The firewall group's function fails in the DVR scene.
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | New | Undecided | Unassigned | |
Bug Description
Creating a firewall group with policies and 1 interface port.
[root@test25g04 yuanshuo1]# openstack firewall group show ys-normal-fw1
+------
| Field | Value |
+------
| Description | |
| Egress Policy ID | 0910e062-
| ID | f3b8441a-
| Ingress Policy ID | 9873dfd4-
| Name | ys-normal-fw1 |
| Ports | [u'ef283f14-
| Project | 17bf57ec04994db
| Shared | False |
| State | UP |
| Status | ACTIVE |
| created_at | 2020-04-
| project_id | 17bf57ec04994db
| revision_number | 7 |
| tags | [] |
| updated_at | 2020-04-
+------
[root@test25g04 yuanshuo1]#
[root@test25g04 yuanshuo1]# ip netns exec snat-fd339f1d-
1: lo: <LOOPBACK,
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
link/ipip 0.0.0.0 brd 0.0.0.0
6806: ha-ff2aff44-1c: <BROADCAST,
link/ether fa:16:3e:22:7e:32 brd ff:ff:ff:ff:ff:ff
inet 169.254.195.185/18 brd 169.254.255.255 scope global ha-ff2aff44-1c
valid_lft forever preferred_lft forever
inet 169.254.0.73/24 scope global ha-ff2aff44-1c
valid_lft forever preferred_lft forever
6811: sg-fa47642f-a8: <BROADCAST,
link/ether fa:16:3e:1a:06:64 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.164/24 scope global sg-fa47642f-a8
valid_lft forever preferred_lft forever
6812: qg-6c7ac163-0b: <BROADCAST,
link/ether fa:16:3e:d0:1e:70 brd ff:ff:ff:ff:ff:ff
inet 10.162.150.108/25 scope global qg-6c7ac163-0b
valid_lft forever preferred_lft forever
The chain of iptables for neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
21 1764 neutron-
0 0 neutron-
0 0 neutron-
0 0 neutron-
0 0 neutron-
But the interface sg-ef283f14-ed does not exist, so the firewall group's function fails in the DVR scene.
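A check for the condition reported above, as an added example that is not part of the original bug report or of neutron: it lists interfaces that iptables rules match on with `-i`/`-o` but that are absent from the namespace. It assumes the firewall rules select traffic by interface name; the sample data and the FORWARD rules are constructed, and only the interface names come from the report.

```sh
#!/bin/sh
# Added example. Lists interfaces that iptables rules match on (-i/-o) but that
# do not exist in the namespace. On a live node, feed it the saved output of
#   ip netns exec <namespace> ip -o link show
#   ip netns exec <namespace> iptables -S

dangling_ifaces() {   # $1: `ip -o link show` output file, $2: `iptables -S` output file
    awk '
        FILENAME == ARGV[1] {                 # first file: existing interfaces
            name = $2
            sub(/:$/, "", name)               # "sg-fa47642f-a8:" -> "sg-fa47642f-a8"
            sub(/@.*$/, "", name)             # "ip_vti0@NONE"    -> "ip_vti0"
            present[name] = 1
            next
        }
        $1 == "-A" {                          # second file: appended rules
            for (i = 3; i < NF; i++) {
                if ($i != "-i" && $i != "-o") continue
                want = $(i + 1); ok = 0
                if (substr(want, length(want)) == "+") {   # "qg-+" is a prefix wildcard
                    prefix = substr(want, 1, length(want) - 1)
                    for (n in present) if (index(n, prefix) == 1) ok = 1
                } else if (want in present) ok = 1
                if (!ok) print want "\t" $2   # missing interface, chain that uses it
            }
        }
    ' "$1" "$2" | sort -u
}

# Constructed sample input (flags and rules are illustrative, not from the report).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN
6811: sg-fa47642f-a8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 state UNKNOWN
6812: qg-6c7ac163-0b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN'
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -o sg-ef283f14-ed -j ACCEPT
-A FORWARD -i sg-ef283f14-ed -j ACCEPT
-A FORWARD -i qg-+ -j ACCEPT
-A FORWARD -o sg-fa47642f-a8 -j ACCEPT'

tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_LINKS" > "$tmp/links"
printf '%s\n' "$SAMPLE_RULES" > "$tmp/rules"
dangling_ifaces "$tmp/links" "$tmp/rules"
rm -rf "$tmp"
```

Any line it prints names an interface that rules are bound to but that traffic can never traverse, so those rules never match.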
What version of neutron/fwaas are you running? Do you have any logs from the l3 or ovs agent you could share?