yahoo-eng-team team mailing list archive
Message #67370
[Bug 1716401] [NEW] FWaaS: Ip tables rules do not get updated in case of distributed virtual routers (DVR)
Public bug reported:
I have set up an HA/DVR deployment of OpenStack Pike on Ubuntu 16.04 and
enabled FWaaS v1. After applying the Fix from Bug #1715395, firewall
rules get created in case of HA/DVR, but updates do not have any effect,
e.g. when you disassociate a firewall from a distributed router.
Use Case:
1. Set up an HA/DVR deployment of OpenStack Pike.
2. Create a firewall rule.
$ neutron firewall-rule-create --name test-rule --protocol icmp --action reject
Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| action | reject |
| description | |
| destination_ip_address | |
| destination_port | |
| enabled | True |
| firewall_policy_id | |
| id | 6c2516cb-b69d-46b6-958e-e47c1cf1709e |
| ip_version | 4 |
| name | test-rule |
| position | |
| project_id | ed2d2efd86dd40e7a45491d8502318d3 |
| protocol | icmp |
| shared | False |
| source_ip_address | |
| source_port | |
| tenant_id | ed2d2efd86dd40e7a45491d8502318d3 |
+------------------------+--------------------------------------+
3. Create a firewall policy.
$ neutron firewall-policy-create --firewall-rules test-rule test-policy
Created a new firewall_policy:
+----------------+--------------------------------------+
| Field | Value |
+----------------+--------------------------------------+
| audited | False |
| description | |
| firewall_rules | 6c2516cb-b69d-46b6-958e-e47c1cf1709e |
| id | 53a8d733-e81c-4113-9354-d40b5b426e00 |
| name | test-policy |
| project_id | ed2d2efd86dd40e7a45491d8502318d3 |
| shared | False |
| tenant_id | ed2d2efd86dd40e7a45491d8502318d3 |
+----------------+--------------------------------------+
4. Create a firewall.
$ neutron firewall-create --name test-firewall test-policy
Created a new firewall:
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | 53a8d733-e81c-4113-9354-d40b5b426e00 |
| id | a468caca-c555-4f89-adbc-bcdbb06a3fca |
| name | test-firewall |
| project_id | ed2d2efd86dd40e7a45491d8502318d3 |
| router_ids | |
| status | INACTIVE |
| tenant_id | ed2d2efd86dd40e7a45491d8502318d3 |
+--------------------+--------------------------------------+
5. Assign the firewall to a distributed router.
$ neutron firewall-update --router demo-router test-firewall
Updated firewall: test-firewall
6. Spawn a virtual machine and assign a floating ip.
7. Check namespaces on the compute node hosting the virtual machine.
$ ip netns
fip-4a3959c3-b011-4bd0-8f4f-f405be92d9ac
qrouter-09a379b5-907f-4e3e-b29a-8701b82f2641
8. Check ip tables rules in the router's namespace.
$ ip netns exec qrouter-09a379b5-907f-4e3e-b29a-8701b82f2641 iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 40 packets, 2400 bytes)
pkts bytes target prot opt in out source destination
185 11100 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
185 11100 neutron-l3-agent-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
185 11100 neutron-l3-agent-local all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-FORWARD (1 references)
pkts bytes target prot opt in out source destination
185 11100 neutron-l3-agent-scope all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-iv465d8c835 all -- * rfp-+ 0.0.0.0/0 0.0.0.0/0
39 2340 neutron-l3-agent-ov465d8c835 all -- rfp-+ * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- * rfp-+ 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- rfp-+ * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0xffff
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9697
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-fwaas-defau (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-iv465d8c835 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain neutron-l3-agent-local (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-ov465d8c835 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
39 2340 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain neutron-l3-agent-scope (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * rfp-09a379b5-9 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000000/0xffff0000
0 0 DROP all -- * qr-2cd58562-ad 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000000/0xffff0000
9. Disassociate the firewall from the router.
$ neutron firewall-update --no-routers test-firewall
Updated firewall: test-firewall
10. Recheck ip tables rules within router's namespace.
$ ip netns exec qrouter-09a379b5-907f-4e3e-b29a-8701b82f2641 iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 127 packets, 7668 bytes)
pkts bytes target prot opt in out source destination
698 41976 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
698 41976 neutron-l3-agent-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
698 41976 neutron-l3-agent-local all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-FORWARD (1 references)
pkts bytes target prot opt in out source destination
698 41976 neutron-l3-agent-scope all -- * * 0.0.0.0/0 0.0.0.0/0
99 5988 neutron-l3-agent-iv465d8c835 all -- * rfp-+ 0.0.0.0/0 0.0.0.0/0
366 21960 neutron-l3-agent-ov465d8c835 all -- rfp-+ * 0.0.0.0/0 0.0.0.0/0
99 5988 neutron-l3-agent-fwaas-defau all -- * rfp-+ 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- rfp-+ * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0xffff
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9697
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-fwaas-defau (2 references)
pkts bytes target prot opt in out source destination
99 5988 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-iv465d8c835 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain neutron-l3-agent-local (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-ov465d8c835 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
366 21960 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain neutron-l3-agent-scope (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * rfp-09a379b5-9 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000000/0xffff0000
0 0 DROP all -- * qr-2cd58562-ad 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000000/0xffff0000
11. The iptables rule "0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable" is still active, although the firewall has been successfully disassociated from the distributed router.
$ neutron firewall-show test-firewall
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | 53a8d733-e81c-4113-9354-d40b5b426e00 |
| id | a468caca-c555-4f89-adbc-bcdbb06a3fca |
| name | test-firewall |
| project_id | ed2d2efd86dd40e7a45491d8502318d3 |
| router_ids | |
| status | INACTIVE |
| tenant_id | ed2d2efd86dd40e7a45491d8502318d3 |
+--------------------+--------------------------------------+
12. The "neutron-l3-agent.log" on the compute node does not contain any entries regarding FWaaS. Any updates of a firewall or of its policies and rules do not have any effect when using distributed virtual routers (DVR).
May someone please have a look?
** Affects: neutron
Importance: Undecided
Status: New
** Tags: fwaas l3-dvr-backlog l3-ha
** Summary changed:
- FWaaS: Ip tables rules do not get updated in case of distributed routers (DVR)
+ FWaaS: Ip tables rules do not get updated in case of distributed virtual routers (DVR)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1716401
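Steps 10 and 11 of the report show the condition an operator would want to catch automatically: FWaaS chains still carrying rules in a qrouter namespace whose firewall reports an empty router_ids. The following is an added example, not code from the bug report or from neutron; it parses `iptables -n -L -v` output and the `neutron firewall-show` table in the formats shown above and lists the leftover rules, using an excerpt of the step 10/11 output as its embedded sample input.

```python
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# FWaaS v1 installs its rules in these neutron-l3-agent chains; they should exist only while a firewall is applied
FWAAS_CHAIN_RE = re.compile(r"^neutron-l3-agent-(iv|ov|fwaas-defau)")

def _count(s):
    """iptables -v abbreviates large counters as 12K / 3M / 1G."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_iptables_listing(text):
    """Return {chain: [rule dict, ...]} from `iptables -n -L -v` output."""
    chains, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        m = CHAIN_RE.match(line.strip())
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and len(fields) >= 9 and fields[0] != "pkts":
            pkts, nbytes, target, prot = fields[:4]      # then opt, in, out, source, destination
            chains[current].append({"pkts": _count(pkts), "bytes": _count(nbytes),
                                    "target": target, "prot": prot,
                                    "in": fields[5], "out": fields[6],
                                    "extra": " ".join(fields[9:])})
    return chains

def router_ids_from_show(table_text):
    """Read the router_ids cell from a `neutron firewall-show` table."""
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] == "router_ids":
            return [r.strip() for r in cells[1].split(",") if r.strip()]
    raise ValueError("router_ids row not found")

def leftover_fwaas_rules(listing, show_table):
    """(chain, target, proto, pkts) for every rule still sitting in a FWaaS
    chain although the firewall has no routers; [] means consistent state.
    A non-zero pkts value shows the stale rule is still matching traffic."""
    if router_ids_from_show(show_table):
        return []  # firewall still attached: the rules are expected
    return [(name, r["target"], r["prot"], r["pkts"])
            for name, rules in parse_iptables_listing(listing).items()
            if FWAAS_CHAIN_RE.match(name) for r in rules]

# Excerpt of the report's step 10 listing and step 11 table, copied from above.
LISTING_AFTER_DISASSOCIATE = """\
Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
   99  5988 neutron-l3-agent-iv465d8c835  all  --  *      rfp-+   0.0.0.0/0  0.0.0.0/0
Chain neutron-l3-agent-fwaas-defau (2 references)
 pkts bytes target     prot opt in     out     source               destination
   99  5988 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain neutron-l3-agent-ov465d8c835 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0  state INVALID
  366 21960 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0  reject-with icmp-port-unreachable
"""
SHOW_AFTER_DISASSOCIATE = "| router_ids         |                                      |\n"
```

Run against live output with `ip netns exec <qrouter-ns> iptables -n -L -v` and `neutron firewall-show <fw>`; a non-empty result reproduces the report's finding.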