← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1671338] [NEW] Wrong ordered fw_rules when set them into fw_policy

 

Public bug reported:

There are 3 sample fw_rules in server. And I expect the order is tcp - ping - denyany
openstack firewall group rule list
+--------------------------------------+---------+---------+------------------------------------------------+
| ID                                   | Name    | Enabled | Summary                                        |
+--------------------------------------+---------+---------+------------------------------------------------+
| 563841d1-1ae7-4c74-9231-fab88d44a76c | denyany | True    | ANY,                                           |
|                                      |         |         |  source(port): none specified(none specified), |
|                                      |         |         |  dest(port): none specified(none specified),   |
|                                      |         |         |  deny                                          |
| ab93b257-9449-4545-b46b-8ec011df14e7 | ping    | True    | ICMP,                                          |
|                                      |         |         |  source(port): 1.1.1.1(none specified),        |
|                                      |         |         |  dest(port): none specified(none specified),   |
|                                      |         |         |  reject                                        |
| d53d4015-50e4-4fb2-ab0d-1f7231065012 | tcp     | True    | TCP,                                           |
|                                      |         |         |  source(port): 2.2.2.2(2222),                  |
|                                      |         |         |  dest(port): none specified(none specified),   |
|                                      |         |         |  deny                                          |
+--------------------------------------+---------+---------+------------------------------------------------+
Then I set them into fw_policy as my expect order.
openstack firewall group policy set test --firewall-rule tcp
openstack firewall group policy set test --firewall-rule ping
openstack firewall group policy set test --firewall-rule denyany

But I saw the order had changed and the backend driver will apply the rules in the wrong order.
openstack firewall group policy list
+--------------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------+
| ID                                   | Name | Firewall Rules                                                                                                              |
+--------------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------+
| 1b93f923-daff-40cc-8145-a3267769f26d | test | [u'563841d1-1ae7-4c74-9231-fab88d44a76c', u'ab93b257-9449-4545-b46b-8ec011df14e7', u'd53d4015-50e4-4fb2-ab0d-1f7231065012'] |
+--------------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------+


Currently, neutron-fwaas accept the arguments with full list of fw_rules on fw_policy create/update. So this must be a OSC bug.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1671338

Title:
  Wrong ordered fw_rules when set them into fw_policy

Status in neutron:
  New

Bug description:
  There are 3 sample fw_rules in server. And I expect the order is tcp - ping - denyany
  openstack firewall group rule list
  +--------------------------------------+---------+---------+------------------------------------------------+
  | ID                                   | Name    | Enabled | Summary                                        |
  +--------------------------------------+---------+---------+------------------------------------------------+
  | 563841d1-1ae7-4c74-9231-fab88d44a76c | denyany | True    | ANY,                                           |
  |                                      |         |         |  source(port): none specified(none specified), |
  |                                      |         |         |  dest(port): none specified(none specified),   |
  |                                      |         |         |  deny                                          |
  | ab93b257-9449-4545-b46b-8ec011df14e7 | ping    | True    | ICMP,                                          |
  |                                      |         |         |  source(port): 1.1.1.1(none specified),        |
  |                                      |         |         |  dest(port): none specified(none specified),   |
  |                                      |         |         |  reject                                        |
  | d53d4015-50e4-4fb2-ab0d-1f7231065012 | tcp     | True    | TCP,                                           |
  |                                      |         |         |  source(port): 2.2.2.2(2222),                  |
  |                                      |         |         |  dest(port): none specified(none specified),   |
  |                                      |         |         |  deny                                          |
  +--------------------------------------+---------+---------+------------------------------------------------+
  Then I set them into fw_policy as my expect order.
  openstack firewall group policy set test --firewall-rule tcp
  openstack firewall group policy set test --firewall-rule ping
  openstack firewall group policy set test --firewall-rule denyany

  But I saw the order had changed and the backend driver will apply the rules in the wrong order.
  openstack firewall group policy list
  +--------------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------+
  | ID                                   | Name | Firewall Rules                                                                                                              |
  +--------------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------+
  | 1b93f923-daff-40cc-8145-a3267769f26d | test | [u'563841d1-1ae7-4c74-9231-fab88d44a76c', u'ab93b257-9449-4545-b46b-8ec011df14e7', u'd53d4015-50e4-4fb2-ab0d-1f7231065012'] |
  +--------------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------+

  
  Currently, neutron-fwaas accept the arguments with full list of fw_rules on fw_policy create/update. So this must be a OSC bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1671338/+subscriptions


Follow ups