yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #75308
[Bug 1798577] [NEW] [FWaas-DVR]wrong port name in iptables rules
Public bug reported:
Bug description:
In DVR model, when we bind a FWG on a gateway port, the port names(sg port and rfp port) in iptables rules are wrong.
Steps:
1.create a firewall group named fw
2.create a router(id:0cbd237f-358a-4c27-8047-c50e1f7201e7),add a subnet's gateway port(id:b013ad9f-b11f-4fd4-b458-490e3da38527) to this router
3.bind FWG fw on gateway port (b013ad9f-b11f-4fd4-b458-490e3da38527)
Here is my environment:
[root@vm ~]# openstack firewall group show fw
+-------------------+-------------------------------------------+
| Field | Value |
+-------------------+-------------------------------------------+
| Description | |
| Egress Policy ID | c907b32c-b2e8-4e7f-a38a-64e5f9f11942 |
| ID | deb36e9f-0908-43c7-a51d-9a71b97fc756 |
| Ingress Policy ID | 3996f090-8e8d-48c5-a3de-4ba2c88ff935 |
| Name | fw |
| Ports | [u'b013ad9f-b11f-4fd4-b458-490e3da38527'] |
| Project | 9355437b66f64e8999e30978a7b3c33c |
| Shared | False |
| State | UP |
| Status | ACTIVE |
| project_id | 9355437b66f64e8999e30978a7b3c33c |
+-------------------+-------------------------------------------+
[root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 ip a
2: rfp-0cbd237f-3@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 6e:22:a5:20:18:20 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 169.254.106.114/31 scope global rfp-0cbd237f-3
valid_lft forever preferred_lft forever
109: qr-b013ad9f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
link/ether fa:16:3e:c5:cf:73 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global qr-b013ad9f-b1
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fec5:cf73/64 scope link
valid_lft forever preferred_lft forever
[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 ip a
110: sg-66024492-92: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
link/ether fa:16:3e:85:3b:0a brd ff:ff:ff:ff:ff:ff
Below is the wrong place, please focus on the name of 'sg-'port name and 'rfp-' port name:
[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-fwaas-defau
[root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-fwaas-defau
We can see 'sg-' port name and 'rfp-' port name are different from the correct names.
The correct name is below:
[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o sg-66024492-92 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i sg-66024492-92 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o sg-66024492-92 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i sg-66024492-92 -j neutron-l3-agent-fwaas-defau
[root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o rfp-0cbd237f-3 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i rfp-0cbd237f-3 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o rfp-0cbd237f-3 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i rfp-0cbd237f-3 -j neutron-l3-agent-fwaas-defau
I have checked the code of l3-agent, the name of 'sg-' port name comes
from the port id of snat_interface, and 'rfp-' port name comes from
router id.
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1798577
Title:
[FWaas-DVR]wrong port name in iptables rules
Status in neutron:
New
Bug description:
Bug description:
In DVR model, when we bind a FWG on a gateway port, the port names(sg port and rfp port) in iptables rules are wrong.
Steps:
1.create a firewall group named fw
2.create a router(id:0cbd237f-358a-4c27-8047-c50e1f7201e7),add a subnet's gateway port(id:b013ad9f-b11f-4fd4-b458-490e3da38527) to this router
3.bind FWG fw on gateway port (b013ad9f-b11f-4fd4-b458-490e3da38527)
Here is my environment:
[root@vm ~]# openstack firewall group show fw
+-------------------+-------------------------------------------+
| Field | Value |
+-------------------+-------------------------------------------+
| Description | |
| Egress Policy ID | c907b32c-b2e8-4e7f-a38a-64e5f9f11942 |
| ID | deb36e9f-0908-43c7-a51d-9a71b97fc756 |
| Ingress Policy ID | 3996f090-8e8d-48c5-a3de-4ba2c88ff935 |
| Name | fw |
| Ports | [u'b013ad9f-b11f-4fd4-b458-490e3da38527'] |
| Project | 9355437b66f64e8999e30978a7b3c33c |
| Shared | False |
| State | UP |
| Status | ACTIVE |
| project_id | 9355437b66f64e8999e30978a7b3c33c |
+-------------------+-------------------------------------------+
[root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 ip a
2: rfp-0cbd237f-3@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 6e:22:a5:20:18:20 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 169.254.106.114/31 scope global rfp-0cbd237f-3
valid_lft forever preferred_lft forever
109: qr-b013ad9f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
link/ether fa:16:3e:c5:cf:73 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global qr-b013ad9f-b1
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fec5:cf73/64 scope link
valid_lft forever preferred_lft forever
[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 ip a
110: sg-66024492-92: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
link/ether fa:16:3e:85:3b:0a brd ff:ff:ff:ff:ff:ff
Below is the wrong place, please focus on the name of 'sg-'port name and 'rfp-' port name:
[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-fwaas-defau
[root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-fwaas-defau
We can see 'sg-' port name and 'rfp-' port name are different from the correct names.
The correct name is below:
[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o sg-66024492-92 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i sg-66024492-92 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o sg-66024492-92 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i sg-66024492-92 -j neutron-l3-agent-fwaas-defau
[root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o rfp-0cbd237f-3 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i rfp-0cbd237f-3 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o rfp-0cbd237f-3 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i rfp-0cbd237f-3 -j neutron-l3-agent-fwaas-defau
I have checked the code of l3-agent, the name of 'sg-' port name comes
from the port id of snat_interface, and 'rfp-' port name comes from
router id.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1798577/+subscriptions
Follow ups
