-4a67-83d0-d8645d9f309b prova
Failed to set firewall group 'prova': Firewall Group Port 87173e27-c2b3-4a67-83d0-d8645d9f309b is invalid
Neutron server returns request_ids: ['req-9ef8ad1e-9fad-4956-8aff-907c32d01e1f']

Tags: fwaas
Sridar Kandaswamy (skandasw) wrote :

I filed the bug on behalf of Ignazio and have confirmed the issue to be due to the validation checks in the plugin for the device_owner. I am evaluating potential other issues in an HA scenario.

The port in question:

[root@podto1-osctrl01 ~]# openstack port show c8f6541f-5b47-49dd-a1dd-28d1310ced90 -f json
{
  "allowed_address_pairs": "",
  "extra_dhcp_opts": "",
  "updated_at": "2018-03-22T13:46:28Z",
  "device_owner": "network:ha_router_replicated_interface",
  "revision_number": 20,
  "port_security_enabled": true,
  "fixed_ips": "ip_address='10.138.136.19', subnet_id='284fe1de-fe62-4548-913d-fb8fca30c364'",
  "id": "c8f6541f-5b47-49dd-a1dd-28d1310ced90",
  "security_groups": "4d2fdd79-0f6c-4c26-a87b-a76b5d12901e",
  "option_value": null,
  "binding_vnic_type": "normal",
  "option_name": null,
  "description": "",
  "qos_policy_id": null,
  "mac_address": "fa:16:3e:03:10:f5",
  "project_id": "0e760ccde5d24af5a571de40220fbf80",
  "status": "ACTIVE",
  "binding_profile": "",
  "binding_vif_type": "ovs",
  "binding_vif_details": "ovs_hybrid_plug='True', port_filter='True'",
  "dns_assignment": "fqdn='host-10-138-136-19.openstacklocal.', hostname='host-10-138-136-19', ip_address='10.138.136.19'",
  "ip_address": null,
  "device_id": "7ddd5e26-59da-4c58-bbc3-c3a18e412d9c",
  "name": "",
  "admin_state_up": "UP",
  "network_id": "c4731392-9b91-4663-adb3-b10b5ebcc4f1",
  "dns_name": "",
  "created_at": "2018-03-21T16:34:11Z",
  "subnet_id": null,
  "binding_host_id": "podto1-osctrl02"
}

Changed in neutron:
status: New → Confirmed
assignee: nobody → Sridar Kandaswamy (skandasw)
tags: added: fwaas
Chris Wright (chwright) wrote :

Can confirm the issue. For someone that knows the code better: is all that needs to be done for the actual check from this line in fwaas_plugin_v2.py to be updated:

if (device_owner not in [nl_constants.DEVICE_OWNER_ROUTER_INTF] and
                not device_owner.startswith(
                    nl_constants.DEVICE_OWNER_COMPUTE_PREFIX)):

to include DEVICE_OWNER_HA_REPLICATED_INT? Will that work, or are there other parts of the code that need to be changed (to insert the rules in each of the HA routers)?
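
The check quoted in the comment above, modelled as an added example that is not part of the original thread or the neutron-fwaas code: it runs the quoted condition and a hypothetical variant with the HA owner added over a constructed port list. The function names and sample ports are assumptions, and it covers only the plugin's validation, not whether rules get applied in each HA router instance.

```python
# Added illustration, not neutron-fwaas code. The three values are assumed to
# match neutron_lib.constants and are copied as plain strings so the example
# runs without OpenStack installed.
DEVICE_OWNER_ROUTER_INTF = "network:router_interface"
DEVICE_OWNER_HA_REPLICATED_INT = "network:ha_router_replicated_interface"
DEVICE_OWNER_COMPUTE_PREFIX = "compute:"


def port_accepted_current(device_owner):
    """Condition quoted in the thread, inverted so True means 'accepted'."""
    return not (device_owner not in [DEVICE_OWNER_ROUTER_INTF] and
                not device_owner.startswith(DEVICE_OWNER_COMPUTE_PREFIX))


def port_accepted_proposed(device_owner):
    """Hypothetical variant: the same allowlist plus the HA interface owner."""
    allowed = [DEVICE_OWNER_ROUTER_INTF, DEVICE_OWNER_HA_REPLICATED_INT]
    return (device_owner in allowed or
            device_owner.startswith(DEVICE_OWNER_COMPUTE_PREFIX))


def audit_ports(ports, check):
    """Return ids of ports the check would refuse to bind to a firewall group.

    A missing or null device_owner is treated as an empty string, so such
    ports stay rejected (the allowlist fails closed).
    """
    return [p["id"] for p in ports if not check(p.get("device_owner") or "")]


# Constructed sample: the first entry reuses the id and device_owner of the
# port shown in this report; the others are made-up ports for comparison.
SAMPLE_PORTS = [
    {"id": "c8f6541f-5b47-49dd-a1dd-28d1310ced90",
     "device_owner": "network:ha_router_replicated_interface"},
    {"id": "sample-router-port", "device_owner": "network:router_interface"},
    {"id": "sample-vm-port", "device_owner": "compute:nova"},
    {"id": "sample-dhcp-port", "device_owner": "network:dhcp"},
]

if __name__ == "__main__":
    print("rejected by quoted check:  ",
          audit_ports(SAMPLE_PORTS, port_accepted_current))
    print("rejected by proposed check:",
          audit_ports(SAMPLE_PORTS, port_accepted_proposed))
```

Running the same audit over the `device_owner` values from `openstack port list --long -f json` shows which router interfaces in a deployment currently cannot be placed behind a firewall group.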

Hyunsun Moon (hyunsun-moon) wrote :

Any update on this bug?
