yahoo-eng-team team mailing list archive
Message #24996
[Bug 1398267] [NEW] when restart the vpn and l3 agent, the firewall rule apply to all tenants' router.
Public bug reported:
Hi all:
When the vpn and l3 agents are restarted, the firewall rule is applied to all tenants' routers.
Steps:
1. Create a network and a router in tenants A and B.
2. Create a firewall in tenant A.
3. Restart the vpn and l3 agent services.
4. ip netns exec qrouter-B_router_uuid iptables -L -t filter -vn
Then I find the firewall rule in the chains neutron-l3-agent-FORWARD and
neutron-vpn-agen-FORWARD.
So I debugged the code and added some code in
neutron/services/firewall/agents/l3reference/firewall_l3_agent.py :
    def _process_router_add(self, ri):
        """On router add, get fw with rules from plugin and update driver."""
        LOG.debug(_("Process router add, router_id: '%s'"), ri.router['id'])
        routers = []
        routers.append(ri.router)
        router_info_list = self._get_router_info_list_for_tenant(
            routers,
            ri.router['tenant_id'])
        if router_info_list:
            # Get the firewall with rules
            # for the tenant the router is on.
            ctx = context.Context('', ri.router['tenant_id'])
            fw_list = self.fwplugin_rpc.get_firewalls_for_tenant(ctx)
            LOG.debug(_("Process router add, fw_list: '%s'"),
                      [fw['id'] for fw in fw_list])
            for fw in fw_list:
                # Added check: skip firewalls owned by another tenant.
                if fw['tenant_id'] == ri.router['tenant_id']:
                    self._invoke_driver_for_sync_from_plugin(
                        ctx,
                        router_info_list,
                        fw)
My neutron version is icehouse.
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1398267
Title:
when restart the vpn and l3 agent, the firewall rule apply to all
tenants' router.
Status in OpenStack Neutron (virtual network service):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1398267/+subscriptions
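
The tenant check that the report adds before the driver call, modelled stand-alone in Python together with an audit that flags cross-tenant application (an added example, not neutron code and not the reporter's code). It assumes, as the report's observation implies, that the plugin reply can contain firewalls from other tenants; the function names and the sample data are hypothetical.

```python
# Added example: constructed model of the agent-side tenant check.
# Not neutron code; all names and sample data here are hypothetical.

def firewalls_for_router(router, fw_list):
    """Keep only firewalls owned by the router's tenant (fail closed)."""
    tenant = router.get("tenant_id")
    if not tenant:
        return []
    return [fw for fw in fw_list if fw.get("tenant_id") == tenant]


def sync_on_restart(routers, plugin_fw_list, scoped):
    """Model the per-router sync after an agent restart.

    Returns {router_id: [ids of firewalls handed to the driver]}.
    scoped=False trusts the plugin reply as-is; scoped=True re-checks it.
    """
    applied = {}
    for router in routers:
        fws = plugin_fw_list
        if scoped:
            fws = firewalls_for_router(router, plugin_fw_list)
        applied[router["id"]] = [fw["id"] for fw in fws]
    return applied


def cross_tenant_leaks(routers, firewalls, applied):
    """Audit: (router_id, fw_id) pairs whose owning tenants differ."""
    router_owner = {r["id"]: r["tenant_id"] for r in routers}
    fw_owner = {f["id"]: f.get("tenant_id") for f in firewalls}
    return sorted(
        (rid, fid)
        for rid, fids in applied.items()
        for fid in fids
        if fw_owner.get(fid) != router_owner[rid]
    )


# Constructed data mirroring the report: routers in tenants A and B,
# one firewall in tenant A, and a plugin reply that is not tenant-scoped.
ROUTERS = [{"id": "router-A", "tenant_id": "tenant-A"},
           {"id": "router-B", "tenant_id": "tenant-B"}]
FIREWALLS = [{"id": "fw-A", "tenant_id": "tenant-A"}]

if __name__ == "__main__":
    for scoped in (False, True):
        applied = sync_on_restart(ROUTERS, FIREWALLS, scoped)
        print(scoped, applied, cross_tenant_leaks(ROUTERS, FIREWALLS, applied))
```

The audit function can be run as a regression check after any agent restart path: it needs only the owner of each router and firewall and the set of firewalls actually applied per router.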