Public bug reported:

Currently, we support VM port/router port to apply fwg. So we go deep into
the L2 and L3 agent implementation to process the associated port for fwg.

For this bug, I will raise an example:

Server side set fwg status
--------------------------------
http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/services/firewall/fwaas_plugin_v2.py#n79

L3 agent FW extension for "create_firewall_group"
------------------------------------
http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/services/firewall/agents/l3reference/firewall_l3_agent_v2.py#n387

L2 agent FW extension for "_create_firewall_group"
------------------------------------
http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/services/firewall/agents/l2/fwaas_v2.py#n263

That means there is a case where the fwg status could be overridden.

1. Port A and port B are in the same subnet, and its gw port is GW.
2. Port A is VM A's nic, Port B is VM B's nic.
3. VM A is located on compute Node X, VM B is located on compute Node Y.
4. Create a FWG and its ingress/egress policy/rules with port A, B, GW.

So the server side will fan out the rpc to the agent side, including the
l2/l3 agents. Then the agent side will process its local port and set the
fwg status through rpc to the server. But the existing server code just
updates the status if the request status is not a PENDING status.

This is the wrong way to process the status: if there are 2 rpcs to set the
status from agent to server, the first one is ERROR, the second one is
ACTIVE. The status is overridden.

** Affects: neutron
     Importance: Undecided
         Status: New

** Tags: fwaas

** Tags added: fwaas

https://bugs.launchpad.net/bugs/1770575

Title:
  FWG status will be overided by mutilple l2 agent

Status in neutron:
  New
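
The race described in the report, replayed as an added example (this is not code from the bug report or from neutron-fwaas). The class names, host names and the PENDING_CREATE starting value are assumptions made for illustration; the second class is one possible way to keep an ERROR visible, not the project's fix.

```python
# Added illustration: all names here are hypothetical, not neutron-fwaas APIs.

def is_pending(status):
    return status.startswith("PENDING")

class LastWriterWins:
    """Behaviour described in the report: any non-PENDING report replaces the status."""
    def __init__(self):
        self.status = "PENDING_CREATE"  # constructed starting value

    def set_status(self, host, status):
        if not is_pending(status):
            self.status = status
        return self.status

class PerAgentAggregate:
    """Keep each agent's latest report and derive the group status from all of them."""
    def __init__(self, expected_hosts):
        self.reports = {host: None for host in expected_hosts}
        self.status = "PENDING_CREATE"

    def set_status(self, host, status):
        if is_pending(status) or host not in self.reports:
            return self.status
        self.reports[host] = status
        values = list(self.reports.values())
        if "ERROR" in values:
            self.status = "ERROR"       # one failed agent marks the whole group
        elif all(v == "ACTIVE" for v in values):
            self.status = "ACTIVE"      # only once every expected agent succeeded
        return self.status

def replay(tracker, reports):
    """Feed a sequence of (host, status) reports and return the final status."""
    for host, status in reports:
        tracker.set_status(host, status)
    return tracker.status

# Constructed sample: L2 agents on Node X and Node Y plus the L3 agent for GW.
HOSTS = ["node-x-l2", "node-y-l2", "gw-l3"]
REPORTS = [("node-x-l2", "ERROR"), ("node-y-l2", "ACTIVE"), ("gw-l3", "ACTIVE")]

if __name__ == "__main__":
    print("last writer wins:", replay(LastWriterWins(), REPORTS))
    print("per-agent aggregate:", replay(PerAgentAggregate(HOSTS), REPORTS))
```
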