yahoo-eng-team team mailing list archive

[Bug 1712075] [NEW] [FWaaS v2] L3 agent restart breaks firewall iptables configuration for router ports

Public bug reported:

*Seen on:* Pike and master devstack with FWaaS v2

*Scenario:*
1. Create a deny_icmp rule, a policy, a fw group, and a security group with everything allowed.
2. Create 1 router, 2 subnets, and assign the fw group to the router ports.
3. Boot a VM in each subnet.
4. Check that the iptables rules are applied and that it is impossible to ping the VMs via floating IP or from the qrouter namespace.
5. Restart the L3 agent.

*Expected result:*
After the restart iptables rules are reapplied in the same way and the traffic is still blocked.

*Actual result:*
When a firewall group contains several ports, the iptables rules get rewritten for each port, and as a result only the chains for the last port in the loop remain.

Example scenario: http://paste.openstack.org/show/618908/

** Affects: neutron
     Importance: Undecided
     Assignee: Elena Ezhova (eezhova)
         Status: In Progress


** Tags: fwaas

** Changed in: neutron
     Assignee: (unassigned) => Elena Ezhova (eezhova)

** Tags added: fwaas

** Changed in: neutron
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1712075

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1712075/+subscriptions
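The failure mode the report describes, as an added example that is not part of the bug report and not neutron-fwaas code: a simplified model of an agent that rebuilds the whole chain set inside the per-port loop (so only the last port's chains survive) next to a version that builds the chain set once for all ports, plus a check that parses `iptables-save` output from the qrouter namespace and lists the router ports whose chains are missing. The chain naming scheme (`fw-in-`/`fw-out-` plus a port id prefix), the port ids and the generated `iptables-save` text are constructed for illustration; the real driver's chain names differ, so adapt `port_chain_names` before using the check against a live namespace.

```python
"""Model of the per-port rebuild bug from this report, plus a post-restart
check over iptables-save output from the qrouter namespace.

Added example, not neutron-fwaas code. Chain names, port ids and the
iptables-save text are constructed; the real driver names chains differently.
"""
import re

# Constructed firewall-group port ids (hypothetical).
ROUTER_PORTS = [
    "1a2b3c4d-0000-4000-8000-000000000001",
    "5e6f7a8b-0000-4000-8000-000000000002",
]


def port_chain_names(port_id):
    """Hypothetical per-port chain names: one ingress and one egress chain."""
    tag = port_id[:8]
    return ["fw-in-" + tag, "fw-out-" + tag]


def render_iptables_save(chains):
    """Render a minimal filter-table iptables-save dump declaring `chains`."""
    lines = ["*filter"]
    for name in chains:
        lines.append(":%s - [0:0]" % name)
    for name in chains:
        lines.append("-A %s -p icmp -j DROP" % name)
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def apply_firewall_buggy(ports):
    """Rebuild the whole chain set inside the per-port loop: each iteration
    discards the previous port's chains, so only the last port survives.
    This mirrors what the report observes after the L3 agent restart."""
    state = []
    for port in ports:
        state = []  # chain set wiped for every port
        state.extend(port_chain_names(port))
    return render_iptables_save(state)


def apply_firewall_fixed(ports):
    """Accumulate chains for every port of the group, then apply once."""
    state = []
    for port in ports:
        state.extend(port_chain_names(port))
    return render_iptables_save(state)


CHAIN_DECL = re.compile(r"^:(\S+) ")


def declared_chains(iptables_save_text):
    """Chain names declared in an iptables-save dump (':name - [0:0]' lines)."""
    names = set()
    for line in iptables_save_text.splitlines():
        m = CHAIN_DECL.match(line)
        if m:
            names.add(m.group(1))
    return names


def ports_missing_chains(iptables_save_text, ports):
    """Router ports for which at least one expected chain is absent."""
    present = declared_chains(iptables_save_text)
    return [p for p in ports
            if not all(c in present for c in port_chain_names(p))]


if __name__ == "__main__":
    # On a real host the dump would come from:
    #   ip netns exec qrouter-<router-id> iptables-save
    before = apply_firewall_fixed(ROUTER_PORTS)
    after_restart = apply_firewall_buggy(ROUTER_PORTS)
    print("missing before restart:", ports_missing_chains(before, ROUTER_PORTS))
    print("missing after restart: ", ports_missing_chains(after_restart, ROUTER_PORTS))
```

Run the check against the real namespace dump before and after restarting the L3 agent; a non-empty result after the restart is the symptom from this report, and, because the missing chains are the ones carrying the deny rule, it means the affected router port is passing the traffic the firewall group was supposed to block.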
