yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #75318
[Bug 1798713] [NEW] [fwaas]wrong judgment in _is_supported_by_fw_l2_driver method
Public bug reported:
Bug description:
the scenario:security group is enabled and its firewall_driver = openvswitch, fwaas is enabled and its firewall_l2_driver = noop(default).
If I create a new vm, default FWG will be bound on this vm's port automatically. However, firewall_l2_driver = noop and I don't want to use fwaas in L2.
This bug is caused by the judgment in _is_supported_by_fw_l2_driver method.
My environment is below:
[root@vm neutron]# cat plugins/ml2/openvswitch_agent.ini
[securitygroup]
firewall_driver = openvswitch
enable_security_group = true
[root@vm neutron]# cat l3_agent.ini
[DEFAULT]
verbose = true
interface_driver = openvswitch
agent_mode = dvr_snat
[agent]
extensions = fwaas_v2
[fwaas]
agent_version = v2
driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
enabled = True
Steps:
Create a new vm(port id: e822d587-5a4d-4124-9c31-a113d773cea8)
Then default firewall group was bound on vm's port automatically:
[root@vm neutron]# openstack firewall group show 7a5265b4-e69b-4633-af34-2224a10c1e90
+-------------------+-------------------------------------------+
| Field | Value |
+-------------------+-------------------------------------------+
| Description | Default firewall group |
| Egress Policy ID | 1747c29b-0a7c-4bda-b362-8e9870a96724 |
| ID | 7a5265b4-e69b-4633-af34-2224a10c1e90 |
| Ingress Policy ID | 5d3cfbff-7c84-4c55-85b4-170cdbc09c35 |
| Name | default |
| Ports | [u'e822d587-5a4d-4124-9c31-a113d773cea8'] |
| Project | 9355437b66f64e8999e30978a7b3c33c |
| Shared | False |
| State | UP |
| Status | ACTIVE |
| project_id | 9355437b66f64e8999e30978a7b3c33c |
+-------------------+-------------------------------------------+
Here is every scenario of security group and fwaas:
|ID|firewall_l2_driver | security_group | _is_supported_by_fw_l2_driver|
|:-|:------------------|:---------------|:-----------------------------|
|1 |noop | openvswitch | True |
|2 |noop | others(*1) | False|
|3 |openvswitch | openvswitch | False |
|4 |openvswitch | others | True|
The correct is as follows:
|firewall_l2_driver | security_group | _is_supported_by_fw_l2_driver|
|:------------------|:---------------|:-----------------------------|
|noop | openvswitch | False|
|noop | others(*1) | False|
|openvswitch | openvswitch | False |
|openvswitch | others | True |
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1798713
Title:
[fwaas]wrong judgment in _is_supported_by_fw_l2_driver method
Status in neutron:
New
Bug description:
Bug description:
the scenario:security group is enabled and its firewall_driver = openvswitch, fwaas is enabled and its firewall_l2_driver = noop(default).
If I create a new vm, default FWG will be bound on this vm's port automatically. However, firewall_l2_driver = noop and I don't want to use fwaas in L2.
This bug is caused by the judgment in _is_supported_by_fw_l2_driver method.
My environment is below:
[root@vm neutron]# cat plugins/ml2/openvswitch_agent.ini
[securitygroup]
firewall_driver = openvswitch
enable_security_group = true
[root@vm neutron]# cat l3_agent.ini
[DEFAULT]
verbose = true
interface_driver = openvswitch
agent_mode = dvr_snat
[agent]
extensions = fwaas_v2
[fwaas]
agent_version = v2
driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
enabled = True
Steps:
Create a new vm(port id: e822d587-5a4d-4124-9c31-a113d773cea8)
Then default firewall group was bound on vm's port automatically:
[root@vm neutron]# openstack firewall group show 7a5265b4-e69b-4633-af34-2224a10c1e90
+-------------------+-------------------------------------------+
| Field | Value |
+-------------------+-------------------------------------------+
| Description | Default firewall group |
| Egress Policy ID | 1747c29b-0a7c-4bda-b362-8e9870a96724 |
| ID | 7a5265b4-e69b-4633-af34-2224a10c1e90 |
| Ingress Policy ID | 5d3cfbff-7c84-4c55-85b4-170cdbc09c35 |
| Name | default |
| Ports | [u'e822d587-5a4d-4124-9c31-a113d773cea8'] |
| Project | 9355437b66f64e8999e30978a7b3c33c |
| Shared | False |
| State | UP |
| Status | ACTIVE |
| project_id | 9355437b66f64e8999e30978a7b3c33c |
+-------------------+-------------------------------------------+
Here is every scenario of security group and fwaas:
|ID|firewall_l2_driver | security_group | _is_supported_by_fw_l2_driver|
|:-|:------------------|:---------------|:-----------------------------|
|1 |noop | openvswitch | True |
|2 |noop | others(*1) | False|
|3 |openvswitch | openvswitch | False |
|4 |openvswitch | others | True|
The correct is as follows:
|firewall_l2_driver | security_group | _is_supported_by_fw_l2_driver|
|:------------------|:---------------|:-----------------------------|
|noop | openvswitch | False|
|noop | others(*1) | False|
|openvswitch | openvswitch | False |
|openvswitch | others | True |
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1798713/+subscriptions
Follow ups
