[FWaaS]Firewall rule for fip's DNAT traffic, destination address should be this fip
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Expired | Undecided | Unassigned |
Bug Description
Bug description:
When we write a firewall group rule which limits a fip's DNAT traffic, for example when we want to accept the traffic into a VM bound to a fip, the rule's destination address currently should be the VM's intranet IP address (not the fip's IP address).
However, if we associate this fip to another VM, the previous firewall group rule will be wrong, because we just want to restrict the traffic into this fip. We have to change the firewall group rule's destination address to the other VM's intranet IP.
So every time we change the fip association, we should change the firewall group rule's destination address.
Analysis:
Iptables processes DNAT in the PREROUTING chain of the nat table, which is processed before the FORWARD chain of the filter table.
So if we write a firewall rule to limit a fip's DNAT traffic, the destination address must be an intranet IP.
Essentially, if we want to write a firewall group rule to limit an IP's DNAT traffic, we can only limit an intranet IP address, not a fip's IP address.
Scenario:
We want to access the traffic to port 80 of a fip (166.166.166.5):
1. Associate a fip 166.166.166.5 on a VM (intranet IP: 192.168.1.10)
2. Create a firewall group, policy and rule
3. Associate the fwg to the router(
[root@vm ~]# openstack firewall group rule show 055af78e-
+------
| Field | Value |
+------
| Action | allow |
| Description | |
| Destination IP Address | 192.168.1.10 |
| Destination Port | 80 |
| Enabled | True |
| ID | 055af78e-
| IP Version | 4 |
| Name | in-192.
| Project | 9355437b66f64e8
| Protocol | tcp |
| Shared | False |
| Source IP Address | None |
| Source Port | None |
| firewall_policy_id | [u'3996f090-
| project_id | 9355437b66f64e8
+------
#3996f090-
[root@vm ~]# ip netns exec snat-0cbd237f-
-A neutron-
[root@vm ~]# ip netns exec snat-0cbd237f-
-A neutron-
4. Associate the fip 166.166.166.5 to another VM (intranet IP: 192.168.1.11)
[root@vm ~]# ip netns exec snat-0cbd237f-
-A neutron-
[root@vm ~]# ip netns exec snat-0cbd237f-
-A neutron-
5. This firewall rule loses efficacy.
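As an added illustration (not part of the bug report or of Neutron's code), a small Python model of the traversal order the analysis describes: nat PREROUTING rewrites the destination before filter FORWARD sees the packet, so a FORWARD rule keyed on the fip never matches, and a rule keyed on the intranet address stops matching at step 4. The `ctorigdst` rule form is my assumption about a possible mitigation, modelling a FORWARD rule that matches the pre-DNAT destination the way iptables' conntrack original-destination match would; the report itself does not propose it.

```python
# Model of iptables traversal for the report's scenario: nat PREROUTING (DNAT)
# runs before filter FORWARD, so FORWARD only ever sees the post-DNAT destination.
# Addresses are the report's; the rules and packets are constructed here.
from dataclasses import dataclass, field

FIP = "166.166.166.5"

@dataclass
class Packet:
    dst: str
    dport: int
    orig_dst: str = field(init=False)   # what conntrack remembers as the pre-DNAT destination

    def __post_init__(self):
        self.orig_dst = self.dst

def prerouting_dnat(pkt: Packet, fip_map: dict) -> Packet:
    """nat PREROUTING: rewrite the destination if it is an associated fip."""
    if pkt.dst in fip_map:
        pkt.dst = fip_map[pkt.dst]
    return pkt

def forward_allows(pkt: Packet, rules: list) -> bool:
    """filter FORWARD: first matching allow rule wins, default drop.
    'dst' matches the current (post-DNAT) destination, which is what the FWaaS rule
    in the report produces; 'ctorigdst' matches the pre-DNAT destination (assumed
    conntrack original-destination match)."""
    for r in rules:
        if r["dport"] != pkt.dport:
            continue
        if r.get("dst") == pkt.dst or r.get("ctorigdst") == pkt.orig_dst:
            return True
    return False

def traverse(fip_map: dict, rules: list, dport: int = 80) -> bool:
    """Send one packet addressed to the fip through PREROUTING then FORWARD."""
    return forward_allows(prerouting_dnat(Packet(FIP, dport), fip_map), rules)

RULE_INTRANET = [{"dst": "192.168.1.10", "dport": 80}]   # the rule from steps 2-3
RULE_FIP      = [{"dst": FIP, "dport": 80}]              # the rule the reporter wanted
RULE_ORIGDST  = [{"ctorigdst": FIP, "dport": 80}]        # assumed mitigation form

def demo() -> dict:
    before = {FIP: "192.168.1.10"}   # steps 1-3
    after  = {FIP: "192.168.1.11"}   # step 4: fip re-associated
    return {
        "intranet_before": traverse(before, RULE_INTRANET),  # True
        "intranet_after":  traverse(after, RULE_INTRANET),   # False: step 5
        "fip_rule":        traverse(before, RULE_FIP),       # False: DNAT already happened
        "origdst_before":  traverse(before, RULE_ORIGDST),   # True
        "origdst_after":   traverse(after, RULE_ORIGDST),    # True: survives re-association
    }
```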
Thanks for the report and the steps to repro; can you share config details and versions which experience the issue?