[FWaaS-DVR] wrong port name in iptables rules

Bug #1798577 reported by Wang Weijia
This bug affects 3 people
Affects: neutron | Status: In Progress | Importance: Medium | Assigned to: Wang Weijia | Milestone: (none)

Bug Description

Bug description:
In the DVR model, when we bind an FWG to a gateway port, the port names (sg port and rfp port) in the iptables rules are wrong.

Steps:
1. Create a firewall group named fw.
2. Create a router (id: 0cbd237f-358a-4c27-8047-c50e1f7201e7) and add a subnet's gateway port (id: b013ad9f-b11f-4fd4-b458-490e3da38527) to this router.
3. Bind FWG fw to the gateway port (b013ad9f-b11f-4fd4-b458-490e3da38527).

Here is my environment:
[root@vm ~]# openstack firewall group show fw
+-------------------+-------------------------------------------+
| Field | Value |
+-------------------+-------------------------------------------+
| Description | |
| Egress Policy ID | c907b32c-b2e8-4e7f-a38a-64e5f9f11942 |
| ID | deb36e9f-0908-43c7-a51d-9a71b97fc756 |
| Ingress Policy ID | 3996f090-8e8d-48c5-a3de-4ba2c88ff935 |
| Name | fw |
| Ports | [u'b013ad9f-b11f-4fd4-b458-490e3da38527'] |
| Project | 9355437b66f64e8999e30978a7b3c33c |
| Shared | False |
| State | UP |
| Status | ACTIVE |
| project_id | 9355437b66f64e8999e30978a7b3c33c |
+-------------------+-------------------------------------------+

[root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 ip a
2: rfp-0cbd237f-3@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 6e:22:a5:20:18:20 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.106.114/31 scope global rfp-0cbd237f-3
       valid_lft forever preferred_lft forever
109: qr-b013ad9f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:c5:cf:73 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global qr-b013ad9f-b1
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fec5:cf73/64 scope link
       valid_lft forever preferred_lft forever

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 ip a
110: sg-66024492-92: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:85:3b:0a brd ff:ff:ff:ff:ff:ff

Below is the wrong place; please focus on the 'sg-' port name and the 'rfp-' port name:

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-fwaas-defau

[root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o rfp-b013ad9f-b -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i rfp-b013ad9f-b -j neutron-l3-agent-fwaas-defau

We can see that the 'sg-' port name and the 'rfp-' port name are different from the correct names.
The correct names are below:

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o sg-66024492-92 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i sg-66024492-92 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o sg-66024492-92 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i sg-66024492-92 -j neutron-l3-agent-fwaas-defau

[root@vm ~]# ip netns exec qrouter-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-FORWARD -o rfp-0cbd237f-3 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i rfp-0cbd237f-3 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o rfp-0cbd237f-3 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i rfp-0cbd237f-3 -j neutron-l3-agent-fwaas-defau

I have checked the code of the l3-agent: the 'sg-' port name comes from the port id of the snat_interface, and the 'rfp-' port name comes from the router id.
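The names in the report follow one rule that can be checked mechanically: the l3 agent prefixes a UUID ('sg-' or 'qr-' plus a port id, 'rfp-' plus a router id) and truncates the result to 14 characters, which is why rfp-0cbd237f-3 and sg-66024492-92 look the way they do. The wrong rules are what you get when the gateway port id is fed through both prefixes instead of the snat port id and the router id. The script below is an added example, not code from the reporter or from neutron; it reproduces that derivation and then does the check an operator would want after reading this bug: parse `ip a` and `iptables -S` for a namespace and list every FORWARD rule whose -i/-o interface does not exist there. Such a rule can never match, so traffic on the real sg-/rfp- interface never reaches the FWaaS chains the rule jumps to. The sample `ip a` and `iptables -S` text is copied from the report and embedded as constructed input; the function names are the example's own.

```python
import re

# Device-name length the neutron l3 agent truncates to; the 14-character names
# visible in the report (rfp-0cbd237f-3, sg-66024492-92) confirm it.
DEV_NAME_LEN = 14


def device_name(prefix, obj_id):
    """Derive the namespace device name from a prefix and a UUID.

    'sg-' and 'qr-' are prefixed to a port id, 'rfp-' to a router id; the
    result is cut to DEV_NAME_LEN, which is why only the first UUID block
    and a little of the second survive.
    """
    return (prefix + obj_id)[:DEV_NAME_LEN]


# Constructed sample input copied from the bug report's 'ip a' output.
QROUTER_IP_A = """\
2: rfp-0cbd237f-3@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 6e:22:a5:20:18:20 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.106.114/31 scope global rfp-0cbd237f-3
109: qr-b013ad9f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:c5:cf:73 brd ff:ff:ff:ff:ff:ff
"""
SNAT_IP_A = """\
110: sg-66024492-92: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN qlen 1000
    link/ether fa:16:3e:85:3b:0a brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample input: the 'iptables -S' rules from the report, wrong and corrected.
SNAT_RULES_WRONG = """\
-A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-iv4deb36e9f
-A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-ov4deb36e9f
-A neutron-l3-agent-FORWARD -o sg-b013ad9f-b1 -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i sg-b013ad9f-b1 -j neutron-l3-agent-fwaas-defau
"""
SNAT_RULES_FIXED = SNAT_RULES_WRONG.replace("sg-b013ad9f-b1", "sg-66024492-92")

# 'N: name:' or 'N: name@ifM:' at the start of a line in 'ip a' output.
_IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)", re.MULTILINE)
# Interface matches in 'iptables -S' output (short and long flag forms).
_RULE_IFACE_RE = re.compile(r"\s(?:-i|-o|--in-interface|--out-interface)\s+(\S+)")


def interfaces(ip_a_output):
    """Set of interface names present in a namespace, from 'ip a' output."""
    return set(_IFACE_RE.findall(ip_a_output))


def rule_interfaces(iptables_s_output):
    """(interface, rule) pairs for every -i/-o match in 'iptables -S' output."""
    pairs = []
    for line in iptables_s_output.splitlines():
        for name in _RULE_IFACE_RE.findall(line):
            pairs.append((name, line))
    return pairs


def dangling_rules(ip_a_output, iptables_s_output):
    """Rules whose -i/-o interface does not exist in the namespace.

    Such rules can never match, so traffic on the real interface skips the
    FWaaS chains they jump to.
    """
    present = interfaces(ip_a_output)
    return [rule for name, rule in rule_interfaces(iptables_s_output) if name not in present]


if __name__ == "__main__":
    # Show how the wrong names arise: the gateway port id under both prefixes.
    gw_port = "b013ad9f-b11f-4fd4-b458-490e3da38527"
    print("wrong sg name :", device_name("sg-", gw_port))
    print("wrong rfp name:", device_name("rfp-", gw_port))
    for rule in dangling_rules(SNAT_IP_A, SNAT_RULES_WRONG):
        print("never matches:", rule)
    print("after fix:", dangling_rules(SNAT_IP_A, SNAT_RULES_FIXED))
```

On a live node, feed `dangling_rules` the output of `ip netns exec <ns> ip a` and `ip netns exec <ns> iptables -S` for each qrouter-/snat- namespace; any non-empty result means an FWG rule is pinned to an interface that does not exist and is therefore not being enforced.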

Revision history for this message
Wang Weijia (wangweij) wrote :

I have committed the solution in this patch:
https://review.openstack.org/#/c/606007/

Welcome to review:)

Changed in neutron:
status: New → Confirmed
Revision history for this message
Yushiro FURUKAWA (y-furukawa-2) wrote :

Thanks for filing a bug. Let me check this behavior again.

Changed in neutron:
assignee: nobody → Wang Weijia (wangweij)
Changed in neutron:
importance: Undecided → Medium
Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-fwaas (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/606007
Reason: As we are going to deprecate master branch in this project this patch is not needed anymore.
