
yahoo-eng-team team mailing list archive

[Bug 1798577] [NEW] [FWaas-DVR]wrong port name in iptables rules


Public bug reported:

Bug description:
In DVR mode, when we bind a FWG to a gateway port, the port names (sg port and rfp port) in the iptables rules are wrong.


Steps:
1. Create a firewall group named fw.
2. Create a router (id: 0cbd237f-358a-4c27-8047-c50e1f7201e7) and add a subnet's gateway port (id: b013ad9f-b11f-4fd4-b458-490e3da38527) to this router.
3. Bind FWG fw to the gateway port (b013ad9f-b11f-4fd4-b458-490e3da38527).


Here is my environment:
[root@vm ~]# openstack firewall group show fw
+-------------------+-------------------------------------------+
| Field             | Value                                     |
+-------------------+-------------------------------------------+
| Description       |                                           |
| Egress Policy ID  | c907b32c-b2e8-4e7f-a38a-64e5f9f11942      |
| ID                | deb36e9f-0908-43c7-a51d-9a71b97fc756      |
| Ingress Policy ID | 3996f090-8e8d-48c5-a3de-4ba2c88ff935      |
| Name              | fw                                        |
| Ports             | [u'b013ad9f-b11f-4fd4-b458-490e3da38527'] |
| Project           | 9355437b66f64e8999e30978a7b3c33c          |
| Shared            | False                                     |
| State             | UP                                        |
| Status            | ACTIVE                                    |
| project_id        | 9355437b66f64e8999e30978a7b3c33c          |
+-------------------+-------------------------------------------+

[root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 ip a
2: rfp-0cbd237f-3@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 6e:22:a5:20:18:20 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.106.114/31 scope global rfp-0cbd237f-3
       valid_lft forever preferred_lft forever
109: qr-b013ad9f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:c5:cf:73 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global qr-b013ad9f-b1
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fec5:cf73/64 scope link 
       valid_lft forever preferred_lft forever

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 ip a
110: sg-66024492-92: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:85:3b:0a brd ff:ff:ff:ff:ff:ff


Below is the wrong part; please focus on the 'sg-' port name and the 'rfp-' port name:

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-fwaas-defau

[root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-fwaas-defau


We can see that the 'sg-' port name and the 'rfp-' port name are different from the correct names.
The correct names are below:

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o sg-66024492-92 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i sg-66024492-92 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o sg-66024492-92 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i sg-66024492-92 -j neutron-l3-agent-fwaas-defau

[root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o rfp-0cbd237f-3 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i rfp-0cbd237f-3 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o rfp-0cbd237f-3 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i rfp-0cbd237f-3 -j neutron-l3-agent-fwaas-defau

I have checked the code of the l3-agent: the 'sg-' port name comes
from the port id of the snat_interface, and the 'rfp-' port name comes from
the router id.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1798577
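The naming rule the reporter describes, and a check that exposes the symptom on a node, as an added example (not from the report and not neutron's or neutron-fwaas's own code). It assumes neutron builds a device name as prefix plus UUID truncated to 14 characters, which is consistent with every name shown above; the sample `ip a` and `iptables -S` text is copied from the report, with `-P`/`-N` lines added so it looks like real `iptables -S` output. The security point it makes concrete: a FORWARD rule whose `-i`/`-o` names an interface that does not exist in the namespace can never match, so traffic on the real sg-/rfp- device is never steered into the firewall group chains.

```python
"""Find FWaaS iptables rules bound to interfaces that do not exist in the
router namespaces (the symptom in bug 1798577).

Added example, not neutron code. Assumption: neutron names a device
"<prefix><uuid>" and truncates it to DEV_NAME_LEN characters.
"""
import re
from typing import List, Set, Tuple

DEV_NAME_LEN = 14  # assumption: neutron's device-name length cap

# Identifiers taken from the report.
ROUTER_ID = "0cbd237f-358a-4c27-8047-c50e1f7201e7"
GATEWAY_PORT_ID = "b013ad9f-b11f-4fd4-b458-490e3da38527"

# `ip a` inside the qrouter-/snat- namespaces (trimmed from the report).
QROUTER_IP_A = """\
2: rfp-0cbd237f-3@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 6e:22:a5:20:18:20 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.106.114/31 scope global rfp-0cbd237f-3
109: qr-b013ad9f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:c5:cf:73 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global qr-b013ad9f-b1
"""
SNAT_IP_A = """\
110: sg-66024492-92: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:85:3b:0a brd ff:ff:ff:ff:ff:ff
"""

# `iptables -S` as observed (wrong names); -P/-N lines are constructed filler.
QROUTER_IPTABLES_BAD = """\
-P FORWARD ACCEPT
-N neutron-l3-agent-FORWARD
-A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-fwaas-defau
"""
# The same rules with the correct rfp- name derived from the router id.
QROUTER_IPTABLES_GOOD = QROUTER_IPTABLES_BAD.replace("rfp-b013ad9f-b", "rfp-0cbd237f-3")
SNAT_IPTABLES_BAD = """\
-A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-ov4deb36e9f
"""

_DEV_LINE = re.compile(r"^\d+:\s+([^:@\s]+)", re.MULTILINE)   # "2: rfp-...@if13:"
_IFACE_OPT = re.compile(r"(?<!\S)-[io]\s+(\S+)")               # "-i dev" / "-o dev"


def device_name(prefix: str, ident: str) -> str:
    """Name neutron gives a device: prefix + id, cut to DEV_NAME_LEN."""
    return (prefix + ident)[:DEV_NAME_LEN]


def namespace_devices(ip_addr_output: str) -> Set[str]:
    """Interface names present in `ip a` output; drops the '@ifN' veth peer suffix."""
    return set(_DEV_LINE.findall(ip_addr_output))


def iptables_interfaces(iptables_s_output: str) -> List[Tuple[str, str]]:
    """(rule, interface) for every -i/-o option in `iptables -S` output."""
    found = []
    for rule in iptables_s_output.splitlines():
        for iface in _IFACE_OPT.findall(rule):
            found.append((rule, iface))
    return found


def dangling_rules(ip_addr_output: str, iptables_s_output: str) -> List[Tuple[str, str]]:
    """(interface, rule) pairs whose interface is absent from the namespace.

    Such a rule can never match, so packets on the real device never reach
    the FWG chains (iv4*/ov4*/fwaas-defau) the rule jumps to.
    """
    present = namespace_devices(ip_addr_output)
    return [(iface, rule) for rule, iface in iptables_interfaces(iptables_s_output)
            if iface not in present]


if __name__ == "__main__":
    # The wrong names are exactly "<prefix><gateway port id>" cut to 14 chars.
    print(device_name("sg-", GATEWAY_PORT_ID), device_name("rfp-", GATEWAY_PORT_ID))
    # The correct rfp- name comes from the router id instead.
    print(device_name("rfp-", ROUTER_ID))
    for ns, ip_a, rules in (("qrouter", QROUTER_IP_A, QROUTER_IPTABLES_BAD),
                            ("snat", SNAT_IP_A, SNAT_IPTABLES_BAD)):
        for iface, rule in dangling_rules(ip_a, rules):
            print(f"{ns}: no device {iface!r} for rule: {rule}")
```

On a live node, feed `ip netns exec <ns> ip a` and `ip netns exec <ns> iptables -S` into `dangling_rules` for each qrouter-/snat- namespace; any hit means a firewall group rule that is silently not enforced.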
