yahoo-eng-team team mailing list archive
Message #91468
[Bug 2009705] [NEW] Openstack Zed - firewall group status doesn't change to ACTIVE.
Public bug reported:
Firewall group status doesn't change to ACTIVE. The same behavior with
the default firewall group.
$ openstack firewall group show 3e25ff35-65fc-4438-8684-806904186b8e
+-------------------+------------------------------------------+
| Field | Value |
+-------------------+------------------------------------------+
| Description | |
| Egress Policy ID | c17c818a-d6aa-4100-89f5-76e2d6cbb790 |
| ID | 3e25ff35-65fc-4438-8684-806904186b8e |
| Ingress Policy ID | 17d9d11c-ad69-4773-b853-db686da86994 |
| Name | |
| Ports | ['f890e2c4-019e-494d-bd77-04fcdd683b4c'] |
| Project | 1b0ab3547b42494096ac06400d65671a |
| Shared | False |
| State | UP |
| Status | INACTIVE |
| project_id | 1b0ab3547b42494096ac06400d65671a |
+-------------------+------------------------------------------+
$ openstack firewall group policy show c17c818a-d6aa-4100-89f5-76e2d6cbb790
+----------------+------------------------------------------+
| Field | Value |
+----------------+------------------------------------------+
| Audited | False |
| Description | |
| Firewall Rules | ['0cffb2ac-ab27-4b05-a853-b7f3f9472b3e'] |
| ID | c17c818a-d6aa-4100-89f5-76e2d6cbb790 |
| Name | block80 |
| Project | 1b0ab3547b42494096ac06400d65671a |
| Shared | False |
| project_id | 1b0ab3547b42494096ac06400d65671a |
+----------------+------------------------------------------+
$ openstack firewall group policy show 17d9d11c-ad69-4773-b853-db686da86994
+----------------+------------------------------------------+
| Field | Value |
+----------------+------------------------------------------+
| Audited | False |
| Description | |
| Firewall Rules | ['c9c0c1b6-2400-41e2-9c29-b3c1212f2470'] |
| ID | 17d9d11c-ad69-4773-b853-db686da86994 |
| Name | allowAll |
| Project | 1b0ab3547b42494096ac06400d65671a |
| Shared | False |
| project_id | 1b0ab3547b42494096ac06400d65671a |
+----------------+------------------------------------------+
$ openstack firewall group rule show 0cffb2ac-ab27-4b05-a853-b7f3f9472b3e
+------------------------+------------------------------------------+
| Field | Value |
+------------------------+------------------------------------------+
| Action | deny |
| Description | |
| Destination IP Address | 192.168.2.0/24 |
| Destination Port | 80 |
| Enabled | True |
| ID | 0cffb2ac-ab27-4b05-a853-b7f3f9472b3e |
| IP Version | 4 |
| Name | |
| Project | 1b0ab3547b42494096ac06400d65671a |
| Protocol | tcp |
| Shared | False |
| Source IP Address | None |
| Source Port | None |
| firewall_policy_id | ['c17c818a-d6aa-4100-89f5-76e2d6cbb790'] |
| project_id | 1b0ab3547b42494096ac06400d65671a |
+------------------------+------------------------------------------+
$ openstack firewall group rule show c9c0c1b6-2400-41e2-9c29-b3c1212f2470
+------------------------+------------------------------------------+
| Field | Value |
+------------------------+------------------------------------------+
| Action | allow |
| Description | |
| Destination IP Address | None |
| Destination Port | None |
| Enabled | True |
| ID | c9c0c1b6-2400-41e2-9c29-b3c1212f2470 |
| IP Version | 4 |
| Name | |
| Project | 1b0ab3547b42494096ac06400d65671a |
| Protocol | any |
| Shared | False |
| Source IP Address | None |
| Source Port | None |
| firewall_policy_id | ['17d9d11c-ad69-4773-b853-db686da86994'] |
| project_id | 1b0ab3547b42494096ac06400d65671a |
+------------------------+------------------------------------------+
$ openstack port show f890e2c4-019e-494d-bd77-04fcdd683b4c --max-width 90
+-------------------------+--------------------------------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | pr1-cmpi-05 |
| binding_profile | |
| binding_vif_details | bound_drivers.0='openvswitch', bridge_name='br-int', |
| | connectivity='l2', datapath_type='system', |
| | ovs_hybrid_plug='True', port_filter='True' |
| binding_vif_type | ovs |
| binding_vnic_type | normal |
| created_at | 2023-03-08T08:25:37Z |
| data_plane_status | None |
| description | |
| device_id | 3d623cee-b6ae-4b6f-ade8-320126bf9de2 |
| device_owner | network:ha_router_replicated_interface |
| device_profile | None |
| dns_assignment | None |
| dns_domain | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address='192.168.2.1', |
| | subnet_id='0ba0f7f0-f1d1-4ac1-8d01-6d38f1a92444' |
| id | f890e2c4-019e-494d-bd77-04fcdd683b4c |
| ip_allocation | None |
| mac_address | fa:16:3e:5b:06:a8 |
| name | |
| network_id | 3fc6a7af-a12e-4cd0-977e-6a413d7078ae |
| numa_affinity_policy | None |
| port_security_enabled | False |
| project_id | 1b0ab3547b42494096ac06400d65671a |
| propagate_uplink_status | None |
| qos_network_policy_id | None |
| qos_policy_id | None |
| resource_request | None |
| revision_number | 10 |
| security_group_ids | |
| status | ACTIVE |
| tags | |
| trunk_details | None |
| updated_at | 2023-03-08T11:56:03Z |
+-------------------------+--------------------------------------------------------------+
Environment detail:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal
$ pip3 list | egrep 'neutron|fwaas'
neutron 21.0.1.dev106
neutron-fwaas 17.0.0
neutron-lib 3.1.0
neutron-vpnaas 21.0.0
python-neutronclient 8.1.0
$ cat /etc/neutron/neutron.conf | egrep 'firewall|fwaas'
...
service_plugins = router, firewall_v2
...
[service_providers]
service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default
...
$ cat /etc/neutron/fwaas_driver.ini
[fwaas]
agent_version = v2
driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
enabled = true
$ cat /etc/neutron/plugins/ml2/ml2_conf.ini
[agent]
extensions = fwaas_v2
[fwaas]
firewall_l2_driver = noop
[ml2]
extension_drivers = port_security
mechanism_drivers = openvswitch,l2population
tenant_network_types = vxlan
type_drivers = flat,vlan,vxlan
[ml2_type_flat]
flat_networks = *
[ml2_type_vlan]
network_vlan_ranges = provider
[ml2_type_vxlan]
vni_ranges = 1:1000
vxlan_group = 239.1.1.1
$ cat /etc/neutron/l3_agent.ini
[AGENT]
extensions = fwaas_v2
[DEFAULT]
agent_mode = legacy
interface_driver = openvswitch
ovs_use_veth = true
$ cat /etc/neutron/plugins/ml2/openvswitch_agent.ini
[agent]
arp_responder = true
l2_population = true
tunnel_types = vxlan
[ovs]
bridge_mappings = provider:br-ex
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
Reference links:
https://docs.openstack.org/neutron/zed/admin/fwaas-v2-scenario.html
https://docs.openstack.org/releasenotes/neutron-fwaas/zed.html
https://specs.openstack.org/openstack/neutron-specs/specs/zed/fwaas-group-ordering.html
https://superuser.openstack.org/articles/openstack-firewall-as-a-service-fwaas-the-basics-and-a-quick-tutorial
https://bugs.launchpad.net/cloud-archive/+bug/1832450
https://bugs.launchpad.net/neutron/+bug/1836015
https://bugs.launchpad.net/ubuntu/+source/neutron-fwaas/+bug/1839477
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2009705
Title:
Openstack Zed - firewall group status doesn't change to ACTIVE.
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2009705/+subscriptions
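The report shows the API-side status (INACTIVE) but nothing from the router namespace, and the two can disagree: the status is set from agent callbacks, while enforcement is whatever iptables holds in the qrouter namespace on the host where the port is bound (pr1-cmpi-05 here). The following script is an added example for this thread, not code from neutron or neutron-fwaas. It takes an `iptables-save` dump from the router namespace and reports whether the firewall group's chains are actually hooked on the port's qr- interface and whether the tcp/80 deny rule from the egress policy landed. The chain and interface naming it looks for (`neutron-l3-agent-` wrapper, `iv4`/`ov4` per-group chains, `qr-` plus the first eleven characters of the port id) is an assumption modelled on the iptables_fwaas_v2 driver's conventions, and both dumps are constructed for the example rather than captured from the reporter's system.

```python
"""Check an iptables-save dump of a qrouter namespace for FWaaS v2 enforcement.

Added example for this bug thread, not neutron-fwaas code.  Assumptions
(modelled on the iptables_fwaas_v2 driver, not verified against it here):
  * neutron wraps its chains as 'neutron-l3-agent-<name>' and truncates them;
  * per-group chains are 'iv4<group-id prefix>' (ingress policy) and
    'ov4<group-id prefix>' (egress policy), hooked from the wrapped FORWARD
    chain with '-i qr-<port>' / '-o qr-<port>';
  * the router-side interface is 'qr-' + first 11 chars of the port id.
Both dumps below are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WRAP = "neutron-l3-agent-"
PORT_ID = "f890e2c4-019e-494d-bd77-04fcdd683b4c"   # router port from the report
FWG_ID = "3e25ff35-65fc-4438-8684-806904186b8e"    # firewall group from the report


def port_dev_name(port_id: str) -> str:
    """Router-internal interface name for a port (assumed qr- + 11 chars)."""
    return "qr-" + port_id[:11]


def _opt(tokens: List[str], flag: str, default: Optional[str] = None) -> Optional[str]:
    """Value following an iptables flag in a tokenised rule spec, or default."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return default


@dataclass
class FwaasState:
    ingress_chain: Optional[str] = None
    egress_chain: Optional[str] = None
    ingress_rules: List[str] = field(default_factory=list)
    egress_rules: List[str] = field(default_factory=list)

    @property
    def enforced(self) -> bool:
        """True only when both policy chains are hooked on the port's device."""
        return self.ingress_chain is not None and self.egress_chain is not None


def parse_filter_table(dump: str) -> Dict[str, List[str]]:
    """Return {chain: [rule specs, in order]} for the *filter table of a dump."""
    chains: Dict[str, List[str]] = {}
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line == "COMMIT" or line.startswith("#"):
            continue
        if line.startswith(":"):                      # chain declaration
            chains.setdefault(line[1:].split()[0], [])
            continue
        m = re.match(r"-A (\S+) (.*)", line)          # appended rule
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def fwaas_state_for_port(dump: str, port_id: str, fwg_id: str) -> FwaasState:
    """Find the group's ingress/egress chains hooked on the port's qr- device."""
    chains = parse_filter_table(dump)
    dev = port_dev_name(port_id)
    state = FwaasState()
    for spec in chains.get(WRAP + "FORWARD", []):
        t = spec.split()
        target = _opt(t, "-j", "")
        if not target.startswith(WRAP):
            continue
        name = target[len(WRAP):]                     # e.g. 'iv43e25ff35'
        if len(name) < 4 or name[0] not in "io" or name[1:3] != "v4":
            continue
        if not fwg_id.startswith(name[3:]):           # (truncated) group id must match
            continue
        if name[0] == "i" and _opt(t, "-i") == dev:
            state.ingress_chain, state.ingress_rules = target, chains.get(target, [])
        elif name[0] == "o" and _opt(t, "-o") == dev:
            state.egress_chain, state.egress_rules = target, chains.get(target, [])
    return state


def egress_deny_rule_present(state: FwaasState, dst: str, proto: str, dport: int) -> bool:
    """Is there an egress rule for dst/proto/dport whose target is the dropped chain?"""
    for spec in state.egress_rules:
        t = spec.split()
        if (_opt(t, "-d") == dst and _opt(t, "-p") == proto
                and _opt(t, "--dport") == str(dport)
                and _opt(t, "-j", "").endswith("dropped")):
            return True
    return False


# Constructed dump: what a healthy namespace is assumed to look like for this group.
DUMP_ENFORCED = """
*filter
:FORWARD ACCEPT [0:0]
:neutron-l3-agent-FORWARD - [0:0]
:neutron-l3-agent-accepted - [0:0]
:neutron-l3-agent-dropped - [0:0]
:neutron-l3-agent-iv43e25ff35 - [0:0]
:neutron-l3-agent-ov43e25ff35 - [0:0]
-A FORWARD -j neutron-l3-agent-FORWARD
-A neutron-l3-agent-FORWARD -i qr-f890e2c4-01 -j neutron-l3-agent-iv43e25ff35
-A neutron-l3-agent-FORWARD -o qr-f890e2c4-01 -j neutron-l3-agent-ov43e25ff35
-A neutron-l3-agent-accepted -j ACCEPT
-A neutron-l3-agent-dropped -j DROP
-A neutron-l3-agent-iv43e25ff35 -m state --state RELATED,ESTABLISHED -j neutron-l3-agent-accepted
-A neutron-l3-agent-iv43e25ff35 -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov43e25ff35 -m state --state RELATED,ESTABLISHED -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov43e25ff35 -d 192.168.2.0/24 -p tcp -m tcp --dport 80 -j neutron-l3-agent-dropped
COMMIT
"""

# Constructed dump: the agent never programmed the group (nothing hooked on qr-).
DUMP_MISSING = """
*filter
:FORWARD ACCEPT [0:0]
:neutron-l3-agent-FORWARD - [0:0]
-A FORWARD -j neutron-l3-agent-FORWARD
COMMIT
"""

if __name__ == "__main__":
    for label, dump in (("enforced", DUMP_ENFORCED), ("missing", DUMP_MISSING)):
        s = fwaas_state_for_port(dump, PORT_ID, FWG_ID)
        print(label, "hooked:", s.enforced,
              "deny tcp/80 ->192.168.2.0/24:", egress_deny_rule_present(s, "192.168.2.0/24", "tcp", 80))
```

To use it against a real router, capture `ip netns exec qrouter-<router id> iptables-save` on the host holding the namespace (for an HA router, the active instance) and pass that text to `fwaas_state_for_port`. If the chains are hooked and the deny rule is present, the INACTIVE status is a reporting problem between agent and server; if nothing is hooked on the qr- device, the group is not enforced at all and the L3 agent's fwaas_v2 extension is the place to look.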