← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1492142] [NEW] FWaaS: FIP namespace created after Firewall creation doesn't contains FW rules

 

Public bug reported:

L3 agent is set to "dvr_snat" mode.

Steps to reproduce:
1) Create security group rules
2) Boot nova instance
3) Create floating ip on public network and associate it to the nova instance
4) Create firewall rules
5) Create firewall policy with the above rules
6) Create firewall with the above policy

Expected Result:
Both SNAT and FIP namespaces should contain the FW rules

Observed Result:
Only SNAT namespace contains the FW rules while the FIP namespace doesn't

Impact:
Due to this, the packets transferred over the external network that are destined to this instance could bypass the firewall rules using the floating ip of the instance.

Following are the commands and their output:

demofw@devstack:~/devstack$ neutron router-show router1
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                                                                                                                                                                                      |
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                                                                                                                                                                                                       |
| external_gateway_info | {"network_id": "b162e6a0-ab7b-4a2f-8239-e06f1e13ccb5", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "4743e969-7a36-427e-86e0-908c767c9d12", "ip_address": "172.24.4.2"}, {"subnet_id": "8f59a96f-2a06-4973-bbf9-40ae143ec1df", "ip_address": "2001:db8::3"}]} |
| id                    | fb2f3983-7a9d-4bc7-812c-20f0c182ef1a                                                                                                                                                                                                                                       |
| name                  | router1                                                                                                                                                                                                                                                                    |
| routes                |                                                                                                                                                                                                                                                                            |
| status                | ACTIVE                                                                                                                                                                                                                                                                     |
| tenant_id             | b8e6948ab2394672b2fa603c75d02eda                                                                                                                                                                                                                                           |
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+


demofw@devstack:~/devstack$ neutron floatingip-create public --port-id 0d283e44-96e9-4f98-9db1-5f464f8163b8
Created a new floatingip:
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| fixed_ip_address    | 10.0.0.4                             |
| floating_ip_address | 172.24.4.5                           |
| floating_network_id | b162e6a0-ab7b-4a2f-8239-e06f1e13ccb5 |
| id                  | 278316a4-3aa4-4414-812c-b909823c5915 |
| port_id             | 0d283e44-96e9-4f98-9db1-5f464f8163b8 |
| router_id           | fb2f3983-7a9d-4bc7-812c-20f0c182ef1a |
| status              | DOWN                                 |
| tenant_id           | b8e6948ab2394672b2fa603c75d02eda     |
+---------------------+--------------------------------------+


demofw@devstack:~/devstack$ nova list
+--------------------------------------+------+--------+------------+-------------+-------------------------------------------------------------------+
| ID                                   | Name | Status | Task State | Power State | Networks                                                          |
+--------------------------------------+------+--------+------------+-------------+-------------------------------------------------------------------+
| 9194e3a1-4d15-4a13-a2bc-32609c1a5f23 | vm1  | ACTIVE | -          | Running     | private=fd54:320b:956:0:f816:3eff:fe85:8d8d, 10.0.0.4, 172.24.4.5 |
+--------------------------------------+------+--------+------------+-------------+-------------------------------------------------------------------+


demofw@devstack:~/devstack$ neutron firewall-rule-list
+--------------------------------------+-----------+--------------------------------------+----------------------+---------+
| id                                   | name      | firewall_policy_id                   | summary              | enabled |
+--------------------------------------+-----------+--------------------------------------+----------------------+---------+
| 4056da20-96f4-4504-91ac-252dd4b86c76 | deny-icmp | 75599732-0995-43d6-a859-6995b31a5115 | ICMP,                | True    |
|                                      |           |                                      |  source: none(none), |         |
|                                      |           |                                      |  dest: none(none),   |         |
|                                      |           |                                      |  deny                |         |
| b1f3b83f-6e34-49d6-92b0-f707e9e8ee1e | deny-http | 75599732-0995-43d6-a859-6995b31a5115 | TCP,                 | True    |
|                                      |           |                                      |  source: none(none), |         |
|                                      |           |                                      |  dest: none(80),     |         |
|                                      |           |                                      |  deny                |         |
| cba48aea-35ee-4c3b-80f0-d3799f13407f | allow-ssh | 75599732-0995-43d6-a859-6995b31a5115 | TCP,                 | True    |
|                                      |           |                                      |  source: none(none), |         |
|                                      |           |                                      |  dest: none(22),     |         |
|                                      |           |                                      |  allow               |         |
+--------------------------------------+-----------+--------------------------------------+----------------------+---------+


demofw@devstack:~/devstack$ neutron firewall-policy-list
+--------------------------------------+-----------+----------------------------------------+
| id                                   | name      | firewall_rules                         |
+--------------------------------------+-----------+----------------------------------------+
| 75599732-0995-43d6-a859-6995b31a5115 | policy-fw | [4056da20-96f4-4504-91ac-252dd4b86c76, |
|                                      |           |  b1f3b83f-6e34-49d6-92b0-f707e9e8ee1e, |
|                                      |           |  cba48aea-35ee-4c3b-80f0-d3799f13407f] |
+--------------------------------------+-----------+----------------------------------------+


demofw@devstack:~/devstack$ neutron firewall-show demo-fw
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 75599732-0995-43d6-a859-6995b31a5115 |
| id                 | 66560c40-9fe1-410b-98ea-9367145d6692 |
| name               | demo-fw                              |
| router_ids         | fb2f3983-7a9d-4bc7-812c-20f0c182ef1a |
| status             | ACTIVE                               |
| tenant_id          | b8e6948ab2394672b2fa603c75d02eda     |
+--------------------+--------------------------------------+


demofw@devstack:~/devstack$ ip netns
fip-b162e6a0-ab7b-4a2f-8239-e06f1e13ccb5
snat-fb2f3983-7a9d-4bc7-812c-20f0c182ef1a
qrouter-fb2f3983-7a9d-4bc7-812c-20f0c182ef1a
qdhcp-855d0284-89d6-4045-8355-367f97d408f3


demofw@devstack:~/devstack$ sudo ip netns exec snat-fb2f3983-7a9d-4bc7-812c-20f0c182ef1a iptables -L -n -v
Chain INPUT (policy ACCEPT 4 packets, 1284 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4  1284 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 2 packets, 168 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   168 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    2   168 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   168 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-iv466560c40  all  --  *      sg-+    0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-ov466560c40  all  --  sg-+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-fwaas-defau  all  --  *      sg-+    0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-fwaas-defau  all  --  sg-+   *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-fwaas-defau (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-iv466560c40 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-ov466560c40 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22


demofw@devstack:~/devstack$ sudo ip netns exec fip-b162e6a0-ab7b-4a2f-8239-e06f1e13ccb5 iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: fwaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1492142

Title:
  FWaaS: FIP namespace created after Firewall creation doesn't contains
  FW rules

Status in neutron:
  New

Bug description:
  L3 agent is set to "dvr_snat" mode.

  Steps to reproduce:
  1) Create security group rules
  2) Boot nova instance
  3) Create floating ip on public network and associate it to the nova instance
  4) Create firewall rules
  5) Create firewall policy with the above rules
  6) Create firewall with the above policy

  Expected Result:
  Both SNAT and FIP namespaces should contain the FW rules

  Observed Result:
  Only SNAT namespace contains the FW rules while the FIP namespace doesn't

  Impact:
  Due to this, the packets transferred over the external network that are destined to this instance could bypass the firewall rules using the floating ip of the instance.

  Following are the commands and their output:

  demofw@devstack:~/devstack$ neutron router-show router1
  +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | Field                 | Value                                                                                                                                                                                                                                                                      |
  +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | admin_state_up        | True                                                                                                                                                                                                                                                                       |
  | external_gateway_info | {"network_id": "b162e6a0-ab7b-4a2f-8239-e06f1e13ccb5", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "4743e969-7a36-427e-86e0-908c767c9d12", "ip_address": "172.24.4.2"}, {"subnet_id": "8f59a96f-2a06-4973-bbf9-40ae143ec1df", "ip_address": "2001:db8::3"}]} |
  | id                    | fb2f3983-7a9d-4bc7-812c-20f0c182ef1a                                                                                                                                                                                                                                       |
  | name                  | router1                                                                                                                                                                                                                                                                    |
  | routes                |                                                                                                                                                                                                                                                                            |
  | status                | ACTIVE                                                                                                                                                                                                                                                                     |
  | tenant_id             | b8e6948ab2394672b2fa603c75d02eda                                                                                                                                                                                                                                           |
  +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

  
  demofw@devstack:~/devstack$ neutron floatingip-create public --port-id 0d283e44-96e9-4f98-9db1-5f464f8163b8
  Created a new floatingip:
  +---------------------+--------------------------------------+
  | Field               | Value                                |
  +---------------------+--------------------------------------+
  | fixed_ip_address    | 10.0.0.4                             |
  | floating_ip_address | 172.24.4.5                           |
  | floating_network_id | b162e6a0-ab7b-4a2f-8239-e06f1e13ccb5 |
  | id                  | 278316a4-3aa4-4414-812c-b909823c5915 |
  | port_id             | 0d283e44-96e9-4f98-9db1-5f464f8163b8 |
  | router_id           | fb2f3983-7a9d-4bc7-812c-20f0c182ef1a |
  | status              | DOWN                                 |
  | tenant_id           | b8e6948ab2394672b2fa603c75d02eda     |
  +---------------------+--------------------------------------+

  
  demofw@devstack:~/devstack$ nova list
  +--------------------------------------+------+--------+------------+-------------+-------------------------------------------------------------------+
  | ID                                   | Name | Status | Task State | Power State | Networks                                                          |
  +--------------------------------------+------+--------+------------+-------------+-------------------------------------------------------------------+
  | 9194e3a1-4d15-4a13-a2bc-32609c1a5f23 | vm1  | ACTIVE | -          | Running     | private=fd54:320b:956:0:f816:3eff:fe85:8d8d, 10.0.0.4, 172.24.4.5 |
  +--------------------------------------+------+--------+------------+-------------+-------------------------------------------------------------------+

  
  demofw@devstack:~/devstack$ neutron firewall-rule-list
  +--------------------------------------+-----------+--------------------------------------+----------------------+---------+
  | id                                   | name      | firewall_policy_id                   | summary              | enabled |
  +--------------------------------------+-----------+--------------------------------------+----------------------+---------+
  | 4056da20-96f4-4504-91ac-252dd4b86c76 | deny-icmp | 75599732-0995-43d6-a859-6995b31a5115 | ICMP,                | True    |
  |                                      |           |                                      |  source: none(none), |         |
  |                                      |           |                                      |  dest: none(none),   |         |
  |                                      |           |                                      |  deny                |         |
  | b1f3b83f-6e34-49d6-92b0-f707e9e8ee1e | deny-http | 75599732-0995-43d6-a859-6995b31a5115 | TCP,                 | True    |
  |                                      |           |                                      |  source: none(none), |         |
  |                                      |           |                                      |  dest: none(80),     |         |
  |                                      |           |                                      |  deny                |         |
  | cba48aea-35ee-4c3b-80f0-d3799f13407f | allow-ssh | 75599732-0995-43d6-a859-6995b31a5115 | TCP,                 | True    |
  |                                      |           |                                      |  source: none(none), |         |
  |                                      |           |                                      |  dest: none(22),     |         |
  |                                      |           |                                      |  allow               |         |
  +--------------------------------------+-----------+--------------------------------------+----------------------+---------+

  
  demofw@devstack:~/devstack$ neutron firewall-policy-list
  +--------------------------------------+-----------+----------------------------------------+
  | id                                   | name      | firewall_rules                         |
  +--------------------------------------+-----------+----------------------------------------+
  | 75599732-0995-43d6-a859-6995b31a5115 | policy-fw | [4056da20-96f4-4504-91ac-252dd4b86c76, |
  |                                      |           |  b1f3b83f-6e34-49d6-92b0-f707e9e8ee1e, |
  |                                      |           |  cba48aea-35ee-4c3b-80f0-d3799f13407f] |
  +--------------------------------------+-----------+----------------------------------------+

  
  demofw@devstack:~/devstack$ neutron firewall-show demo-fw
  +--------------------+--------------------------------------+
  | Field              | Value                                |
  +--------------------+--------------------------------------+
  | admin_state_up     | True                                 |
  | description        |                                      |
  | firewall_policy_id | 75599732-0995-43d6-a859-6995b31a5115 |
  | id                 | 66560c40-9fe1-410b-98ea-9367145d6692 |
  | name               | demo-fw                              |
  | router_ids         | fb2f3983-7a9d-4bc7-812c-20f0c182ef1a |
  | status             | ACTIVE                               |
  | tenant_id          | b8e6948ab2394672b2fa603c75d02eda     |
  +--------------------+--------------------------------------+

  
  demofw@devstack:~/devstack$ ip netns
  fip-b162e6a0-ab7b-4a2f-8239-e06f1e13ccb5
  snat-fb2f3983-7a9d-4bc7-812c-20f0c182ef1a
  qrouter-fb2f3983-7a9d-4bc7-812c-20f0c182ef1a
  qdhcp-855d0284-89d6-4045-8355-367f97d408f3

  
  demofw@devstack:~/devstack$ sudo ip netns exec snat-fb2f3983-7a9d-4bc7-812c-20f0c182ef1a iptables -L -n -v
  Chain INPUT (policy ACCEPT 4 packets, 1284 bytes)
   pkts bytes target     prot opt in     out     source               destination         
      4  1284 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

  Chain FORWARD (policy ACCEPT 2 packets, 168 bytes)
   pkts bytes target     prot opt in     out     source               destination         
      2   168 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      2   168 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

  Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination         
      0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

  Chain neutron-filter-top (2 references)
   pkts bytes target     prot opt in     out     source               destination         
      2   168 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

  Chain neutron-l3-agent-FORWARD (1 references)
   pkts bytes target     prot opt in     out     source               destination         
      0     0 neutron-l3-agent-iv466560c40  all  --  *      sg-+    0.0.0.0/0            0.0.0.0/0           
      0     0 neutron-l3-agent-ov466560c40  all  --  sg-+   *       0.0.0.0/0            0.0.0.0/0           
      0     0 neutron-l3-agent-fwaas-defau  all  --  *      sg-+    0.0.0.0/0            0.0.0.0/0           
      0     0 neutron-l3-agent-fwaas-defau  all  --  sg-+   *       0.0.0.0/0            0.0.0.0/0           

  Chain neutron-l3-agent-INPUT (1 references)
   pkts bytes target     prot opt in     out     source               destination         

  Chain neutron-l3-agent-OUTPUT (1 references)
   pkts bytes target     prot opt in     out     source               destination         

  Chain neutron-l3-agent-fwaas-defau (2 references)
   pkts bytes target     prot opt in     out     source               destination         
      0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

  Chain neutron-l3-agent-iv466560c40 (1 references)
   pkts bytes target     prot opt in     out     source               destination         
      0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
      0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
      0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

  Chain neutron-l3-agent-local (1 references)
   pkts bytes target     prot opt in     out     source               destination         

  Chain neutron-l3-agent-ov466560c40 (1 references)
   pkts bytes target     prot opt in     out     source               destination         
      0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
      0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
      0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

  
  demofw@devstack:~/devstack$ sudo ip netns exec fip-b162e6a0-ab7b-4a2f-8239-e06f1e13ccb5 iptables -L -n -v
  Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination         
      0     0 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination         
      0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      0     0 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

  Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination         
      0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

  Chain neutron-filter-top (2 references)
   pkts bytes target     prot opt in     out     source               destination         
      0     0 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

  Chain neutron-l3-agent-FORWARD (1 references)
   pkts bytes target     prot opt in     out     source               destination         

  Chain neutron-l3-agent-INPUT (1 references)
   pkts bytes target     prot opt in     out     source               destination         

  Chain neutron-l3-agent-OUTPUT (1 references)
   pkts bytes target     prot opt in     out     source               destination         

  Chain neutron-l3-agent-local (1 references)
   pkts bytes target     prot opt in     out     source               destination

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1492142/+subscriptions


Follow ups