yahoo-eng-team team mailing list archive
Message #67070
[Bug 1712075] Re: [FWaaS v2] L3 agent restart breaks firewall iptables configuration for router ports
Reviewed: https://review.openstack.org/495657
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=0fac0d515a0cf5696a37dcde4fb2fdff88a8b537
Submitter: Jenkins
Branch: master
commit 0fac0d515a0cf5696a37dcde4fb2fdff88a8b537
Author: Elena Ezhova <eezhova@xxxxxxxxxxxx>
Date: Mon Aug 21 01:08:13 2017 +0400
Fix router update on L3 agent restart
Currently on L3 agent restart the FWaaS L3 agent extension
_process_router_update iterates over all router ports and
triggers a firewall group update if a port belongs to it.
In the case when a firewall group contains several ports, iptables rules
get rewritten each time and as a result only the chains for
the last port in the loop remain.
With this change each firewall group is updated with the full
list of router ports that belong to it. Additionally, a refactor of
the _process_router_update method reduced its complexity and made
it more readable.
If a router appears to have ports associated with several
firewall groups, a warning is emitted.
Added a unit test.
Closes-Bug: #1712075
Change-Id: I251f4f50578cd10da904a56e1622c18f2adf2d18
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1712075
Title:
[FWaaS v2] L3 agent restart breaks firewall iptables configuration for
router ports
Status in neutron:
Fix Released
Bug description:
*Seen on:* Pike and master devstack with FWaaS v2
*Scenario:*
1. Create a deny_icmp rule, a policy, a firewall group, and a security group with everything allowed.
2. Create 1 router and 2 subnets, with the firewall group assigned to the router ports.
3. Boot a VM in each subnet.
4. Check that the iptables rules are applied and that it is impossible to ping the VMs by floating IP or from the qrouter namespace.
5. Restart the L3 agent.
*Expected result:*
After the restart the iptables rules are reapplied in the same way and the traffic is still blocked.
*Actual result:*
In the case when a firewall group contains several ports, the iptables rules get rewritten for each port and as a result only the chains for the last port in the loop remain.
Example scenario: http://paste.openstack.org/show/618908/
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1712075/+subscriptions
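The following is an added simulation of the failure mode this bug report and commit message describe, written for this page and not taken from neutron-fwaas. It models a firewall driver whose per-group update replaces that group's chains wholesale, runs the pre-fix per-port loop and the post-fix grouped update against one router with two ports in the same firewall group, and includes the check a practitioner would want after an agent restart: which ports that belong to a group have no chains installed. The class and function names, the port and group identifiers, and the replace-not-merge update semantics are assumptions made for illustration.

```python
"""Constructed simulation of Launchpad #1712075 (FWaaS v2, L3 agent restart).

Added example, not neutron-fwaas code: every name and every data value
below is an assumption made for illustration.
"""
import logging
from collections import defaultdict

LOG = logging.getLogger(__name__)


class FakeIptablesFirewall:
    """Stand-in for the FWaaS iptables driver.

    An update for a firewall group replaces that group's chains wholesale
    with chains for exactly the ports it is given. This replace-not-merge
    behaviour is what makes a per-port update loop lose earlier ports.
    """

    def __init__(self):
        self.chains = {}  # fwg_id -> set of port ids that currently have chains

    def update_firewall_group(self, fwg_id, port_ids):
        self.chains[fwg_id] = set(port_ids)


def buggy_process_router_update(firewall, router_ports, port_to_fwg):
    """Pre-fix shape: one update per port, each rewriting the group's chains."""
    for port_id in router_ports:
        fwg_id = port_to_fwg.get(port_id)
        if fwg_id is None:
            continue
        firewall.update_firewall_group(fwg_id, [port_id])


def fixed_process_router_update(firewall, router_ports, port_to_fwg):
    """Post-fix shape: collect every port per group, then update each group once.

    Returns the group -> ports mapping so callers (and tests) can inspect it.
    A router whose ports span several groups gets a warning, as the commit
    message describes.
    """
    fwg_to_ports = defaultdict(list)
    for port_id in router_ports:
        fwg_id = port_to_fwg.get(port_id)
        if fwg_id is not None:
            fwg_to_ports[fwg_id].append(port_id)
    if len(fwg_to_ports) > 1:
        LOG.warning("Router has ports in several firewall groups: %s",
                    sorted(fwg_to_ports))
    for fwg_id, port_ids in fwg_to_ports.items():
        firewall.update_firewall_group(fwg_id, port_ids)
    return dict(fwg_to_ports)


def unprotected_ports(firewall, router_ports, port_to_fwg):
    """Ports that belong to a firewall group but have no chains installed.

    After a restart this is the operational check: any port listed here is
    carrying traffic that the firewall group no longer filters.
    """
    return sorted(
        p for p in router_ports
        if p in port_to_fwg
        and p not in firewall.chains.get(port_to_fwg[p], set())
    )


# Constructed sample: the bug scenario, one router with two subnet ports
# (one per subnet) that both belong to the same firewall group.
ROUTER_PORTS = ["port-a", "port-b"]
PORT_TO_FWG = {"port-a": "fwg-1", "port-b": "fwg-1"}


def run_restart(process):
    """Simulate the agent coming up and re-processing the router once."""
    fw = FakeIptablesFirewall()
    process(fw, ROUTER_PORTS, PORT_TO_FWG)
    return fw


def chains_after(process):
    """Group -> sorted ports with chains, after one simulated restart."""
    fw = run_restart(process)
    return {k: sorted(v) for k, v in fw.chains.items()}


def main():
    logging.basicConfig(level=logging.WARNING)
    buggy = run_restart(buggy_process_router_update)
    print("buggy chains:", chains_after(buggy_process_router_update))
    print("buggy unprotected ports:",
          unprotected_ports(buggy, ROUTER_PORTS, PORT_TO_FWG))
    fixed = run_restart(fixed_process_router_update)
    print("fixed chains:", chains_after(fixed_process_router_update))
    print("fixed unprotected ports:",
          unprotected_ports(fixed, ROUTER_PORTS, PORT_TO_FWG))


if __name__ == "__main__":
    main()
```

With the per-port loop only port-b keeps chains, so port-a is reported as unprotected, which matches the report's observation that only the last port in the loop survives; the grouped update leaves both ports protected. Note that the simulation only reproduces the ordering effect; real chain contents and the driver's actual update semantics are outside what this page states.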