east and west traffic is not allowed/blocked with neutron fwaas v2

Bug #2073509 reported by Gökhan
Affects: neutron
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

When trying to block network traffic within the same subnet, it didn't work.

I will explain the details below:
1. First, create 2 networks and subnets.
   You can see the network details here: https://paste.openstack.org/show/bHMEmhQvqQQycaxuaHnW/

2. Create a router and connect the subnets to this router.
   You can see the router details here: https://paste.openstack.org/show/bEOg6PB17JAYY3U60kiU/

3. Create 3 VMs; 2 of them are in the same subnet.
   You can see the VM details here: https://paste.openstack.org/show/bXYQjlZ0mJwX6vYlVzgi/

4. Create firewall rules for blocking network traffic from the same subnet and from different subnets.
   You can see the firewall rule details here: https://paste.openstack.org/show/bgvvMLzNkteCbfTdvCqw/

5. Create ingress and egress firewall policies and add the rules.
   You can see the firewall policy details here: https://paste.openstack.org/show/bw69J4La6LctGRfULBnM/

6. Create a firewall group.
   You can see the firewall group details here: https://paste.openstack.org/show/bR3ZGqkmqz5QDo6L8NPa/

Result:
1. Firewall rules worked between different subnets. For example, in the rules ICMP traffic is blocked from 192.168.30.83 to 172.16.30.20; it worked as expected.
2. Firewall rules didn't work within the same subnet. For example, in the rules ICMP traffic is blocked from 192.168.30.83 to 92.168.30.175; it didn't work, we can still ping.

OpenStack Version: 2023.1
Linux Distro: Ubuntu 22.04
Neutron Plugin: ML2+OVS

Gökhan (skylightcoder)
tags: added: neutron-fwaas
summary: - east and west traffic is not allowed/blocked with neutron fwaa v2
+ east and west traffic is not allowed/blocked with neutron fwaas v2
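As an added illustration (not neutron-fwaas code, and not part of the report): a small Python model of the enforcement points a packet crosses, using the report's addresses. It shows why a firewall group bound only to router ports never sees same-subnet traffic, and why a group bound to a VM port has no effect while firewall_l2_driver is noop. The port naming, the default-allow for unmatched traffic and the direction semantics are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of where a neutron-fwaas v2 policy is enforced on a packet's path.
# Subnets and addresses come from the report; nothing here is neutron-fwaas code.
SUBNETS = [ipaddress.ip_network("192.168.30.0/24"), ipaddress.ip_network("172.16.30.0/24")]

def subnet_of(ip):
    addr = ipaddress.ip_address(ip)
    return next(n for n in SUBNETS if addr in n)

@dataclass
class Rule:
    protocol: str            # "icmp", "tcp", "udp" or "any"
    action: str              # "allow" or "deny"
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"

    def matches(self, proto, src, dst):
        in_src = ipaddress.ip_address(src) in ipaddress.ip_network(self.source, strict=False)
        in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination, strict=False)
        return self.protocol in ("any", proto) and in_src and in_dst

@dataclass
class FirewallGroup:
    ports: set               # assumed naming: "router:<subnet>" or "vm:<address>"
    ingress: list
    egress: list

def path(src, dst):
    """Enforcement points a packet crosses, in order. Router ports appear only
    when the destination is in another subnet; same-subnet traffic is switched at L2."""
    hops = [("vm:" + src, "egress")]
    if subnet_of(src) != subnet_of(dst):
        hops += [("router:%s" % subnet_of(src), "ingress"),
                 ("router:%s" % subnet_of(dst), "egress")]
    return hops + [("vm:" + dst, "ingress")]

def verdict(groups, proto, src, dst, l2_driver="noop"):
    """First matching rule wins; unmatched traffic is allowed (model simplification).
    With firewall_l2_driver = noop, groups bound to VM ports are never consulted."""
    for port, direction in path(src, dst):
        if port.startswith("vm:") and l2_driver == "noop":
            continue
        for g in groups:
            if port in g.ports:
                for rule in (g.ingress if direction == "ingress" else g.egress):
                    if rule.matches(proto, src, dst):
                        return rule.action
    return "allow"

deny_from_83 = Rule("icmp", "deny", source="192.168.30.83/32")
router_fw = FirewallGroup({"router:192.168.30.0/24", "router:172.16.30.0/24"}, [deny_from_83], [deny_from_83])
vm_fw = FirewallGroup({"vm:192.168.30.83"}, [deny_from_83], [deny_from_83])
```

With only router_fw, the cross-subnet ping is denied and the same-subnet ping is allowed exactly as the report observes; binding vm_fw changes the same-subnet result only when the L2 driver is something other than noop.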
Revision history for this message
Miro Tomaska (mtomaska) wrote :

Hi Gokhan,

I would have to set this up to confirm, but the reproduction steps are pretty clear, thank you. I am not an fwaas plugin expert, so I would have to first confirm whether this is perhaps an expected result? Same Linux bridge and hence no L3 needed? Just guessing.

Did this work for you in previous releases or is this the first time you are trying to set this up?
Also what is your overall goal? Why do you want to block traffic between VMs on the same subnet?

Revision history for this message
Gökhan (skylightcoder) wrote :

Hi Miro, this is the first time I am trying to use neutron fwaas. It seems neutron fwaas also has an L2 driver. In this demo it seems this setup should work: https://www.youtube.com/watch?v=9Wkym4BeM4M This is a customer request for us.
Maybe the problem is about the L2 driver, because the guide https://docs.openstack.org/neutron/latest/admin/fwaas-v2-scenario.html says to set the L2 driver to noop. So in my setup the L2 driver is noop. I will test it with ovs. https://github.com/openstack/neutron-fwaas/blob/master/setup.cfg#L51

Revision history for this message
Gökhan (skylightcoder) wrote :

Hi Miro again,
It didn't work again. When I use the VM port (compute:nova) for the firewalls, the firewall status hangs in pending create. I will share my configs below:

neutron.conf: https://paste.openstack.org/show/brNnRVdgUO6CtCYek1qw/

openvswitch.ini: https://paste.openstack.org/show/b42wdkBwgrzDHAA7WY89/

ml2.conf.ini: https://paste.openstack.org/show/bVSLmST1YAIzddRPIiSr/

l3_agent.ini: https://paste.openstack.org/show/bh12vPGYW96IgyxxMDJp/

Revision history for this message
Lajos Katona (lajos-katona) wrote :

Hi @Gökhan, I am trying to build an env where I can check your issue. In the meantime, could you please check and add here the relevant logs from where the fw status hangs after create?

Revision history for this message
Lajos Katona (lajos-katona) wrote (last edit ):

Could you also provide the commands you used for creating the fw rules etc.? In the pastes I see only the summary of the rules ....

Revision history for this message
Lajos Katona (lajos-katona) wrote :

Hi, I tried to reproduce the issue and:
* I got the same => I still can ping between instances on the same subnet.
* I am not sure if I really reproduced the issue you described.
* The status of my firewall group is Active (I am not sure whether, when you wrote "firewall status", you meant the firewall group).
There is one rule in your command outputs that is not listed: 363ae333-5ff2-412c-8739-976481ed0d78

Please provide the create commands for your reproduction; that makes it easier to be on the same page.
Note: I used the noop L2 driver for now (firewall_l2_driver = noop).

Revision history for this message
Gökhan (skylightcoder) wrote :

Hi Lajos,
Firewall status means the firewall group status. I am away and will share the commands and logs you requested tomorrow.

Revision history for this message
Gökhan (skylightcoder) wrote :

Hi Lajos,
I created a new test env with the same configs.
My commands are: https://paste.openstack.org/show/bgDFnB82l8wTvPu0eFUD/
neutron-server logs: https://paste.openstack.org/show/bsNqzqCOSwT8M9YN8s9X/

The firewall group is stuck in pending create status.

Revision history for this message
Gökhan (skylightcoder) wrote :

Hi Lajos, is there any progress on this?

Revision history for this message
Lajos Katona (lajos-katona) wrote :

Hi, I am back from PTO; I will check your logs.

Revision history for this message
ZhouHeng (zhouhenglc) wrote :

Hi Gokhan, can you provide the complete neutron openvswitch agent log?
