

[Bug 1925789] [NEW] neutron fwaas2 l3 - inconsistent order of jump rules

 

Public bug reported:

Scenario:
I have a router with 2 internal interfaces.
Each port of the router is assigned to a different firewall group (port1 in firewall group fg1, port2 in firewall group fg2).
If I remove port1 from fg1, the l3 agent removes port1's rules from the iptables filter chain.
But if I then add port1 back to fg1, port1's firewall rules are appended at the end of the iptables filter chain (after port2's rules), not restored to their original position before port2's rules.

#initial
#port1 in fg1, port2 in fg2
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
:neutron-l3-agent-FORWARD - [0:0]
:neutron-l3-agent-INPUT - [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-local - [0:0]
:neutron-l3-agent-scope - [0:0]
:neutron-l3-agent-accepted - [0:0]
:neutron-l3-agent-dropped - [0:0]
:neutron-l3-agent-rejected - [0:0]
:neutron-l3-agent-fwaas-defau - [0:0]
:neutron-l3-agent-iv4a43875cf - [0:0]
:neutron-l3-agent-ov4a43875cf - [0:0]
:neutron-l3-agent-iv451003ddf - [0:0]
:neutron-l3-agent-ov451003ddf - [0:0]
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-4fd4f4f5-60 -j neutron-l3-agent-iv4a43875cf
-A neutron-l3-agent-FORWARD -i qr-4fd4f4f5-60 -j neutron-l3-agent-ov4a43875cf
-A neutron-l3-agent-FORWARD -o qr-16bfccec-5c -j neutron-l3-agent-iv451003ddf
-A neutron-l3-agent-FORWARD -i qr-16bfccec-5c -j neutron-l3-agent-ov451003ddf
-A neutron-l3-agent-FORWARD -o qr-16bfccec-5c -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-16bfccec-5c -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
-A neutron-l3-agent-scope -o qr-16bfccec-5c -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -o qr-4fd4f4f5-60 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-accepted -j ACCEPT
-A neutron-l3-agent-dropped -j DROP
-A neutron-l3-agent-rejected -j REJECT --reject-with icmp-port-unreachable
-A neutron-l3-agent-fwaas-defau -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4a43875cf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4a43875cf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv4a43875cf -s 10.170.0.0/24 -d 10.160.0.0/24 -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov4a43875cf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov4a43875cf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov451003ddf -s 10.170.0.128/25 -d 10.160.0.128/25 -j neutron-l3-agent-accepted
COMMIT

#remove port1 from fg1
iptables-save
....
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-16bfccec-5c -j neutron-l3-agent-iv451003ddf
-A neutron-l3-agent-FORWARD -i qr-16bfccec-5c -j neutron-l3-agent-ov451003ddf
-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
-A neutron-l3-agent-scope -o qr-16bfccec-5c -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -o qr-4fd4f4f5-60 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-accepted -j ACCEPT
-A neutron-l3-agent-dropped -j DROP
-A neutron-l3-agent-rejected -j REJECT --reject-with icmp-port-unreachable
-A neutron-l3-agent-iv451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov451003ddf -s 10.170.0.128/25 -d 10.160.0.128/25 -j neutron-l3-agent-accepted
COMMIT

#insert again port1 in fg1
iptables-save
....
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-16bfccec-5c -j neutron-l3-agent-iv451003ddf
-A neutron-l3-agent-FORWARD -i qr-16bfccec-5c -j neutron-l3-agent-ov451003ddf
-A neutron-l3-agent-FORWARD -o qr-4fd4f4f5-60 -j neutron-l3-agent-iv4a43875cf
-A neutron-l3-agent-FORWARD -i qr-4fd4f4f5-60 -j neutron-l3-agent-ov4a43875cf
-A neutron-l3-agent-FORWARD -o qr-4fd4f4f5-60 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-4fd4f4f5-60 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
-A neutron-l3-agent-scope -o qr-16bfccec-5c -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -o qr-4fd4f4f5-60 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-accepted -j ACCEPT
-A neutron-l3-agent-dropped -j DROP
-A neutron-l3-agent-rejected -j REJECT --reject-with icmp-port-unreachable
-A neutron-l3-agent-iv451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov451003ddf -s 10.170.0.128/25 -d 10.160.0.128/25 -j neutron-l3-agent-accepted
-A neutron-l3-agent-fwaas-defau -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4a43875cf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4a43875cf -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov4a43875cf -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov4a43875cf -m state --state RELATED,ESTABLISHED -j ACCEPT

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1925789

Title:
  neutron fwaas2 l3 - inconsistent order of jump rules

Status in neutron:
  New

Bug description:
  Scenario:
  I have a router with 2 internal interfaces.
  Each port of the router is assigned to a different firewall group (port1 in firewall group fg1, port2 in firewall group fg2).
  If I remove port1 from fg1, the l3 agent removes port1's rules from the iptables filter chain.
  But if I then add port1 back to fg1, port1's firewall rules are appended at the end of the iptables filter chain (after port2's rules), not restored to their original position before port2's rules.

  #initial
  #port1 in fg1, port2 in fg2
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :neutron-filter-top - [0:0]
  :neutron-l3-agent-FORWARD - [0:0]
  :neutron-l3-agent-INPUT - [0:0]
  :neutron-l3-agent-OUTPUT - [0:0]
  :neutron-l3-agent-local - [0:0]
  :neutron-l3-agent-scope - [0:0]
  :neutron-l3-agent-accepted - [0:0]
  :neutron-l3-agent-dropped - [0:0]
  :neutron-l3-agent-rejected - [0:0]
  :neutron-l3-agent-fwaas-defau - [0:0]
  :neutron-l3-agent-iv4a43875cf - [0:0]
  :neutron-l3-agent-ov4a43875cf - [0:0]
  :neutron-l3-agent-iv451003ddf - [0:0]
  :neutron-l3-agent-ov451003ddf - [0:0]
  -A INPUT -j neutron-l3-agent-INPUT
  -A FORWARD -j neutron-filter-top
  -A FORWARD -j neutron-l3-agent-FORWARD
  -A OUTPUT -j neutron-filter-top
  -A OUTPUT -j neutron-l3-agent-OUTPUT
  -A neutron-filter-top -j neutron-l3-agent-local
  -A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
  -A neutron-l3-agent-FORWARD -o qr-4fd4f4f5-60 -j neutron-l3-agent-iv4a43875cf
  -A neutron-l3-agent-FORWARD -i qr-4fd4f4f5-60 -j neutron-l3-agent-ov4a43875cf
  -A neutron-l3-agent-FORWARD -o qr-16bfccec-5c -j neutron-l3-agent-iv451003ddf
  -A neutron-l3-agent-FORWARD -i qr-16bfccec-5c -j neutron-l3-agent-ov451003ddf
  -A neutron-l3-agent-FORWARD -o qr-16bfccec-5c -j neutron-l3-agent-fwaas-defau
  -A neutron-l3-agent-FORWARD -i qr-16bfccec-5c -j neutron-l3-agent-fwaas-defau
  -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
  -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
  -A neutron-l3-agent-scope -o qr-16bfccec-5c -m mark ! --mark 0x4000000/0xffff0000 -j DROP
  -A neutron-l3-agent-scope -o qr-4fd4f4f5-60 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
  -A neutron-l3-agent-accepted -j ACCEPT
  -A neutron-l3-agent-dropped -j DROP
  -A neutron-l3-agent-rejected -j REJECT --reject-with icmp-port-unreachable
  -A neutron-l3-agent-fwaas-defau -j neutron-l3-agent-dropped
  -A neutron-l3-agent-iv4a43875cf -m state --state INVALID -j neutron-l3-agent-dropped
  -A neutron-l3-agent-iv4a43875cf -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A neutron-l3-agent-iv4a43875cf -s 10.170.0.0/24 -d 10.160.0.0/24 -j neutron-l3-agent-accepted
  -A neutron-l3-agent-ov4a43875cf -m state --state INVALID -j neutron-l3-agent-dropped
  -A neutron-l3-agent-ov4a43875cf -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A neutron-l3-agent-iv451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
  -A neutron-l3-agent-iv451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A neutron-l3-agent-ov451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
  -A neutron-l3-agent-ov451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A neutron-l3-agent-ov451003ddf -s 10.170.0.128/25 -d 10.160.0.128/25 -j neutron-l3-agent-accepted
  COMMIT

  #remove port1 from fg1
  iptables-save
  ....
  -A neutron-filter-top -j neutron-l3-agent-local
  -A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
  -A neutron-l3-agent-FORWARD -o qr-16bfccec-5c -j neutron-l3-agent-iv451003ddf
  -A neutron-l3-agent-FORWARD -i qr-16bfccec-5c -j neutron-l3-agent-ov451003ddf
  -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
  -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
  -A neutron-l3-agent-scope -o qr-16bfccec-5c -m mark ! --mark 0x4000000/0xffff0000 -j DROP
  -A neutron-l3-agent-scope -o qr-4fd4f4f5-60 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
  -A neutron-l3-agent-accepted -j ACCEPT
  -A neutron-l3-agent-dropped -j DROP
  -A neutron-l3-agent-rejected -j REJECT --reject-with icmp-port-unreachable
  -A neutron-l3-agent-iv451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
  -A neutron-l3-agent-iv451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A neutron-l3-agent-ov451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
  -A neutron-l3-agent-ov451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A neutron-l3-agent-ov451003ddf -s 10.170.0.128/25 -d 10.160.0.128/25 -j neutron-l3-agent-accepted
  COMMIT

  #insert again port1 in fg1
  iptables-save
  ....
  -A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
  -A neutron-l3-agent-FORWARD -o qr-16bfccec-5c -j neutron-l3-agent-iv451003ddf
  -A neutron-l3-agent-FORWARD -i qr-16bfccec-5c -j neutron-l3-agent-ov451003ddf
  -A neutron-l3-agent-FORWARD -o qr-4fd4f4f5-60 -j neutron-l3-agent-iv4a43875cf
  -A neutron-l3-agent-FORWARD -i qr-4fd4f4f5-60 -j neutron-l3-agent-ov4a43875cf
  -A neutron-l3-agent-FORWARD -o qr-4fd4f4f5-60 -j neutron-l3-agent-fwaas-defau
  -A neutron-l3-agent-FORWARD -i qr-4fd4f4f5-60 -j neutron-l3-agent-fwaas-defau
  -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
  -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
  -A neutron-l3-agent-scope -o qr-16bfccec-5c -m mark ! --mark 0x4000000/0xffff0000 -j DROP
  -A neutron-l3-agent-scope -o qr-4fd4f4f5-60 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
  -A neutron-l3-agent-accepted -j ACCEPT
  -A neutron-l3-agent-dropped -j DROP
  -A neutron-l3-agent-rejected -j REJECT --reject-with icmp-port-unreachable
  -A neutron-l3-agent-iv451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
  -A neutron-l3-agent-iv451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A neutron-l3-agent-ov451003ddf -m state --state INVALID -j neutron-l3-agent-dropped
  -A neutron-l3-agent-ov451003ddf -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A neutron-l3-agent-ov451003ddf -s 10.170.0.128/25 -d 10.160.0.128/25 -j neutron-l3-agent-accepted
  -A neutron-l3-agent-fwaas-defau -j neutron-l3-agent-dropped
  -A neutron-l3-agent-iv4a43875cf -m state --state INVALID -j neutron-l3-agent-dropped
  -A neutron-l3-agent-iv4a43875cf -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A neutron-l3-agent-ov4a43875cf -m state --state INVALID -j neutron-l3-agent-dropped
  -A neutron-l3-agent-ov4a43875cf -m state --state RELATED,ESTABLISHED -j ACCEPT

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1925789/+subscriptions