FWaaSv2 configures iptables with invalid port name
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kolla-ansible | Invalid | Undecided | Unassigned |
neutron | New | Medium | Unassigned |
Bug Description
This might be a duplicate of:
https:/
however, I see the same issue with floating IPs and DVR, not just SNAT. This breaks the FWaaSv2 service, resulting in no filtering.
Deployment uses Kolla Ansible 8.0.1 (Stein) on CentOS, which installs neutron-fwaas from here:
http://
DVR is being used, but the issue appears to exist on both distributed routers and centralized routers on the network nodes (both qrouter and snat namespaces).
I am attaching a small bash script that creates a firewall rule, policy, and group to block TCP port 25 outbound. When this didn't work (outbound SMTP traffic was not blocked), I looked at the iptables rules on the network node and compute nodes.
These are the interfaces in the qrouter namespace of a test router that has the issue with fwaasv2:
2: rfp-3f6273be-
link/ether be:8b:2c:40:dc:e5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 169.254.125.2/31 scope global rfp-3f6273be-2
valid_lft forever preferred_lft forever
inet6 fe80::bc8b:
valid_lft forever preferred_lft forever
1118: qr-a418f15b-fa: <BROADCAST,
link/ether fa:16:3e:6f:fe:2c brd ff:ff:ff:ff:ff:ff
inet 192.168.99.254/24 brd 192.168.99.255 scope global qr-a418f15b-fa
valid_lft forever preferred_lft forever
inet6 fe80::f816:
valid_lft forever preferred_lft forever
This is the iptables config (iptables -S), with some notes injected:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-A INPUT -j neutron-
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-
-A neutron-filter-top -j neutron-
-A neutron-
# NOTE: These 4 rules have the wrong interface - note that "a418f15b-f" is
# the name of the qr interface, NOT the rfp interface (see above interface list):
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
# NOTE: These two rules use the correct interface names:
-A neutron-
-A neutron-
This obviously breaks FWaaSv2 pretty severely (iptables simply ignores the rules with the incorrect interface names).
The same issue occurs in the SNAT namespace...
The SNAT namespace interfaces:
1115: ha-8632c48f-29: <BROADCAST,
link/ether fa:16:3e:ee:dd:91 brd ff:ff:ff:ff:ff:ff
inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-8632c48f-29
valid_lft forever preferred_lft forever
inet6 fe80::f816:
valid_lft forever preferred_lft forever
1143: sg-8f9c085a-be: <BROADCAST,
link/ether fa:16:3e:3a:31:f8 brd ff:ff:ff:ff:ff:ff
1155: qg-8e38e9f5-28: <BROADCAST,
link/ether fa:16:3e:f9:3a:d3 brd ff:ff:ff:ff:ff:ff
The iptables (iptables -S) output - with notes injected:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-N neutron-
-A INPUT -j neutron-
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-
-A neutron-filter-top -j neutron-
-A neutron-
# NOTE: These 4 rules have the wrong interface - note that "a418f15b-fa" is
# the name of the qr interface, NOT the sg interface. It is actually the "rfp"
# interface from the qrouter namespace!
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
# NOTE: This rule has the correct interface name:
-A neutron-
FWaaSv2 is a pretty critical component, and I haven't found a patch that has been made after Stein (maybe I just didn't find it though).
Eric
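A check for the symptom described above, added here as an example and not part of the bug report or of the neutron or kolla-ansible code: compare every `-i`/`-o` name in `iptables -S` with the interfaces that `ip -o link` actually reports in the same namespace. iptables loads a rule that names a non-existent interface without complaint, and that rule then never matches, so nothing in the rule load tells you the filter is dead. The chain name `CONSTRUCTED-fwaas`, the interface `rfp-a418f15b-fa` in the two bad rules, and both sample outputs are constructed for the demonstration; run the script as root with namespace names (e.g. `qrouter-<id>` `snat-<id>`) to check a live node.

```python
#!/usr/bin/env python3
"""Flag iptables rules that name an interface absent from a router namespace.

iptables accepts -i/-o names it has never seen, so a rule built with the wrong
interface name loads cleanly and simply never matches. This script compares the
interfaces referenced by `iptables -S` with the ones `ip -o link` reports.
"""
import re
import shlex
import subprocess
import sys
from typing import List, Set, Tuple

# First field of each `ip -o link` line: "1118: qr-a418f15b-fa@if5: <BROADCAST,..."
_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)")
_IFACE_FLAGS = {"-i", "--in-interface", "-o", "--out-interface"}


def parse_interfaces(ip_link_output: str) -> Set[str]:
    """Interface names present in the namespace, parsed from `ip -o link` text."""
    names = set()
    for line in ip_link_output.splitlines():
        m = _LINK_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def rule_interfaces(rule: str) -> List[str]:
    """Interface names referenced by one `iptables -S` rule (-i/-o and long forms)."""
    toks = shlex.split(rule)
    return [toks[i + 1] for i, t in enumerate(toks)
            if t in _IFACE_FLAGS and i + 1 < len(toks)]


def interface_matches(pattern: str, names: Set[str]) -> bool:
    """iptables treats a trailing '+' as a prefix wildcard (e.g. 'qr-+')."""
    if pattern.endswith("+"):
        return any(n.startswith(pattern[:-1]) for n in names)
    return pattern in names


def find_dead_rules(iptables_s: str, ip_link_output: str) -> List[Tuple[str, str]]:
    """(rule, interface) for every -A rule whose interface does not exist in the namespace."""
    names = parse_interfaces(ip_link_output)
    dead = []
    for rule in iptables_s.splitlines():
        rule = rule.strip()
        if not rule.startswith("-A "):
            continue
        for ifname in rule_interfaces(rule):
            if not interface_matches(ifname, names):
                dead.append((rule, ifname))
    return dead


def check_namespace(ns: str) -> List[Tuple[str, str]]:
    """Live check: run iptables and ip inside the given network namespace (needs root)."""
    def run(*cmd: str) -> str:
        return subprocess.run(["ip", "netns", "exec", ns, *cmd],
                              check=True, capture_output=True, text=True).stdout
    return find_dead_rules(run("iptables", "-S"), run("ip", "-o", "link"))


# Constructed sample data, not taken from the bug report: the two "bad" rules name
# an interface (rfp-a418f15b-fa) that is not present in the sample namespace.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: rfp-3f6273be-2@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
1118: qr-a418f15b-fa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT
"""

SAMPLE_IPTABLES_S = """\
-P FORWARD ACCEPT
-N CONSTRUCTED-fwaas
-A FORWARD -j CONSTRUCTED-fwaas
-A CONSTRUCTED-fwaas -o rfp-a418f15b-fa -p tcp -m tcp --dport 25 -j DROP
-A CONSTRUCTED-fwaas -i rfp-a418f15b-fa -p tcp -m tcp --sport 25 -j DROP
-A CONSTRUCTED-fwaas -o rfp-3f6273be-2 -j ACCEPT
-A CONSTRUCTED-fwaas -i qr-+ -j ACCEPT
-A CONSTRUCTED-fwaas ! -i lo -m state --state INVALID -j DROP
"""


def main(argv: List[str]) -> int:
    if argv:  # namespace names, e.g. qrouter-<id> snat-<id>
        results = {ns: check_namespace(ns) for ns in argv}
    else:  # no arguments: run against the constructed sample
        results = {"(sample)": find_dead_rules(SAMPLE_IPTABLES_S, SAMPLE_IP_LINK)}
    for ns, dead in results.items():
        for rule, ifname in dead:
            print(f"{ns}: interface {ifname!r} does not exist, rule never matches: {rule}")
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

With no arguments the script reports the two constructed dead rules and exits non-zero; with namespace names it performs the same comparison on the live node, which is the quickest way to confirm the "no filtering" outcome without sending test traffic. The wildcard handling matters because neutron legitimately installs rules such as `-i qr-+`, which must not be reported as missing.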
tags: added: l3-dvr-backlog; removed: l3-ipam-dhcp
Attaching the script I mentioned that includes the commands that create the firewall rule, policy, and group.