Hi Salman,

On 8/21/19 2:49 PM, Salman Khan wrote:
> Hi Guys,
>
> I asked this question on the #openstack-neutron channel but didn't get any answer, so I am asking here in the hope that someone might read this email and reply. The problem is: I have enabled FWAAS_V2 with DVR and that doesn't seem to work. I debugged things down to the router namespaces and it looks like the iptables rules are applied to an rfp-<network-id> interface which doesn't exist in that namespace. So the rules are completely wrong, as they are applied to an interface that doesn't exist. I mean, there is an rfp-* interface, but the <network-id> that fwaas is expecting is not what it should be. I tried applying the rules to the qr-* interfaces in the namespace but that didn't work either; packets are dropped on the "invalid" state rule. That's probably because of the NAT rules from DVR. Can someone please help me to understand this behaviour? Is it really supposed to work or not? Is there any bug or fix pending, or is there any work ongoing to support this?

Can you tell what version of neutron/neutron-fwaas you are using? Short of that, I believe it should work; the only bug I found that seems related and was fixed recently (end of 2018) was https://bugs.launchpad.net/neutron/+bug/1762454, so maybe take a look at that and see if it is the same thing. Otherwise, maybe someone on the Fwaas team has seen it?

-Brian
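
The symptom described in this thread, firewall rules bound to an interface name that is absent from the router namespace, can be checked mechanically. The following is an added example, not part of either message and not neutron code; the sample `ip -o link show` and `iptables-save` output, the interface names and the chain names are constructed.

```python
import shlex

# Constructed sample data (not taken from the thread), standing in for
# `ip -o link show` and `iptables-save` run inside a router namespace.
SAMPLE_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: rfp-aaaaaaaa-a@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
5: qr-bbbbbbbb-bb: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 state UNKNOWN
"""
SAMPLE_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o rfp-cccccccc-c -j example-fw-in
-A FORWARD -i qr-+ -j example-fw-out
-A FORWARD ! -i lo -m state --state INVALID -j DROP
COMMIT
"""

def parse_links(text):
    """Return the interface names found in `ip -o link show` output."""
    names = set()
    for line in text.splitlines():
        parts = line.split(": ", 2)
        if len(parts) >= 2 and parts[0].strip().isdigit():
            names.add(parts[1].split("@")[0])  # drop the veth peer suffix
    return names

def iface_exists(pattern, names):
    """iptables treats a trailing '+' as a prefix wildcard."""
    if pattern.endswith("+"):
        return any(n.startswith(pattern[:-1]) for n in names)
    return pattern in names

def orphaned_rules(rules_text, names):
    """Return (interface, rule) pairs whose -i/-o interface is absent."""
    flags = {"-i", "-o", "--in-interface", "--out-interface"}
    found = []
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue  # skip table headers, chain policies and COMMIT
        tokens = shlex.split(line)
        for flag, value in zip(tokens, tokens[1:]):
            if flag in flags and not iface_exists(value, names):
                found.append((value, line))
    return found

if __name__ == "__main__":
    for iface, rule in orphaned_rules(SAMPLE_RULES, parse_links(SAMPLE_LINKS)):
        print(f"no such interface {iface!r}: {rule}")
```

A rule flagged here never matches traffic, so the filtering it was meant to enforce is silently not in effect.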