[FWaaS ]Openstack Zed - firewall group status doesn't change to ACTIVE.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Invalid | Undecided | Unassigned |
Bug Description
Firewall group status doesn't change to ACTIVE. The same behavior with default firewall group.
$ openstack firewall group show 3e25ff35-
+------
| Field | Value |
+------
| Description | |
| Egress Policy ID | c17c818a-
| ID | 3e25ff35-
| Ingress Policy ID | 17d9d11c-
| Name | |
| Ports | ['f890e2c4-
| Project | 1b0ab3547b42494
| Shared | False |
| State | UP |
| Status | INACTIVE |
| project_id | 1b0ab3547b42494
+------
$ openstack firewall group policy show c17c818a-
+------
| Field | Value |
+------
| Audited | False |
| Description | |
| Firewall Rules | ['0cffb2ac-
| ID | c17c818a-
| Name | block80 |
| Project | 1b0ab3547b42494
| Shared | False |
| project_id | 1b0ab3547b42494
+------
$ openstack firewall group policy show 17d9d11c-
+------
| Field | Value |
+------
| Audited | False |
| Description | |
| Firewall Rules | ['c9c0c1b6-
| ID | 17d9d11c-
| Name | allowAll |
| Project | 1b0ab3547b42494
| Shared | False |
| project_id | 1b0ab3547b42494
+------
$ openstack firewall group rule show 0cffb2ac-
+------
| Field | Value |
+------
| Action | deny |
| Description | |
| Destination IP Address | 192.168.2.0/24 |
| Destination Port | 80 |
| Enabled | True |
| ID | 0cffb2ac-
| IP Version | 4 |
| Name | |
| Project | 1b0ab3547b42494
| Protocol | tcp |
| Shared | False |
| Source IP Address | None |
| Source Port | None |
| firewall_policy_id | ['c17c818a-
| project_id | 1b0ab3547b42494
+------
$ openstack firewall group rule show c9c0c1b6-
+------
| Field | Value |
+------
| Action | allow |
| Description | |
| Destination IP Address | None |
| Destination Port | None |
| Enabled | True |
| ID | c9c0c1b6-
| IP Version | 4 |
| Name | |
| Project | 1b0ab3547b42494
| Protocol | any |
| Shared | False |
| Source IP Address | None |
| Source Port | None |
| firewall_policy_id | ['17d9d11c-
| project_id | 1b0ab3547b42494
+------
$ openstack port show f890e2c4-
+------
| Field | Value |
+------
| admin_state_up | UP |
| allowed_
| binding_host_id | pr1-cmpi-05 |
| binding_profile | |
| binding_vif_details | bound_drivers.
| | connectivity='l2', datapath_
| | ovs_hybrid_
| binding_vif_type | ovs |
| binding_vnic_type | normal |
| created_at | 2023-03-
| data_plane_status | None |
| description | |
| device_id | 3d623cee-
| device_owner | network:
| device_profile | None |
| dns_assignment | None |
| dns_domain | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address=
| | subnet_
| id | f890e2c4-
| ip_allocation | None |
| mac_address | fa:16:3e:5b:06:a8 |
| name | |
| network_id | 3fc6a7af-
| numa_affinity_
| port_security_
| project_id | 1b0ab3547b42494
| propagate_
| qos_network_
| qos_policy_id | None |
| resource_request | None |
| revision_number | 10 |
| security_group_ids | |
| status | ACTIVE |
| tags | |
| trunk_details | None |
| updated_at | 2023-03-
+------
Environment detail:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal
$ pip3 list | egrep 'neutron|fwaas'
neutron 21.0.1.dev106
neutron-fwaas 17.0.0
neutron-lib 3.1.0
neutron-vpnaas 21.0.0
python-
$ cat /etc/neutron/
...
service_plugins = router, firewall_v2
...
[service_providers]
service_provider = FIREWALL_
...
$ cat /etc/neutron/
[fwaas]
agent_version = v2
driver = neutron_
enabled = true
$ cat /etc/neutron/
[agent]
extensions = fwaas_v2
[fwaas]
firewall_l2_driver = noop
[ml2]
extension_drivers = port_security
mechanism_drivers = openvswitch,
tenant_
type_drivers = flat,vlan,vxlan
[ml2_type_flat]
flat_networks = *
[ml2_type_vlan]
network_vlan_ranges = provider
[ml2_type_vxlan]
vni_ranges = 1:1000
vxlan_group = 239.1.1.1
$ cat /etc/neutron/
[AGENT]
extensions = fwaas_v2
[DEFAULT]
agent_mode = legacy
interface_driver = openvswitch
ovs_use_veth = true
$ cat /etc/neutron/
[agent]
arp_responder = true
l2_population = true
tunnel_types = vxlan
[ovs]
bridge_mappings = provider:br-ex
[securitygroup]
firewall_driver = neutron.
References links:
https:/
https:/
https:/
https:/
https:/
https:/
https:/
summary:
- Openstack Zed - firewall group status doesn't change to ACTIVE.
+ [FWaaS ]Openstack Zed - firewall group status doesn't change to ACTIVE.
Changed in neutron:
status: New → Invalid
Hi Joao,
Thx for reporting this issue. Do you maybe have any errors in your neutron-server and/or neutron-l3 agent logs related to that fwaas thing?