[FWaaS] Openstack Zed - firewall group status doesn't change to ACTIVE.

Bug #2009705 reported by Joao
Affects: neutron
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

Firewall group status doesn't change to ACTIVE. The same behavior occurs with the default firewall group.

$ openstack firewall group show 3e25ff35-65fc-4438-8684-806904186b8e
+-------------------+------------------------------------------+
| Field | Value |
+-------------------+------------------------------------------+
| Description | |
| Egress Policy ID | c17c818a-d6aa-4100-89f5-76e2d6cbb790 |
| ID | 3e25ff35-65fc-4438-8684-806904186b8e |
| Ingress Policy ID | 17d9d11c-ad69-4773-b853-db686da86994 |
| Name | |
| Ports | ['f890e2c4-019e-494d-bd77-04fcdd683b4c'] |
| Project | 1b0ab3547b42494096ac06400d65671a |
| Shared | False |
| State | UP |
| Status | INACTIVE |
| project_id | 1b0ab3547b42494096ac06400d65671a |
+-------------------+------------------------------------------+

$ openstack firewall group policy show c17c818a-d6aa-4100-89f5-76e2d6cbb790
+----------------+------------------------------------------+
| Field | Value |
+----------------+------------------------------------------+
| Audited | False |
| Description | |
| Firewall Rules | ['0cffb2ac-ab27-4b05-a853-b7f3f9472b3e'] |
| ID | c17c818a-d6aa-4100-89f5-76e2d6cbb790 |
| Name | block80 |
| Project | 1b0ab3547b42494096ac06400d65671a |
| Shared | False |
| project_id | 1b0ab3547b42494096ac06400d65671a |
+----------------+------------------------------------------+

$ openstack firewall group policy show 17d9d11c-ad69-4773-b853-db686da86994
+----------------+------------------------------------------+
| Field | Value |
+----------------+------------------------------------------+
| Audited | False |
| Description | |
| Firewall Rules | ['c9c0c1b6-2400-41e2-9c29-b3c1212f2470'] |
| ID | 17d9d11c-ad69-4773-b853-db686da86994 |
| Name | allowAll |
| Project | 1b0ab3547b42494096ac06400d65671a |
| Shared | False |
| project_id | 1b0ab3547b42494096ac06400d65671a |
+----------------+------------------------------------------+

$ openstack firewall group rule show 0cffb2ac-ab27-4b05-a853-b7f3f9472b3e
+------------------------+------------------------------------------+
| Field | Value |
+------------------------+------------------------------------------+
| Action | deny |
| Description | |
| Destination IP Address | 192.168.2.0/24 |
| Destination Port | 80 |
| Enabled | True |
| ID | 0cffb2ac-ab27-4b05-a853-b7f3f9472b3e |
| IP Version | 4 |
| Name | |
| Project | 1b0ab3547b42494096ac06400d65671a |
| Protocol | tcp |
| Shared | False |
| Source IP Address | None |
| Source Port | None |
| firewall_policy_id | ['c17c818a-d6aa-4100-89f5-76e2d6cbb790'] |
| project_id | 1b0ab3547b42494096ac06400d65671a |
+------------------------+------------------------------------------+

$ openstack firewall group rule show c9c0c1b6-2400-41e2-9c29-b3c1212f2470
+------------------------+------------------------------------------+
| Field | Value |
+------------------------+------------------------------------------+
| Action | allow |
| Description | |
| Destination IP Address | None |
| Destination Port | None |
| Enabled | True |
| ID | c9c0c1b6-2400-41e2-9c29-b3c1212f2470 |
| IP Version | 4 |
| Name | |
| Project | 1b0ab3547b42494096ac06400d65671a |
| Protocol | any |
| Shared | False |
| Source IP Address | None |
| Source Port | None |
| firewall_policy_id | ['17d9d11c-ad69-4773-b853-db686da86994'] |
| project_id | 1b0ab3547b42494096ac06400d65671a |
+------------------------+------------------------------------------+

$ openstack port show f890e2c4-019e-494d-bd77-04fcdd683b4c --max-width 90
+-------------------------+--------------------------------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | pr1-cmpi-05 |
| binding_profile | |
| binding_vif_details | bound_drivers.0='openvswitch', bridge_name='br-int', |
| | connectivity='l2', datapath_type='system', |
| | ovs_hybrid_plug='True', port_filter='True' |
| binding_vif_type | ovs |
| binding_vnic_type | normal |
| created_at | 2023-03-08T08:25:37Z |
| data_plane_status | None |
| description | |
| device_id | 3d623cee-b6ae-4b6f-ade8-320126bf9de2 |
| device_owner | network:ha_router_replicated_interface |
| device_profile | None |
| dns_assignment | None |
| dns_domain | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address='192.168.2.1', |
| | subnet_id='0ba0f7f0-f1d1-4ac1-8d01-6d38f1a92444' |
| id | f890e2c4-019e-494d-bd77-04fcdd683b4c |
| ip_allocation | None |
| mac_address | fa:16:3e:5b:06:a8 |
| name | |
| network_id | 3fc6a7af-a12e-4cd0-977e-6a413d7078ae |
| numa_affinity_policy | None |
| port_security_enabled | False |
| project_id | 1b0ab3547b42494096ac06400d65671a |
| propagate_uplink_status | None |
| qos_network_policy_id | None |
| qos_policy_id | None |
| resource_request | None |
| revision_number | 10 |
| security_group_ids | |
| status | ACTIVE |
| tags | |
| trunk_details | None |
| updated_at | 2023-03-08T11:56:03Z |
+-------------------------+--------------------------------------------------------------+

Environment detail:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal

$ pip3 list | egrep 'neutron|fwaas'
neutron 21.0.1.dev106
neutron-fwaas 17.0.0
neutron-lib 3.1.0
neutron-vpnaas 21.0.0
python-neutronclient 8.1.0

$ cat /etc/neutron/neutron.conf | egrep 'firewall|fwaas'
...
service_plugins = router, firewall_v2
...
[service_providers]
service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default
...

$ cat /etc/neutron/fwaas_driver.ini
[fwaas]
agent_version = v2
driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
enabled = true

$ cat /etc/neutron/plugins/ml2/ml2_conf.ini
[agent]
extensions = fwaas_v2
[fwaas]
firewall_l2_driver = noop
[ml2]
extension_drivers = port_security
mechanism_drivers = openvswitch,l2population
tenant_network_types = vxlan
type_drivers = flat,vlan,vxlan
[ml2_type_flat]
flat_networks = *
[ml2_type_vlan]
network_vlan_ranges = provider
[ml2_type_vxlan]
vni_ranges = 1:1000
vxlan_group = 239.1.1.1

$ cat /etc/neutron/l3_agent.ini
[AGENT]
extensions = fwaas_v2
[DEFAULT]
agent_mode = legacy
interface_driver = openvswitch
ovs_use_veth = true

$ cat /etc/neutron/plugins/ml2/openvswitch_agent.ini
[agent]
arp_responder = true
l2_population = true
tunnel_types = vxlan
[ovs]
bridge_mappings = provider:br-ex
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

Reference links:

https://docs.openstack.org/neutron/zed/admin/fwaas-v2-scenario.html
https://docs.openstack.org/releasenotes/neutron-fwaas/zed.html
https://specs.openstack.org/openstack/neutron-specs/specs/zed/fwaas-group-ordering.html
https://superuser.openstack.org/articles/openstack-firewall-as-a-service-fwaas-the-basics-and-a-quick-tutorial

https://bugs.launchpad.net/cloud-archive/+bug/1832450
https://bugs.launchpad.net/neutron/+bug/1836015
https://bugs.launchpad.net/ubuntu/+source/neutron-fwaas/+bug/1839477

Joao (jacpjr)
summary: - Openstack Zed - firewall group status doesn't change to ACTIVE.
+ [FWaaS ]Openstack Zed - firewall group status doesn't change to ACTIVE.
Slawek Kaplonski (slaweq) wrote :

Hi Joao,
Thx for reporting this issue. Do You maybe have any errors in Your neutron-server and/or neutron-l3 agent logs related to that fwaas thing?

Joao (jacpjr) wrote :

Hi Slawek,

I don't have any errors in neutron-server or neutron-l3, only info messages on neutron-l3 like this one:

2023-03-08 05:58:26.847 34 INFO neutron.agent.agent_extensions_manager [None req-59bd6ae2-6485-465a-a3bd-ae3fa60618ef - - - - - -] Loaded agent extensions: ['fwaas_v2']
2023-03-08 05:58:26.848 34 INFO neutron.agent.agent_extensions_manager [None req-59bd6ae2-6485-465a-a3bd-ae3fa60618ef - - - - - -] Initializing agent extension 'fwaas_v2'

ZhouHeng (zhouhenglc) wrote :

hi joao,
Do you have a fixed set of steps to reproduce this issue?

Joao (jacpjr) wrote :

Hi ZhouHeng,

Steps to reproduce:

- An openstack cluster using Openstack Zed Ubuntu images;
- Install FWaaS on neutron server with pip https://pypi.org/project/neutron-fwaas/;
- Enable FWaaS according to this document https://docs.openstack.org/neutron/zed/admin/fwaas-v2-scenario.html;
- Try to create rule/policy/group by CLI. I tried different ways ... I'll attach two files to use as an example of how I tried;

Joao (jacpjr) wrote :

Second file.

ZhouHeng (zhouhenglc) wrote :

Hi joao,
I tried your steps and couldn't reproduce it. Is this only a status issue? Is the actual firewall rule effective?

Joao (jacpjr) wrote :

Hello, ZhouHeng!

It's not only a status issue. The rule is not effective. I should be able to see the rules in iptables inside the router namespace, right? If so, I can't see them.

Joao (jacpjr) wrote :

Hello,

I found this as well:

neutron-server-7b84b4d478-888vx neutron-server 2023-03-22 09:16:13.009 10 DEBUG neutron_fwaas.services.firewall.service_drivers.agents.agents [None req-d0d7fae0-e5b5-40f6-bcb5-9de30ac2e329 4c4fa095aa9845a39cf75d4b9edf75e2 4ee2a61ce20f41c1b077d60de936cca8 - - - -] firewall 9a59c6cc-bb18-4560-956f-9532f8f033ba status set: INACTIVE set_firewall_group_status /var/lib/openstack/lib/python3.8/site-packages/neutron_fwaas/services/firewall/service_drivers/agents/agents.py:57

agents.py

 40     @log_helpers.log_method_call
 41     @db_api.CONTEXT_WRITER
 42     def set_firewall_group_status(self, context, fwg_id, status, **kwargs):
 43         """Agent uses this to set a firewall_group's status."""
 44         # Sanitize status first
 45         if status in (nl_constants.ACTIVE, nl_constants.DOWN,
 46                       nl_constants.INACTIVE):
 47             to_update = status
 48         else:
 49             to_update = nl_constants.ERROR
 50         # ignore changing status if firewall_group expects to be deleted
 51         # That case means that while some pending operation has been
 52         # performed on the backend, neutron server received delete request
 53         # and changed firewall status to PENDING_DELETE
 54         updated = self.firewall_db.update_firewall_group_status(
 55             context, fwg_id, to_update, not_in=(nl_constants.PENDING_DELETE,))
 56         if updated:
 57             LOG.debug("firewall %s status set: %s", fwg_id, to_update)
 58         return updated and to_update != nl_constants.ERROR

ZhouHeng (zhouhenglc) wrote :

Hi Joao, are there any logs in the l3 agent about "set status"?

Joao (jacpjr) wrote :

Hi,

Solution:

Add the following lines to l3_agent.ini:

[fwaas]
agent_version = v2
driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
enabled = true

Found an error message that helps with diagnosis:

2023-03-24 10:19:31.472 34 ERROR oslo_messaging.rpc.server [None req-c917b0a9-40b9-475d-b0ed-a82c35c81739 e7cefef0e39d4fc09f323cb91478060e ae3c4f4dd2dc439fa04e653d6741123a - - - -] Exception during message handling: AttributeError: 'L3WithFWaaS' object has no attribute 'fwaas_driver'
2023-03-24 10:19:31.472 34 ERROR oslo_messaging.rpc.server File "/var/lib/openstack/lib/python3.8/site-packages/neutron_fwaas/services/firewall/service_drivers/agents/l3reference/firewall_l3_agent_v2.py", line 445, in update_firewall_group
2023-03-24 10:19:31.472 34 ERROR oslo_messaging.rpc.server self.fwaas_driver.delete_firewall_group(self.conf.agent_mode,
2023-03-24 10:19:31.472 34 ERROR oslo_messaging.rpc.server AttributeError: 'L3WithFWaaS' object has no attribute 'fwaas_driver'

$ cat /var/lib/openstack/lib/python3.8/site-packages/neutron_fwaas/services/firewall/service_drivers/agents/l3reference/firewall_l3_agent_v2.py
...
403     @log_helpers.log_method_call
404     def update_firewall_group(self, context, firewall_group, host):
405         """Handles RPC from plugin to update a firewall group.
406         """
407
408         # Initialize firewall group status.
409         status = ""
410
411         # Get the list of in-namespace ports from which to delete the firewall
412         # group.
413         del_fwg_ports = self._get_firewall_group_ports(
414             context, firewall_group, to_delete=True, require_new_plugin=True)
415         add_fwg_ports = self._get_firewall_group_ports(context, firewall_group)
416
417         port_ids = (firewall_group.get('del-port-ids') +
418                     firewall_group.get('add-port-ids'))
419
420         if port_ids and not (del_fwg_ports or add_fwg_ports):
421             LOG.debug("All ports are not router port."
422                       "No need to update firewall driver.")
423             return
424
425         # Remove firewall group from ports if requested.
426         if del_fwg_ports:
427             fw_ports = [p for ri_port in del_fwg_ports for p in ri_port[1]]
428             LOG.debug("Update (delete) firewall group %(fwg_id)s on ports: "
429                       "%(ports)s",
430                       {'fwg_id': firewall_group['id'],
431                        'ports': ', '.join(fw_ports)})
432
433             # Set firewall group's status; will be overwritten if call to
434             # driver fails.
435
436             if firewall_group['admin_state_up']:
437                 status = nl_constants.ACTIVE
438                 if firewall_group['last-port']:
439                     status = nl_constants.INACTIVE
440             else:
441                 status = nl_constants.DOWN
442
443             # Call the driver.
444             try:
445                 self.fwaas_driver.delete_firewall_group(self.conf.agent_mode,
446                                                         del_fwg_ports,
447 ...

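The fix in the comment above is a configuration gap rather than a code bug: the L3 agent had `extensions = fwaas_v2` in `[AGENT]`, so the extension was loaded, but the `[fwaas]` section it reads its driver from lived only in `fwaas_driver.ini`, which the L3 agent does not read unless it is passed explicitly. The result was the `AttributeError: 'L3WithFWaaS' object has no attribute 'fwaas_driver'` traceback, and firewall groups stuck in INACTIVE with no iptables rules in the router namespace. The following check is an example added here, not code from neutron or neutron-fwaas: it parses an `l3_agent.ini`, and flags the case where `fwaas_v2` is enabled without a complete `[fwaas]` section. The two config texts are constructed from the reporter's files (the original without `[fwaas]`, and the same file with the section added); the `check_l3_agent_fwaas` function name and the set of keys it requires (`driver`, `enabled`, `agent_version`) are this example's own choices, taken from the section shown in the comment.

```python
"""Check an L3 agent config for the FWaaS v2 wiring described in this bug.

Added example, not part of neutron or neutron-fwaas. It checks that when the
fwaas_v2 agent extension is enabled, the [fwaas] section the extension needs
is present and complete in the same file the L3 agent reads.
"""
import configparser
from typing import List

# Constructed from the reporter's original l3_agent.ini: extension enabled,
# but no [fwaas] section, which is the misconfiguration behind the traceback.
BROKEN_L3_AGENT_INI = """
[AGENT]
extensions = fwaas_v2
[DEFAULT]
agent_mode = legacy
interface_driver = openvswitch
ovs_use_veth = true
"""

# Constructed: the same file with the [fwaas] section from the fix comment.
FIXED_L3_AGENT_INI = BROKEN_L3_AGENT_INI + """
[fwaas]
agent_version = v2
driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
enabled = true
"""


def _parse(text: str) -> configparser.ConfigParser:
    # oslo.config treats section names case-sensitively ([AGENT] vs [agent]);
    # configparser is case-sensitive for sections by default, so both spellings
    # are looked up explicitly below. Interpolation is off so '%' in values
    # (common in log format strings) does not raise.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _extensions(cp: configparser.ConfigParser, section: str) -> List[str]:
    """Split a comma-separated 'extensions' option into a list of names."""
    if not cp.has_section(section):
        return []
    raw = cp.get(section, "extensions", fallback="")
    return [e.strip() for e in raw.split(",") if e.strip()]


def check_l3_agent_fwaas(text: str) -> List[str]:
    """Return a list of problems found; an empty list means the wiring is complete."""
    cp = _parse(text)
    problems: List[str] = []

    exts = _extensions(cp, "AGENT") + _extensions(cp, "agent")
    if "fwaas_v2" not in exts:
        # Nothing else applies if the extension is never loaded.
        problems.append("fwaas_v2 is not listed in [AGENT] extensions")
        return problems

    if not cp.has_section("fwaas"):
        # This is the reporter's situation: the extension loads, but the
        # L3 agent has no driver configuration to build fwaas_driver from.
        problems.append("[fwaas] section missing: the L3 agent cannot build fwaas_driver")
        return problems

    if not cp.get("fwaas", "driver", fallback="").strip():
        problems.append("[fwaas] driver is not set")
    if cp.get("fwaas", "enabled", fallback="false").strip().lower() != "true":
        problems.append("[fwaas] enabled is not true")
    if cp.get("fwaas", "agent_version", fallback="").strip() != "v2":
        problems.append("[fwaas] agent_version is not v2")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_L3_AGENT_INI), ("fixed", FIXED_L3_AGENT_INI)):
        found = check_l3_agent_fwaas(text)
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
```

Run it against a real file with `check_l3_agent_fwaas(open("/etc/neutron/l3_agent.ini").read())`; an empty result means the section is present, and a non-empty one points at the same gap that produced the `fwaas_driver` AttributeError in this report.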

ZhouHeng (zhouhenglc)
Changed in neutron:
status: New → Invalid