The iptables rules are overwritten when adding a port to the FW group

Bug #1843359 reported by yuanshuo
Affects: neutron | Status: In Progress | Importance: Undecided | Assigned to: yuanshuo | Milestone: none

Bug Description

Create a firewall group with policies and one interface port.
The iptables chain neutron-l3-agent-FORWARD is:
Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
1000K 84M neutron-l3-agent-scope all -- * * 0.0.0.0/0 0.0.0.0/0
   31 2596 neutron-l3-agent-iv4c863a246 all -- * qr-82367b84-06 0.0.0.0/0 0.0.0.0/0
   31 2596 neutron-l3-agent-ov4c863a246 all -- qr-82367b84-06 * 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-fwaas-defau all -- * qr-82367b84-06 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-fwaas-defau all -- qr-82367b84-06 * 0.0.0.0/0 0.0.0.0/0

Now add one of the other ports using:
openstack firewall group set --port <port-id> <fwg>
The iptables chain neutron-l3-agent-FORWARD is now:
Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
1001K 84M neutron-l3-agent-scope all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-iv4c863a246 all -- * qr-59aa1514-36 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-ov4c863a246 all -- qr-59aa1514-36 * 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-fwaas-defau all -- * qr-59aa1514-36 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-fwaas-defau all -- qr-59aa1514-36 * 0.0.0.0/0 0.0.0.0/0

Tags: fwaas
yuanshuo (yush2009)
Changed in neutron:
assignee: nobody → yuanshuo (yush2009)
tags: added: fwaas
yuanshuo (yush2009)
information type: Private Security → Public
yuanshuo (yush2009)
Changed in neutron:
status: New → In Progress
Miguel Lavalle (minsel) wrote :

Thanks for your submission. Would you please provide more details:

1) What is the expected functionality, and how is the observed functionality different?

2) What version of FWaaS and Neutron are you using?

Changed in neutron:
status: In Progress → Incomplete
yuanshuo (yush2009) wrote :

1.
[root@test25g04 yuanshuo1]# openstack port list --network ys-network2 --device-owner network:router_interface
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------+--------+
| ID | Name | MAC Address | Fixed IP Addresses | Status |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------+--------+
| 59aa1514-3603-4f31-89e2-e004f0a11c1e | | fa:16:3e:8f:89:f3 | ip_address='192.168.1.1', subnet_id='b6e05212-a76a-4e34-aec7-7d99e485610b' | ACTIVE |
| 82367b84-064e-43e2-b907-b2bcddb1d5c3 | | fa:16:3e:7e:77:a3 | ip_address='192.168.2.1', subnet_id='588bfa7d-a1ff-4ba0-9b4f-9f2003c1c706' | ACTIVE |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------+--------+
First, create a firewall group with policies and one interface port, 82367b84-064e-43e2-b907-b2bcddb1d5c3.
Then add the port 59aa1514-3603-4f31-89e2-e004f0a11c1e to the firewall group; the following rules are overwritten:
Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
1000K 84M neutron-l3-agent-scope all -- * * 0.0.0.0/0 0.0.0.0/0
   31 2596 neutron-l3-agent-iv4c863a246 all -- * qr-82367b84-06 0.0.0.0/0 0.0.0.0/0
   31 2596 neutron-l3-agent-ov4c863a246 all -- qr-82367b84-06 * 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-fwaas-defau all -- * qr-82367b84-06 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-fwaas-defau all -- qr-82367b84-06 * 0.0.0.0/0 0.0.0.0/0
So the rules are no longer in effect for port 82367b84-064e-43e2-b907-b2bcddb1d5c3.
2. The version of FWaaS and Neutron is Stein.

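An added example, not code from the bug report or from neutron-fwaas: a small Python checker that parses the `iptables -L neutron-l3-agent-FORWARD -v -n` dump shown in the comment above and reports which firewall-group ports have lost their per-port rules. The chain dump embedded in the block is copied from the report (constructed test input); the interface-name derivation (`qr-` plus the first 11 characters of the port UUID, e.g. `qr-82367b84-06`) follows neutron's device naming, and the function names are this example's own, not neutron-fwaas APIs.

```python
# Constructed sample input: the neutron-l3-agent-FORWARD chain as dumped by
# `iptables -t filter -L neutron-l3-agent-FORWARD -v -n` after the second port
# was added to the firewall group (copied from the bug report above).
CHAIN_AFTER_ADD = """\
Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
1001K 84M neutron-l3-agent-scope all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-iv4c863a246 all -- * qr-59aa1514-36 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-ov4c863a246 all -- qr-59aa1514-36 * 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-fwaas-defau all -- * qr-59aa1514-36 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-fwaas-defau all -- qr-59aa1514-36 * 0.0.0.0/0 0.0.0.0/0
"""

# The two router interface ports from `openstack port list` in the report.
PORT_A = "82367b84-064e-43e2-b907-b2bcddb1d5c3"   # first port in the group
PORT_B = "59aa1514-3603-4f31-89e2-e004f0a11c1e"   # port added afterwards


def router_iface(port_id, prefix="qr-"):
    """Neutron names the router-side device as the prefix plus the first
    11 characters of the port UUID, e.g. qr-82367b84-06."""
    return prefix + port_id[:11]


def parse_chain(dump):
    """Return (target, in_iface, out_iface) for each rule line of an
    `iptables -L -v -n` chain dump, skipping the two header lines."""
    rules = []
    for line in dump.splitlines():
        fields = line.split()
        # Rule lines look like: pkts bytes target prot opt in out src dst
        if len(fields) < 9 or fields[0] in ("Chain", "pkts"):
            continue
        target, in_if, out_if = fields[2], fields[5], fields[6]
        rules.append((target, in_if, out_if))
    return rules


def fwaas_coverage(dump, port_ids):
    """For each port expected in the firewall group, list which of the four
    per-port jumps (ingress/egress policy chain, ingress/egress default
    chain) are missing from the FORWARD chain."""
    rules = parse_chain(dump)
    report = {}
    for port_id in port_ids:
        iface = router_iface(port_id)
        have = {
            # iv4<group> is jumped to for traffic *into* the router port
            "ingress_policy": any(t.startswith("neutron-l3-agent-iv") and o == iface
                                  for t, i, o in rules),
            # ov4<group> is jumped to for traffic *out of* the router port
            "egress_policy": any(t.startswith("neutron-l3-agent-ov") and i == iface
                                 for t, i, o in rules),
            "ingress_default": any(t.startswith("neutron-l3-agent-fwaas-defau") and o == iface
                                   for t, i, o in rules),
            "egress_default": any(t.startswith("neutron-l3-agent-fwaas-defau") and i == iface
                                  for t, i, o in rules),
        }
        report[port_id] = sorted(name for name, ok in have.items() if not ok)
    return report


def unprotected_ports(dump, port_ids):
    """Ports with no policy-chain jump in either direction: traffic through
    them bypasses the firewall group entirely."""
    return [p for p, missing in fwaas_coverage(dump, port_ids).items()
            if "ingress_policy" in missing and "egress_policy" in missing]


if __name__ == "__main__":
    for port, missing in fwaas_coverage(CHAIN_AFTER_ADD, [PORT_A, PORT_B]).items():
        print(port, "missing:", missing or "nothing")
    print("unprotected:", unprotected_ports(CHAIN_AFTER_ADD, [PORT_A, PORT_B]))
```

On the dump from the report, the checker flags 82367b84-064e-43e2-b907-b2bcddb1d5c3 as unprotected, which is exactly the symptom described: after the second port is added, only qr-59aa1514-36 has the four jumps and the first port's traffic no longer passes through the group's policy chains. Run it against a live node by piping the real `iptables -L neutron-l3-agent-FORWARD -v -n` output in place of the constructed string.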
yuanshuo (yush2009) wrote :

The version of FWaaS is python2-neutron-fwaas-14.0.0-1.el7.noarch.
The version of Neutron is openstack-neutron-14.0.2-1.el7.noarch.

yuanshuo (yush2009)
Changed in neutron:
assignee: yuanshuo (yush2009) → nobody
yuanshuo (yush2009)
Changed in neutron:
status: Incomplete → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (master)

Fix proposed to branch: master
Review: https://review.opendev.org/696753

Changed in neutron:
assignee: nobody → yuanshuo (yush2009)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-fwaas (master)

Change abandoned by yuanshuo (yush.2009@163.com) on branch: master
Review: https://review.opendev.org/696753

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (master)

Fix proposed to branch: master
Review: https://review.opendev.org/696766

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-fwaas (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/696766
Reason: As we are going to deprecate master branch in this project this patch is not needed anymore.
