The firewall group's function fails in the DVR scenario.

Bug #1872407 reported by yuanshuo
This bug affects 1 person
Affects: neutron | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Creating a firewall group with policies and 1 interface port.
[root@test25g04 yuanshuo1]# openstack firewall group show ys-normal-fw1
+-------------------+-------------------------------------------+
| Field | Value |
+-------------------+-------------------------------------------+
| Description | |
| Egress Policy ID | 0910e062-f961-45aa-928a-03cdc8725da9 |
| ID | f3b8441a-dcdb-457d-90bc-71571bffa155 |
| Ingress Policy ID | 9873dfd4-f235-463e-a246-67217ecdbdb0 |
| Name | ys-normal-fw1 |
| Ports | [u'ef283f14-ed0b-4dbb-bde4-2e08b66e73fc'] |
| Project | 17bf57ec04994db2b591fda36c368e99 |
| Shared | False |
| State | UP |
| Status | ACTIVE |
| created_at | 2020-04-13T03:10:10Z |
| project_id | 17bf57ec04994db2b591fda36c368e99 |
| revision_number | 7 |
| tags | [] |
| updated_at | 2020-04-13T03:55:04Z |
+-------------------+-------------------------------------------+
[root@test25g04 yuanshuo1]#
[root@test25g04 yuanshuo1]# ip netns exec snat-fd339f1d-2021-4ea0-9781-0f55a1992924 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
6806: ha-ff2aff44-1c: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:22:7e:32 brd ff:ff:ff:ff:ff:ff
    inet 169.254.195.185/18 brd 169.254.255.255 scope global ha-ff2aff44-1c
       valid_lft forever preferred_lft forever
    inet 169.254.0.73/24 scope global ha-ff2aff44-1c
       valid_lft forever preferred_lft forever
6811: sg-fa47642f-a8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:1a:06:64 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.164/24 scope global sg-fa47642f-a8
       valid_lft forever preferred_lft forever
6812: qg-6c7ac163-0b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:d0:1e:70 brd ff:ff:ff:ff:ff:ff
    inet 10.162.150.108/25 scope global qg-6c7ac163-0b
       valid_lft forever preferred_lft forever

The iptables chain neutron-l3-agent-FORWARD is:
Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
   21 1764 neutron-l3-agent-scope all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-iv4f3b8441a all -- * sg-ef283f14-ed 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-ov4f3b8441a all -- sg-ef283f14-ed * 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-fwaas-defau all -- * sg-ef283f14-ed 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-fwaas-defau all -- sg-ef283f14-ed * 0.0.0.0/0 0.0.0.0/0

But the interface sg-ef283f14-ed does not exist, so the firewall group's function fails in the DVR scenario.
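A quick diagnostic for the mismatch shown above, added here as an example and not part of the bug report: it parses the namespace's `ip a` listing and the `iptables -nvL` chain output and reports every rule whose in/out interface is absent from that namespace. The sample inputs are trimmed copies of the two listings in the report.

```python
import re

# Sample inputs trimmed from the report above: the snat namespace's
# "ip a" listing and the neutron-l3-agent-FORWARD chain (iptables -nvL).
IP_A_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
6806: ha-ff2aff44-1c: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
6811: sg-fa47642f-a8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
6812: qg-6c7ac163-0b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
"""

IPTABLES_OUTPUT = """\
Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
   21 1764 neutron-l3-agent-scope all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-iv4f3b8441a all -- * sg-ef283f14-ed 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-ov4f3b8441a all -- sg-ef283f14-ed * 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-fwaas-defau all -- * sg-ef283f14-ed 0.0.0.0/0 0.0.0.0/0
    0 0 neutron-l3-agent-fwaas-defau all -- sg-ef283f14-ed * 0.0.0.0/0 0.0.0.0/0
"""

# "6811: sg-fa47642f-a8: <...>" -> "sg-fa47642f-a8"; "ip_vti0@NONE" -> "ip_vti0"
IFACE_LINE = re.compile(r"^\d+: ([^:@\s]+)")


def namespace_interfaces(ip_a_output):
    """Return the set of interface names present in an `ip a` listing."""
    names = set()
    for line in ip_a_output.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            names.add(m.group(1))
    return names


def dangling_rules(iptables_output, interfaces):
    """Return (target, in, out) for each rule referencing an interface not in `interfaces`."""
    dangling = []
    for line in iptables_output.splitlines():
        cols = line.split()
        # Skip the "Chain ..." header and the column-name header; rule rows start with a counter.
        if len(cols) < 9 or not cols[0].isdigit():
            continue
        target, iface_in, iface_out = cols[2], cols[5], cols[6]
        # "*" is the iptables wildcard and never refers to a concrete interface.
        missing = [i for i in (iface_in, iface_out) if i != "*" and i not in interfaces]
        if missing:
            dangling.append((target, iface_in, iface_out))
    return dangling
```

Run against the real namespace with `ip netns exec <ns> ip a` and `ip netns exec <ns> iptables -nvL neutron-l3-agent-FORWARD`; any rule reported means the firewall group's chains can never match traffic in that namespace.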

Ryan Tidwell (ryan-tidwell) wrote :

What version of neutron/fwaas are you running? Do you have any logs from the l3 or ovs agent you could share?

tags: added: fwaas l3-dvr-backlog