FWaaS v2 fails to add ICMPv6 rules via horizon

Bug #1843025 reported by Lars Erik Pedersen
This bug affects 1 person
Affects: neutron
Status: In Progress
Importance: High
Assigned to: Brian Haley

Bug Description

In rocky, FWaaS v2 fails to add the correct ip6tables rules for ICMPv6.

Steps to reproduce:
* Create rule with Protocol ICMP, IP version 6 in horizon
* Add the rule to a policy, and make sure the firewall group with that policy is attached to a port
* Log in to the neutron network node that has the netns for your router and run ip6tables-save

Observe that your rule is added like:
-A neutron-l3-agent-iv63872a6fc -s 2001:db8:1d00:13::/64 -p icmp -j neutron-l3-agent-accepted

It should've added:
-A neutron-l3-agent-iv63872a6fc -s 2001:db8:1d00:13::/64 -p ipv6-icmp -j neutron-l3-agent-accepted

Ubuntu 18.04
neutron-l3-agent 2:13.0.4-0ubuntu1~cloud0
python-neutron-fwaas 1:13.0.2-0ubuntu1~cloud0

Tags: fwaas
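
The check from the steps above can be scripted. This is an added example, not part of the original report or of neutron-fwaas: it scans ip6tables-save output for rules that use -p icmp (IP protocol 1) in the IPv6 table, where ICMPv6 (ipv6-icmp, protocol 58) is needed for the rule to match. The function names, the second and third sample rules, and the namespace placeholder are assumptions.

```shell
#!/bin/sh
# Added example: flag ip6tables-save rules that match "-p icmp" (IPv4 ICMP,
# protocol 1) where ICMPv6 ("-p ipv6-icmp", protocol 58) was intended.

# find_icmp4_rules: read ip6tables-save output on stdin and print each
# offending rule as "<table>: <rule>". Returns 0 if any were found, else 1.
find_icmp4_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*filter" starts a table
        /^-A / {
            for (i = 1; i < NF; i++) {
                # -p / --protocol followed by "icmp" or its number, 1
                if (($i == "-p" || $i == "--protocol") &&
                    ($(i + 1) == "icmp" || $(i + 1) == "1")) {
                    print table ": " $0
                    found = 1
                    break
                }
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: the first rule is the one quoted in the report,
# the other two are made up for contrast.
sample_rules() {
    cat <<'EOF'
*filter
:neutron-l3-agent-iv63872a6fc - [0:0]
-A neutron-l3-agent-iv63872a6fc -s 2001:db8:1d00:13::/64 -p icmp -j neutron-l3-agent-accepted
-A neutron-l3-agent-iv63872a6fc -s 2001:db8:1d00:14::/64 -p ipv6-icmp -j neutron-l3-agent-accepted
-A neutron-l3-agent-iv63872a6fc -p tcp -m tcp --dport 22 -j neutron-l3-agent-accepted
COMMIT
EOF
}

# On a network node (the router id is a placeholder):
#   ip netns exec qrouter-<router-id> ip6tables-save | find_icmp4_rules
sample_rules | find_icmp4_rules
```

A non-zero exit status means no such rule was found in the dump that was read.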
Slawek Kaplonski (slaweq) wrote :

It seems that at least
neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/iptables_fwaas_v2.py should work fine if you have this patch:

https://github.com/openstack/neutron-fwaas/commit/fa48d16d694269b6b4245b90454448f8e9895ed8

Can you check what driver you are using and if you have this patch already?

tags: added: fwaas
Lars Erik Pedersen (pedersen-larserik) wrote :

I have this:
driver=neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver

So that's the same driver, right? In that case maybe it's fixed in Stein? (and in bug 1843025)

Lars Erik Pedersen (pedersen-larserik) wrote :

Errr, I meant bug 1799904 of course ^

Brian Haley (brian-haley) wrote :

Yes, it should be fixed in Stein. And I just cherry-picked it to stable/rocky, https://review.opendev.org/#/c/680753/

Changed in neutron:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Brian Haley (brian-haley)