
yahoo-eng-team team mailing list archive

[Bug 1711391] Re: fwaas: rule isn't applied right after being added to policy

 

Reviewed:  https://review.openstack.org/494742
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=a9b2af91a75577a81c899fe540b90148a227d6ac
Submitter: Jenkins
Branch:    master

commit a9b2af91a75577a81c899fe540b90148a227d6ac
Author: Inessa Vasilevskaya <ivasilevskaya@xxxxxxxxxxxx>
Date:   Thu Aug 17 20:35:11 2017 +0000

    Update policy on rule addition/removal
    
    The problem was addressed by calling rpc_update_firewall_policy
    after insert/remove firewall rule.
    
    Added unit tests.
    
    Also added a covering scenario test, implemented
    insert_firewall_rule_in_policy / remove_firewall_rule_from_policy
    in tempest tester and performed minor cleanup of related code
    (unused parameter removal, commented code). Enforced validation
    of firewall_rule_id for rule insert/remove.
    
    Co-Authored-By: Elena Ezhova <eezhova@xxxxxxxxxxxx>
    Change-Id: I58eda38f70e5ed5b8867fbef05b7c9ccd7155f47
    Closes-Bug: #1711391


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1711391

Title:
  fwaas: rule isn't applied right after being added to policy

Status in neutron:
  Fix Released

Bug description:
  Seen on: pike and master devstack, fwaas_v2

  *Scenario:*

  1. Create an allow_icmp rule, a policy, a fw group, and a security group with all allowed.
  2. 1 router, 2 subnets, fw group assigned to router ports.
  3. Check that it is possible to ping VMs by floating IP or from the qrouter namespace.
  4. Remove the allow_icmp rule and add a deny_icmp rule to the policy.

  *Expected result:*

  Policy is updated and ICMP traffic is blocked

  *Actual result:*

  It is still possible to ping VMs by floating IP or from the qrouter namespace. The policy update doesn't trigger and the iptables rules in the qrouter namespace don't get updated.

  Update actually gets triggered only after any rule that is already in
  the policy gets updated.

  Example scenario: http://paste.openstack.org/show/618823/

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1711391/+subscriptions
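The failure mode above is a control-plane store being changed without the enforcement point being told. The following is an added, simplified model of that path (it is not neutron-fwaas code; `PolicyPlugin`, `L3Agent`, `associate_with_router` and `policy_drift` are stand-ins chosen here, and the rule/agent behaviour is reduced to a first-match list). It reproduces the scenario from the bug description with the pre-fix behaviour, shows the workaround the reporter observed (editing a rule already in the policy pushes it), shows the post-fix behaviour where insert/remove call the update, and adds a desired-vs-applied drift check of the kind an operator could run against a real deployment.

```python
"""Added model of bug 1711391: policy membership changes not pushed to the agent.

Not neutron-fwaas code. PolicyPlugin stands in for the plugin's policy store,
L3Agent for the L3 agent that renders the policy into iptables rules, and
rpc_update_firewall_policy for the RPC call the fix adds to insert/remove.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FirewallRule:
    name: str
    protocol: str
    action: str          # "allow" or "deny"
    enabled: bool = True


class L3Agent:
    """Stand-in for the agent side: it only knows the rule list it was last sent."""

    def __init__(self):
        self.applied_rules = []

    def update_firewall_policy(self, rules):
        # Models re-rendering iptables in the qrouter namespace from the pushed policy.
        self.applied_rules = [r for r in rules if r.enabled]

    def allows(self, protocol):
        # First matching rule wins; no match means the traffic is not permitted.
        for rule in self.applied_rules:
            if rule.protocol == protocol:
                return rule.action == "allow"
        return False


class PolicyPlugin:
    """Stand-in for the plugin's policy store. notify_on_membership_change selects
    the pre-fix (False) or post-fix (True) behaviour of insert/remove."""

    def __init__(self, agent, notify_on_membership_change):
        self.agent = agent
        self.rules = []
        self.notify_on_membership_change = notify_on_membership_change

    def rpc_update_firewall_policy(self):
        self.agent.update_firewall_policy(list(self.rules))

    def associate_with_router(self):
        # Assigning the firewall group to router ports always pushes the policy (assumed).
        self.rpc_update_firewall_policy()

    def insert_firewall_rule_in_policy(self, rule):
        self.rules.append(rule)
        if self.notify_on_membership_change:   # the call the fix adds
            self.rpc_update_firewall_policy()

    def remove_firewall_rule_from_policy(self, name):
        self.rules = [r for r in self.rules if r.name != name]
        if self.notify_on_membership_change:   # the call the fix adds
            self.rpc_update_firewall_policy()

    def update_firewall_rule(self, name, **changes):
        # Editing a rule already in the policy pushed the policy even before the fix.
        self.rules = [replace(r, **changes) if r.name == name else r for r in self.rules]
        self.rpc_update_firewall_policy()


def policy_drift(plugin):
    """Return (missing, stale): enabled rules the plugin holds that the agent has not
    applied, and rules the agent still enforces that the plugin no longer holds."""
    desired = {r for r in plugin.rules if r.enabled}
    applied = set(plugin.agent.applied_rules)
    return (sorted(r.name for r in desired - applied),
            sorted(r.name for r in applied - desired))


def reproduce(fixed, touch_existing_rule=False):
    """Walk the reporter's scenario; return (icmp_allowed, missing, stale)."""
    agent = L3Agent()
    plugin = PolicyPlugin(agent, notify_on_membership_change=fixed)
    plugin.insert_firewall_rule_in_policy(FirewallRule("allow_icmp", "icmp", "allow"))
    plugin.associate_with_router()                          # step 2: fw group on router ports
    assert agent.allows("icmp")                             # step 3: ping works
    plugin.remove_firewall_rule_from_policy("allow_icmp")   # step 4
    plugin.insert_firewall_rule_in_policy(FirewallRule("deny_icmp", "icmp", "deny"))
    if touch_existing_rule:
        # The reporter's observation: a no-op edit of a rule already in the policy
        # is what finally triggers the push.
        plugin.update_firewall_rule("deny_icmp", enabled=True)
    missing, stale = policy_drift(plugin)
    return agent.allows("icmp"), missing, stale


if __name__ == "__main__":
    print("pre-fix            :", reproduce(fixed=False))
    print("pre-fix + rule edit:", reproduce(fixed=False, touch_existing_rule=True))
    print("post-fix           :", reproduce(fixed=True))
```

The drift check is the operationally useful part: after any policy change, comparing what the API reports for the policy against what the agent has actually rendered catches this class of bug regardless of which code path forgot to notify.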

