Hi Brian,

Thanks for your reply.
We are using the Queens release. FWaaS v2 for sure doesn't work with DVR, but without DVR it's all fine. I think the way DVR does east-west routing (across two internal subnets) would never be able to work with iptables, because it's too complex to handle. That's probably why the community is moving towards OVS rules. However, I made a few changes to the code to make the north-south firewall workable; I will push a code change sometime soon after cleanup.

Salman
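The debugging step described in the thread, checking whether the FWaaS iptables rules in a DVR router namespace reference an rfp-* interface that the namespace does not actually have, can be scripted. The block below is an added example, not code from the thread or from neutron-fwaas. It parses `iptables-save` output for `-i`/`-o` interface arguments and `ip -o link show` output for link names, then reports the interfaces the rules reference but the namespace lacks. The sample rules and links embedded here are constructed for this example; the chain names and interface IDs are made up, and `check_namespace` (which runs the two commands inside a real namespace via `ip netns exec`) is this example's own helper.

```shell
#!/bin/sh
# Added example: find iptables rules in a router namespace that reference
# interfaces which do not exist there (the symptom described in the thread).

# Constructed sample of `iptables-save` output from a DVR router namespace.
# Chain names and interface IDs are invented for this example.
SAMPLE_RULES='-A neutron-l3-agent-iv4aabbccdd -i rfp-11111111-1 -m state --state INVALID -j DROP
-A neutron-l3-agent-iv4aabbccdd -i rfp-11111111-1 -p tcp -m tcp --dport 22 -j ACCEPT
-A neutron-l3-agent-ov4aabbccdd -o qr-22222222-2 -j ACCEPT
-A neutron-l3-agent-scope -i qr-33333333-3 -j ACCEPT'

# Constructed sample of `ip -o link show` output from the same namespace.
# Note the rfp-* interface present here has a different ID than the rules use.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: rfp-99999999-9@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
3: qr-22222222-2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP'

# Print every interface named after -i or -o in iptables-save lines (stdin),
# one per line, sorted and de-duplicated.
rule_ifaces() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "-i" || $i == "-o") print $(i + 1) }' | sort -u
}

# Print the link names from `ip -o link show` output (stdin): the second
# colon-separated field, with any "@ifN" peer suffix stripped.
link_names() {
    awk -F': ' '{ sub(/@.*/, "", $2); print $2 }' | sort -u
}

# Arguments: $1 = iptables-save text, $2 = ip -o link show text.
# Prints interfaces referenced by the rules but absent from the namespace.
missing_ifaces() {
    rules_file=$(mktemp)
    links_file=$(mktemp)
    printf '%s\n' "$1" | rule_ifaces > "$rules_file"
    printf '%s\n' "$2" | link_names > "$links_file"
    # comm -23: lines only in the first (rules) file, i.e. missing links.
    comm -23 "$rules_file" "$links_file"
    rm -f "$rules_file" "$links_file"
}

# Run the check against a live router namespace (e.g. qrouter-<router-id>).
# Requires root; not executed in the stand-alone demo below.
check_namespace() {
    ns=$1
    missing_ifaces "$(ip netns exec "$ns" iptables-save)" \
                   "$(ip netns exec "$ns" ip -o link show)"
}

echo "Interfaces referenced by rules but absent from the namespace:"
missing_ifaces "$SAMPLE_RULES" "$SAMPLE_LINKS"
```

On the constructed data the script lists `qr-33333333-3` and `rfp-11111111-1`: the rules are bound to an rfp-* interface with a different ID than the one the namespace holds, which is the mismatch the thread describes. Against a real host, run `check_namespace qrouter-<router-id>` as root on the compute or network node hosting that namespace; an empty result means every interface the rules name is present.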

On Tue, Aug 27, 2019 at 10:00 PM Brian Haley <haleyb.dev@gmail.com> wrote:
Hi Salman,

On 8/21/19 2:49 PM, Salman Khan wrote:
> Hi Guys,
>
> I asked this question on the #openstack-neutron channel but didn't get any
> answer, so I am asking here in the hope that someone might read this email
> and reply.
> The problem is: I have enabled FWAAS_V2 with DVR and that doesn't seem
> to work. I debugged things down to the router namespaces and it looks like
> the iptables rules are applied to an rfp-<network-id> interface which doesn't
> exist in that namespace. So the rules are completely wrong, as they are
> applied to an interface that doesn't exist. I mean there is an rfp-*
> interface, but the <network-id> that FWaaS is expecting is not what it
> should be. I tried applying the rules to the qr-* interfaces in the
> namespace, but that didn't work either; packets are being dropped on the
> "invalid" state rule. That's probably because of the NAT rules from DVR.
> Can someone please help me to understand this behaviour? Is it really
> supposed to work or not? Is there any bug or fix pending, or is there
> any work ongoing to support this?

Can you tell me what version of neutron/neutron-fwaas you are using?

Short of that, I believe it should work. The only bug I found that seems
related and was fixed recently (end of 2018) was
https://bugs.launchpad.net/neutron/+bug/1762454 so maybe take a look at
that and see if it is the same thing.

Otherwise maybe someone on the FWaaS team has seen it?

-Brian