[RFE] Firewall Group Ordering on Port Association

Bug #1979816 reported by Anthony
Affects: neutron
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

As detailed in https://bugs.launchpad.net/neutron/+bug/1978497

According to the fwaas-api-2.0 specification here: https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html

> packets will be allowed if any one of the firewall groups
> associated with that Neutron port allows the packet

This is not actually the case. If I am explicitly blocking a packet in group 1, but it would be passed by a broader statement in group 2, and the order of those groups flips, I am now passing that packet.

Therefore, firewall groups must be ordered on port associations such that the groups are evaluated in a consistent, predictable manner.

Tags: fwaas rfe
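A minimal model of the two evaluation semantics the report contrasts, added here as an illustration; it is not code from neutron-fwaas or from the reporter. The rule shape, per-group first-match, default deny, and the explicit position field of the proposed fix are assumptions, and the groups and packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    protocol: str             # "tcp", "udp" or "any"
    dest_port: Optional[int]  # None matches every destination port

    def matches(self, proto: str, port: int) -> bool:
        return (self.protocol in ("any", proto)
                and (self.dest_port is None or self.dest_port == port))

@dataclass(frozen=True)
class FirewallGroup:
    name: str
    rules: Tuple[Rule, ...]

    def verdict(self, proto: str, port: int) -> Optional[str]:
        # First matching rule inside a group wins; None means "no opinion" (assumed).
        for rule in self.rules:
            if rule.matches(proto, port):
                return rule.action
        return None

def any_allow(groups: Sequence[FirewallGroup], proto: str, port: int) -> str:
    """Spec wording: pass if any associated group allows the packet (order-free)."""
    return "allow" if any(g.verdict(proto, port) == "allow" for g in groups) else "deny"

def chained(groups: Sequence[FirewallGroup], proto: str, port: int) -> str:
    """Order-dependent chaining as the report describes: first match in association order decides, default deny."""
    for g in groups:
        v = g.verdict(proto, port)
        if v is not None:
            return v
    return "deny"

def chained_by_position(assoc: Sequence[Tuple[int, FirewallGroup]], proto: str, port: int) -> str:
    """Proposed fix (assumed shape): an explicit position per port association fixes the evaluation order."""
    return chained([g for _, g in sorted(assoc, key=lambda a: a[0])], proto, port)

# Constructed sample policy: group 1 explicitly blocks SSH, group 2 broadly allows TCP.
BLOCK_SSH = FirewallGroup("block-ssh", (Rule("deny", "tcp", 22),))
ALLOW_TCP = FirewallGroup("allow-tcp", (Rule("allow", "tcp", None),))

def compare_orderings(proto: str = "tcp", port: int = 22) -> dict:
    """Verdict for both association orders under both semantics."""
    orders = {"g1,g2": (BLOCK_SSH, ALLOW_TCP), "g2,g1": (ALLOW_TCP, BLOCK_SSH)}
    return {k: {"spec": any_allow(gs, proto, port), "chained": chained(gs, proto, port)}
            for k, gs in orders.items()}
```

Under the spec wording the SSH packet is allowed in either order; under chaining the verdict flips with the association order, which is exactly the inconsistency the RFE asks to remove by ordering the groups explicitly.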
Anthony (atimmins) changed the summary from "RFE: Firewall Group Ordering on Port Association" to "[RFE] Firewall Group Ordering on Port Association".

Lajos Katona (lajos-katona) wrote :

We discussed this RFE on the last Drivers meeting:
https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-07-08-14.00.log.html#l-54

The agreement was to have a spec where the current implementation's differences from the original spec (https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html) are listed and the details for the fix can be discussed.

tags: added: rfe
Anthony (atimmins) wrote :

I think the "Firewall Strata" solution documented in https://etherpad.opendev.org/p/fwaas-api-evolution-spec#L244 would resolve this bug. It's essentially the "firewall group position" on a port that I recommended during the last Drivers meeting.

Anthony (atimmins) wrote :

Spec created and submitted for review at https://review.opendev.org/c/openstack/neutron-specs/+/851607
