neutron

FWaaS v2 - incorrect shared rule check

Bug #1816740 reported by Salvatore Orlando
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Medium
Yushiro FURUKAWA

Bug Description

Reference: http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/db/firewall/v2/firewall_db_v2.py#n644

    def _check_if_rules_shared_for_policy_shared(self, context, fwp_db, fwp):
        if fwp['shared']:
            rules_in_db = fwp_db.rule_associations
            for entry in rules_in_db:
                fwr_db = self._get_firewall_rule(context,
                                                 entry.firewall_rule_id)
                if not fwp_db['shared']:
                    raise f_exc.FirewallPolicySharingConflict(
                        firewall_rule_id=fwr_db['id'],
                        firewall_policy_id=fwp_db['id'])

The logic above will always raise an exception if a policy is changed from not shared to shared. There is most likely a typo in:

if not fwp_db['shared']:

as it should be:

if not fwr_db['shared']:

Revision history for this message
Yushiro FURUKAWA (y-furukawa-2) wrote :

Thanks for filing a bug. Previously, I've been fixing such kind of bug.

Changed in neutron:
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Yushiro FURUKAWA (y-furukawa-2) wrote :

Like https://review.openstack.org/#/c/488438/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/638394

Changed in neutron:
assignee: Salvatore Orlando (salvatore-orlando) → Yushiro FURUKAWA (y-furukawa-2)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (master)

Reviewed: https://review.openstack.org/638394
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=9844e5e09cd10c45e7ec391a2f5af8b9fae1dd96
Submitter: Zuul
Branch: master

commit 9844e5e09cd10c45e7ec391a2f5af8b9fae1dd96
Author: Yushiro FURUKAWA <email address hidden>
Date: Thu Feb 21 20:01:56 2019 +0900

    Fix firewall rule 'shared' check in updating fwp

    This commit fixes 'shared' validation for existing firewall rules in
    updating firewall policy with 'non-shared' to 'shared'.

    Change-Id: I172632679f59e2aff79624753e1ef01f7ba1fdab
    Closes-Bug: #1816740

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/639573

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-fwaas 14.0.0.0b2

This issue was fixed in the openstack/neutron-fwaas 14.0.0.0b2 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (stable/rocky)

Reviewed: https://review.openstack.org/639573
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=2f55bd16ef070b0fc91d1b92591b399b6fd5802e
Submitter: Zuul
Branch: stable/rocky

commit 2f55bd16ef070b0fc91d1b92591b399b6fd5802e
Author: Yushiro FURUKAWA <email address hidden>
Date: Thu Feb 21 20:01:56 2019 +0900

    Fix firewall rule 'shared' check in updating fwp

    This commit fixes 'shared' validation for existing firewall rules in
    updating firewall policy with 'non-shared' to 'shared'.

    Change-Id: I172632679f59e2aff79624753e1ef01f7ba1fdab
    Closes-Bug: #1816740
    (cherry picked from commit 9844e5e09cd10c45e7ec391a2f5af8b9fae1dd96)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-fwaas 13.0.2

This issue was fixed in the openstack/neutron-fwaas 13.0.2 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.