
yahoo-eng-team team mailing list archive

[Bug 1324417] [NEW] fwaas:shared firewall rule is not able to use when it is already attached in other tenant's firewall policy

 

Public bug reported:

DESCRIPTION:
A firewall rule shared by admin cannot be used in a tenant's firewall policy when the rule is already attached to another tenant's or admin's firewall policy.
Steps to Reproduce:
1. Create a firewall rule r1 as share = true from the admin tenant.
2. Create a firewall policy p1 and attach the above firewall rule r1 from the admin tenant.
3. Try to create a firewall policy from another tenant with the above firewall rule r1.
Actual Results:
The CLI throws an error as it's being in use and doesn't create the firewall policy.
 

root@IGA-OSC:~#  fwrc --protocol icmp --action deny --name a2 --shared
Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | deny                                 |
| description            |                                      |
| destination_ip_address |                                      |
| destination_port       |                                      |
| enabled                | True                                 |
| firewall_policy_id     |                                      |
| id                     | 15f3c1a8-f813-4809-ab44-00d12f7ff8ad |
| ip_version             | 4                                    |
| name                   | a2                                   |
| position               |                                      |
| protocol               | icmp                                 |
| shared                 | True                                 |
| source_ip_address      |                                      |
| source_port            |                                      |
| tenant_id              | 0ad385e00e97476e9456945c079a21ea     |
+------------------------+--------------------------------------+
root@IGA-OSC:~#  fwpc ap --firewall-rule a2
Created a new firewall_policy:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| audited        | False                                |
| description    |                                      |
| firewall_rules | 15f3c1a8-f813-4809-ab44-00d12f7ff8ad |
| id             | 800bea29-f165-421e-8e56-a0ec9af2bfc0 |
| name           | ap                                   |
| shared         | False                                |
| tenant_id      | 0ad385e00e97476e9456945c079a21ea     |
+----------------+--------------------------------------+
root@IGA-OSC:~# fwrs a2
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | deny                                 |
| description            |                                      |
| destination_ip_address |                                      |
| destination_port       |                                      |
| enabled                | True                                 |
| firewall_policy_id     | 800bea29-f165-421e-8e56-a0ec9af2bfc0 |
| id                     | 15f3c1a8-f813-4809-ab44-00d12f7ff8ad |
| ip_version             | 4                                    |
| name                   | a2                                   |
| position               | 1                                    |
| protocol               | icmp                                 |
| source_ip_address      |                                      |
| source_port            |                                      |
| tenant_id              | 0ad385e00e97476e9456945c079a21ea     |
+------------------------+--------------------------------------+

From other tenant
==============

root@IGA-OSC:~# fwpc p3 --firewall-rule a2
409-{u'NeutronError': {u'message': u'Firewall Rule 15f3c1a8-f813-4809-ab44-00d12f7ff8ad is being used.', u'type': u'FirewallRuleInUse', u'detail': u''}}

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: fwaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1324417

Title:
  fwaas:shared firewall rule is not able to use when it is already
  attached in other tenant's firewall policy

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1324417/+subscriptions
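
A minimal model of the behaviour reported above, added here as an illustration (it is not Neutron's code and not part of the original report). It assumes, from the single `firewall_policy_id` field in the rule output, that a rule records at most one policy; the class and method names, the tenant names and `FirewallRuleNotFound` are hypothetical.

```python
class FirewallRuleInUse(Exception):
    """Mirrors the error type shown in the 409 response."""


class FirewallRuleNotFound(Exception):
    """Hypothetical error for a rule the caller is not allowed to see."""


class FirewallModel:
    def __init__(self):
        self.rules = {}     # rule name -> attributes
        self.policies = {}  # policy name -> attributes

    def create_rule(self, tenant, name, shared=False):
        self.rules[name] = {"tenant_id": tenant, "shared": shared,
                            "firewall_policy_id": None}

    def create_policy(self, tenant, name, rule_names):
        for rn in rule_names:
            rule = self.rules.get(rn)
            # Visibility: a tenant sees its own rules and rules marked shared.
            if rule is None or not (rule["shared"] or rule["tenant_id"] == tenant):
                raise FirewallRuleNotFound(rn)
            # The in-use check looks only at the single policy slot, so the
            # shared flag cannot make the rule attachable a second time.
            if rule["firewall_policy_id"] is not None:
                raise FirewallRuleInUse(rn)
        for rn in rule_names:
            self.rules[rn]["firewall_policy_id"] = name
        self.policies[name] = {"tenant_id": tenant,
                               "firewall_rules": list(rule_names)}


def reproduce():
    """Replay the three steps from the report; return the outcome of step 3."""
    m = FirewallModel()
    m.create_rule("admin", "a2", shared=True)    # step 1 (constructed tenants)
    m.create_policy("admin", "ap", ["a2"])       # step 2
    try:
        m.create_policy("other", "p3", ["a2"])   # step 3
    except FirewallRuleInUse:
        return "FirewallRuleInUse"
    return "created"


if __name__ == "__main__":
    print(reproduce())
```
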

