yahoo-eng-team team mailing list archive

[Bug 1798577] Re: [FWaas-DVR]wrong port name in iptables rules

 

Closing as the patch has been abandoned and no progress for many years.
Please re-open if anyone intends to work on it. Thanks.

** Changed in: neutron
       Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1798577

Title:
  [FWaas-DVR]wrong port name in iptables rules

Status in neutron:
  Won't Fix

Bug description:
  In DVR model, when we bind a FWG on a gateway port, the port names (sg port and rfp port) in iptables rules are wrong.

  
  Steps:
  1. Create a firewall group named fw.
  2. Create a router (id: 0cbd237f-358a-4c27-8047-c50e1f7201e7) and add a subnet's gateway port (id: b013ad9f-b11f-4fd4-b458-490e3da38527) to this router.
  3. Bind FWG fw on the gateway port (b013ad9f-b11f-4fd4-b458-490e3da38527).

  
  Here is my environment:
  [root@vm ~]# openstack firewall group show fw
  +-------------------+-------------------------------------------+
  | Field             | Value                                     |
  +-------------------+-------------------------------------------+
  | Description       |                                           |
  | Egress Policy ID  | c907b32c-b2e8-4e7f-a38a-64e5f9f11942      |
  | ID                | deb36e9f-0908-43c7-a51d-9a71b97fc756      |
  | Ingress Policy ID | 3996f090-8e8d-48c5-a3de-4ba2c88ff935      |
  | Name              | fw                                        |
  | Ports             | [u'b013ad9f-b11f-4fd4-b458-490e3da38527'] |
  | Project           | 9355437b66f64e8999e30978a7b3c33c          |
  | Shared            | False                                     |
  | State             | UP                                        |
  | Status            | ACTIVE                                    |
  | project_id        | 9355437b66f64e8999e30978a7b3c33c          |
  +-------------------+-------------------------------------------+

  [root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 ip a
  2: rfp-0cbd237f-3@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
      link/ether 6e:22:a5:20:18:20 brd ff:ff:ff:ff:ff:ff link-netnsid 0
      inet 169.254.106.114/31 scope global rfp-0cbd237f-3
         valid_lft forever preferred_lft forever
  109: qr-b013ad9f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
      link/ether fa:16:3e:c5:cf:73 brd ff:ff:ff:ff:ff:ff
      inet 192.168.1.1/24 brd 192.168.1.255 scope global qr-b013ad9f-b1
         valid_lft forever preferred_lft forever
      inet6 fe80::f816:3eff:fec5:cf73/64 scope link 
         valid_lft forever preferred_lft forever

  [root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 ip a
  110: sg-66024492-92: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
      link/ether fa:16:3e:85:3b:0a brd ff:ff:ff:ff:ff:ff

  
  Below is the wrong place; please focus on the 'sg-' port name and the 'rfp-' port name:

  [root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
  -A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-iv4deb36e9f
  -A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-ov4deb36e9f
  -A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-fwaas-defau
  -A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-fwaas-defau

  [root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
  -A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-iv4deb36e9f
  -A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-ov4deb36e9f
  -A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-fwaas-defau
  -A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-fwaas-defau

  
  We can see that the 'sg-' port name and 'rfp-' port name are different from the correct names.
  The correct names are below:

  [root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
  -A neutron-l3-agent-FORWARD -o sg-66024492-92 -j neutron-l3-agent-iv4deb36e9f
  -A neutron-l3-agent-FORWARD -i sg-66024492-92 -j neutron-l3-agent-ov4deb36e9f
  -A neutron-l3-agent-FORWARD -o sg-66024492-92 -j neutron-l3-agent-fwaas-defau
  -A neutron-l3-agent-FORWARD -i sg-66024492-92 -j neutron-l3-agent-fwaas-defau

  [root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
  -A neutron-l3-agent-FORWARD -o rfp-0cbd237f-3 -j neutron-l3-agent-iv4deb36e9f
  -A neutron-l3-agent-FORWARD -i rfp-0cbd237f-3 -j neutron-l3-agent-ov4deb36e9f
  -A neutron-l3-agent-FORWARD -o rfp-0cbd237f-3 -j neutron-l3-agent-fwaas-defau
  -A neutron-l3-agent-FORWARD -i rfp-0cbd237f-3 -j neutron-l3-agent-fwaas-defau

  I have checked the code of the l3-agent: the 'sg-' port name comes
  from the port id of the snat_interface, and the 'rfp-' port name comes
  from the router id.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1798577/+subscriptions
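The naming rule the reporter describes, together with a check for the symptom, as an added example that is not part of the bug report or of Neutron's own code. It assumes an interface name is the prefix plus the id truncated to 14 characters, which is consistent with every name shown above (qr-b013ad9f-b1, sg-66024492-92, rfp-0cbd237f-3). The report only shows the first 11 characters of the snat port id, so the rest of that UUID is constructed; the `ip a` and `iptables -S` dumps are taken from the report. The security-relevant point is that a FORWARD rule whose -i/-o interface does not exist in the namespace can never match, so the firewall group it implements is silently not enforced, and that is what the check looks for.

```python
"""Check that FWaaS iptables rules in DVR router namespaces reference
interfaces that actually exist there (added example, not Neutron code)."""
import re

# Linux limits interface names to 15 bytes; the names in the bug report
# are all prefix + id cut to 14 characters (assumption based on those names).
DEV_NAME_LEN = 14

# Identifiers taken from the bug report.
ROUTER_ID = "0cbd237f-358a-4c27-8047-c50e1f7201e7"
GATEWAY_PORT_ID = "b013ad9f-b11f-4fd4-b458-490e3da38527"
# Only "66024492-92" is visible in the report; the remainder is constructed.
SNAT_PORT_ID = "66024492-92aa-4bbb-8ccc-dddddddddddd"


def device_name(prefix, uuid):
    """Derive a namespace interface name: prefix + id, truncated to DEV_NAME_LEN."""
    return (prefix + uuid)[:DEV_NAME_LEN]


def expected_fwaas_devices(router_id, snat_port_id):
    """Names the FWaaS rules must use, per the report: 'sg-' + snat interface
    port id in the snat-* namespace, 'rfp-' + router id in the qrouter-* one."""
    return {
        "snat": device_name("sg-", snat_port_id),
        "qrouter": device_name("rfp-", router_id),
    }


def interfaces_in_namespace(ip_a_output):
    """Parse `ip a` output into the set of interface names (drops any '@ifN')."""
    names = set()
    for line in ip_a_output.splitlines():
        m = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if m:
            names.add(m.group(1))
    return names


def rule_interfaces(iptables_s_output):
    """Collect every interface named by -i / -o in `iptables -S` output."""
    return set(re.findall(r"\s-[io]\s+(\S+)", iptables_s_output))


def dangling_rules(iptables_s_output, ip_a_output):
    """Interfaces referenced by rules that do not exist in the namespace.
    Such rules can never match, so the policy they carry is not enforced."""
    return sorted(rule_interfaces(iptables_s_output) - interfaces_in_namespace(ip_a_output))


# Dumps copied from the report (two rules per chain kept for brevity).
SNAT_IP_A = """\
110: sg-66024492-92: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:85:3b:0a brd ff:ff:ff:ff:ff:ff
"""
QROUTER_IP_A = """\
2: rfp-0cbd237f-3@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 6e:22:a5:20:18:20 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.106.114/31 scope global rfp-0cbd237f-3
109: qr-b013ad9f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:c5:cf:73 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global qr-b013ad9f-b1
"""
SNAT_RULES_BAD = """\
-A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-ov4deb36e9f
"""
SNAT_RULES_GOOD = """\
-A neutron-l3-agent-FORWARD -o sg-66024492-92 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i sg-66024492-92 -j neutron-l3-agent-ov4deb36e9f
"""
QROUTER_RULES_BAD = """\
-A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-ov4deb36e9f
"""
QROUTER_RULES_GOOD = """\
-A neutron-l3-agent-FORWARD -o rfp-0cbd237f-3 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i rfp-0cbd237f-3 -j neutron-l3-agent-ov4deb36e9f
"""

if __name__ == "__main__":
    print("expected:", expected_fwaas_devices(ROUTER_ID, SNAT_PORT_ID))
    # The wrong names in the report are what you get by feeding the gateway
    # port id to both prefixes instead of the snat port id / router id.
    print("buggy sg: ", device_name("sg-", GATEWAY_PORT_ID))
    print("buggy rfp:", device_name("rfp-", GATEWAY_PORT_ID))
    print("snat dangling:   ", dangling_rules(SNAT_RULES_BAD, SNAT_IP_A))
    print("qrouter dangling:", dangling_rules(QROUTER_RULES_BAD, QROUTER_IP_A))
```

Running the check against live namespaces only needs the two command outputs (`ip netns exec <ns> ip a` and `ip netns exec <ns> iptables -S`) fed to `dangling_rules`; a non-empty result in either DVR namespace means the firewall group's rules are attached to a name nothing will ever traverse.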
