yahoo-eng-team team mailing list archive

[Bug 1798713] Re: [fwaas]wrong judgment in _is_supported_by_fw_l2_driver method


First of all, "firewall_l2_driver" parameter is not for controlling
default FWG behavior but configuring firewall group L2 driver.  We've
implemented that default FWG is not as an optional feature but basic
one.  Therefore, I don't think it's a bug.  Do you want to disable
default FWG association?  If so, please file a new bug-report as "RFE"
and your motivation/use-case.  Thanks.

In addition, we're trying "ovs" as a default firewall L2 driver [1].

[1]https://review.openstack.org/#/c/605866/

** Changed in: neutron
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1798713

Title:
  [fwaas]wrong judgment in _is_supported_by_fw_l2_driver method

Status in neutron:
  Invalid

Bug description:
  The scenario: security group is enabled and its firewall_driver = openvswitch; fwaas is enabled and its firewall_l2_driver = noop (default).
  If I create a new vm, the default FWG will be bound on this vm's port automatically. However, firewall_l2_driver = noop and I don't want to use fwaas in L2.
  This bug is caused by the judgment in the _is_supported_by_fw_l2_driver method.


  My environment is below:
  [root@vm neutron]# cat plugins/ml2/openvswitch_agent.ini
  [securitygroup]
  firewall_driver = openvswitch
  enable_security_group = true

  [root@vm neutron]# cat l3_agent.ini
  [DEFAULT]
  verbose = true
  interface_driver = openvswitch
  agent_mode = dvr_snat

  [agent]
  extensions = fwaas_v2

  [fwaas]
  agent_version = v2
  driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
  enabled = True


  Steps:
  Create a new vm (port id: e822d587-5a4d-4124-9c31-a113d773cea8)

  Then default firewall group was bound on vm's port automatically:
  [root@vm neutron]# openstack firewall group show 7a5265b4-e69b-4633-af34-2224a10c1e90
  +-------------------+-------------------------------------------+
  | Field             | Value                                     |
  +-------------------+-------------------------------------------+
  | Description       | Default firewall group                    |
  | Egress Policy ID  | 1747c29b-0a7c-4bda-b362-8e9870a96724      |
  | ID                | 7a5265b4-e69b-4633-af34-2224a10c1e90      |
  | Ingress Policy ID | 5d3cfbff-7c84-4c55-85b4-170cdbc09c35      |
  | Name              | default                                   |
  | Ports             | [u'e822d587-5a4d-4124-9c31-a113d773cea8'] |
  | Project           | 9355437b66f64e8999e30978a7b3c33c          |
  | Shared            | False                                     |
  | State             | UP                                        |
  | Status            | ACTIVE                                    |
  | project_id        | 9355437b66f64e8999e30978a7b3c33c          |
  +-------------------+-------------------------------------------+


  Here is every scenario of security group and fwaas:
  |ID|firewall_l2_driver | security_group | _is_supported_by_fw_l2_driver|
  |:-|:------------------|:---------------|:-----------------------------|
  |1 |noop               | openvswitch    | True                         |
  |2 |noop               | others(*1)     | False                        |
  |3 |openvswitch        | openvswitch    | False                        |
  |4 |openvswitch        | others         | True                         |

  The correct behaviour is as follows:

  |firewall_l2_driver | security_group | _is_supported_by_fw_l2_driver|
  |:------------------|:---------------|:-----------------------------|
  |noop               | openvswitch    | False                        |
  |noop               | others(*1)     | False                        |
  |openvswitch        | openvswitch    | False                        |
  |openvswitch        | others         | True                         |

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1798713/+subscriptions
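The two tables above, turned into a small config check as an added example (not code from the bug thread or from neutron-fwaas). It assumes the security-group driver is read from `[securitygroup] firewall_driver` in openvswitch_agent.ini and the FWaaS L2 driver from `[fwaas] firewall_l2_driver`, defaulting to noop when absent; `reported_is_supported` is a reconstruction of the observed outcomes, not the real `_is_supported_by_fw_l2_driver`, and all function names are hypothetical.

```python
import configparser

# Constructed sample mirroring the reporter's openvswitch_agent.ini:
# SG driver is openvswitch and no [fwaas] section is present.
SAMPLE_OVS_AGENT_INI = """\
[securitygroup]
firewall_driver = openvswitch
enable_security_group = true
"""


def reported_is_supported(l2_driver, sg_driver):
    """Outcome the reporter observed (first table): with the noop L2
    driver, an openvswitch SG driver is wrongly treated as supported."""
    if l2_driver == "noop":
        return sg_driver == "openvswitch"
    return sg_driver != "openvswitch"


def expected_is_supported(l2_driver, sg_driver):
    """Outcome the reporter considers correct (second table): a default
    FWG should only be bound when a real L2 driver is configured and
    the SG driver is not openvswitch (both cannot own the OVS flows)."""
    return l2_driver != "noop" and sg_driver != "openvswitch"


def check_config(ini_text):
    """Parse an agent ini and report both decisions for its settings."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    # Assumed keys/sections; "noop" fallbacks are assumptions too.
    sg_driver = cp.get("securitygroup", "firewall_driver", fallback="noop")
    l2_driver = cp.get("fwaas", "firewall_l2_driver", fallback="noop")
    return {
        "firewall_l2_driver": l2_driver,
        "security_group": sg_driver,
        "reported": reported_is_supported(l2_driver, sg_driver),
        "expected": expected_is_supported(l2_driver, sg_driver),
    }


if __name__ == "__main__":
    result = check_config(SAMPLE_OVS_AGENT_INI)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A mismatch between `reported` and `expected` for a given agent config is exactly the case the report describes: a default FWG bound to a port even though no L2 FWaaS driver is in use.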
