yahoo-eng-team team mailing list archive

[Bug 1770575] [NEW] FWG status will be overridden by multiple L2 agents

 

Public bug reported:

Currently, we support applying a fwg to VM ports and router ports. So we go
deep into the L2 and L3 agent implementations to process the ports associated
with a fwg.

For this bug, I will raise an example:

Server side set fwg status
--------------------------------
http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/services/firewall/fwaas_plugin_v2.py#n79

L3 agent FW extension for "create_firewall_group"
------------------------------------
http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/services/firewall/agents/l3reference/firewall_l3_agent_v2.py#n387

L2 agent FW extension for "_create_firewall_group"
------------------------------------
http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/services/firewall/agents/l2/fwaas_v2.py#n263

That means there is a case where the fwg status could be overridden.
1. Port A and port B are in the same subnet, and its gw port is GW.
2. Port A is VM A's nic, Port B is VM B's nic.
3. VM A is located on compute Node X, VM B is located on compute Node Y.
4. Create a FWG and its ingress/egress policy/rules with port A, B, GW.

So the server side will fan out the RPC to the agent side, including the
L2/L3 agents. Then the agent side will process its local ports and set the fwg
status through RPC to the server. But the existing server code just updates
the status if the requested status is not a PENDING status. This is the
wrong way to process the status: if there are 2 RPCs to set the status from
agent to server, the first one ERROR and the second one ACTIVE, the
status is overridden.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: fwaas

** Tags added: fwaas

https://bugs.launchpad.net/bugs/1770575
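
The status handling described in the report, modelled as an added example that is not part of the original bug report or of neutron-fwaas. The class names, agent names and the per-agent aggregation are assumptions made for illustration, and the sequence of reports is constructed.

```python
# Added illustration; all names are hypothetical, this is not neutron-fwaas code.
ACTIVE, ERROR, PENDING_CREATE = "ACTIVE", "ERROR", "PENDING_CREATE"
PENDING = {"PENDING_CREATE", "PENDING_UPDATE", "PENDING_DELETE"}


class LastWriterWinsServer:
    """Behaviour described in the report: any non-PENDING report overwrites."""

    def __init__(self):
        self.status = PENDING_CREATE

    def set_status(self, agent, status):
        if status not in PENDING:
            self.status = status  # the reporting agent is ignored
        return self.status


class PerAgentServer:
    """One possible alternative: keep each agent's report and aggregate."""

    def __init__(self, expected_agents):
        self.expected = set(expected_agents)
        self.reports = {}
        self.status = PENDING_CREATE

    def set_status(self, agent, status):
        if status not in PENDING:
            self.reports[agent] = status
        if ERROR in self.reports.values():
            self.status = ERROR  # one failed agent keeps the group in ERROR
        elif self.expected <= set(self.reports):
            self.status = ACTIVE  # every expected agent reported ACTIVE
        else:
            self.status = PENDING_CREATE  # still waiting for some agents
        return self.status


def replay(server, reports):
    """Feed constructed (agent, status) RPC reports to a server model."""
    for agent, status in reports:
        server.set_status(agent, status)
    return server.status


# Constructed sample: node X fails to apply rules, node Y and the L3 agent succeed.
REPORTS = [("l2-node-X", ERROR), ("l2-node-Y", ACTIVE), ("l3-gw", ACTIVE)]
AGENTS = [agent for agent, _ in REPORTS]

if __name__ == "__main__":
    print("last writer wins:", replay(LastWriterWinsServer(), REPORTS))
    print("per-agent aggregate:", replay(PerAgentServer(AGENTS), REPORTS))
```

With the last-writer-wins model the group ends up ACTIVE even though port A on node X has no working rules, which is the misleading state an operator would see.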
