FWAAS V2 doesn't work with DVR
Hi Guys,

I asked this question over the #openstack-neutron channel but didn't get any answer, so I'm asking here in the hope that someone might read this email and reply.

The problem is: I have enabled FWAAS_V2 with DVR and that doesn't seem to work. I debugged things down to the router namespaces and it looks like the iptables rules are applied to an rfp-<network-id> interface which doesn't exist in that namespace. So the rules are completely wrong, as they are applied to an interface that doesn't exist; I mean there is an rfp-* interface, but the <network-id> that FWaaS is expecting is not what it should be. I tried applying the rules to the qr-* interfaces in the namespace, but that didn't work either: packets are dropped on the "invalid" state rule. That's probably because of the NAT rules from DVR.

Can someone please help me to understand this behaviour? Is it really supposed to work or not? Is there any bug or fix pending, or any work ongoing to support this?

Regards,
Salman
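As an added example (not from the thread, and not Neutron's or neutron-fwaas's own code): a small POSIX shell check for the mismatch described above, which compares the interfaces that the namespace's iptables rules are bound to against the interfaces that actually exist in that namespace. A rule bound to a missing interface never matches, so the firewall silently filters nothing. The link and rule listings below are constructed sample data standing in for `ip -o link show` and `iptables -S` run inside the qrouter namespace; the interface ids and chain names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: report iptables rules in a DVR
# router namespace whose -i/-o interface is not present in that namespace.
#
# Constructed sample data. On a real node the two inputs would come from:
#   ip netns exec qrouter-<router-id> ip -o link show
#   ip netns exec qrouter-<router-id> iptables -S
# Interface ids and chain names are invented for this example.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: rfp-aaaa1111@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
3: qr-bbbb2222: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN'

# The first two rules are bound to rfp-cccc3333, which is not in the namespace
# (the namespace has rfp-aaaa1111); the third is bound to an existing qr- port.
SAMPLE_RULES='-A neutron-l3-agent-iv4deadbeef -i rfp-cccc3333 -m state --state INVALID -j DROP
-A neutron-l3-agent-ov4deadbeef -o rfp-cccc3333 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv4deadbeef -i qr-bbbb2222 -j ACCEPT'

# Interface names present in the namespace, one per line.
# "rfp-aaaa1111@if7" (veth peer notation) is reduced to "rfp-aaaa1111".
namespace_ifaces() {
  printf '%s\n' "$1" | awk -F': ' '{print $2}' | sed 's/@.*//'
}

# Print every rule whose -i/-o interface does not exist in the namespace.
# Usage: missing_iface_rules "$ip_link_output" "$iptables_S_output"
missing_iface_rules() {
  present=$(namespace_ifaces "$1")
  printf '%s\n' "$2" | while IFS= read -r rule; do
    # Pull the interface name following "-i " or "-o "; rules without one are skipped.
    iface=$(printf '%s\n' "$rule" | sed -n 's/.*-[io] \([^ ]*\).*/\1/p')
    [ -n "$iface" ] || continue
    if ! printf '%s\n' "$present" | grep -qxF -- "$iface"; then
      printf '%s\n' "$rule"
    fi
  done
}

# Number of such rules; anything above zero means the policy is not being
# enforced on the traffic it was written for.
count_missing_iface_rules() {
  missing_iface_rules "$1" "$2" | grep -c .
}

missing_iface_rules "$SAMPLE_LINKS" "$SAMPLE_RULES"
```

On a live node, replace the two sample variables with the real command output for the qrouter namespace in question; the check is read-only and changes nothing in the namespace.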
Hi Salman,

On 8/21/19 2:49 PM, Salman Khan wrote:
> Hi Guys,
>
> I asked this question over the #openstack-neutron channel but didn't get any answer, so I'm asking here in the hope that someone might read this email and reply.
>
> The problem is: I have enabled FWAAS_V2 with DVR and that doesn't seem to work. I debugged things down to the router namespaces and it looks like the iptables rules are applied to an rfp-<network-id> interface which doesn't exist in that namespace. So the rules are completely wrong, as they are applied to an interface that doesn't exist; I mean there is an rfp-* interface, but the <network-id> that FWaaS is expecting is not what it should be. I tried applying the rules to the qr-* interfaces in the namespace, but that didn't work either: packets are dropped on the "invalid" state rule. That's probably because of the NAT rules from DVR.
>
> Can someone please help me to understand this behaviour? Is it really supposed to work or not? Is there any bug or fix pending, or any work ongoing to support this?

Can you tell what version of neutron/neutron-fwaas you are using?

Short of that I believe it should work; the only bug I found that seems related and was fixed recently (end of 2018) was https://bugs.launchpad.net/neutron/+bug/1762454, so maybe take a look at that and see if it is the same thing.

Otherwise maybe someone on the FWaaS team has seen it?

-Brian
Hi Brian,

Thanks for your reply. We are using the Queens release. FWAAS_v2 for sure doesn't work with DVR, but without DVR it's all fine. I think the way DVR does the east-west routing (across two internal subnets) would never be able to work with iptables, because it's too complex to handle. Probably that's why the community is moving towards OVS rules. However, I made a few changes in the code to make the north-south firewall workable; I will push a code change sometime soon after cleanup.

Salman

On Tue, Aug 27, 2019 at 10:00 PM Brian Haley <haleyb.dev@gmail.com> wrote:
> Hi Salman,
>
> On 8/21/19 2:49 PM, Salman Khan wrote:
>> Hi Guys,
>>
>> I asked this question over the #openstack-neutron channel but didn't get any answer, so I'm asking here in the hope that someone might read this email and reply.
>>
>> The problem is: I have enabled FWAAS_V2 with DVR and that doesn't seem to work. I debugged things down to the router namespaces and it looks like the iptables rules are applied to an rfp-<network-id> interface which doesn't exist in that namespace. So the rules are completely wrong, as they are applied to an interface that doesn't exist; I mean there is an rfp-* interface, but the <network-id> that FWaaS is expecting is not what it should be. I tried applying the rules to the qr-* interfaces in the namespace, but that didn't work either: packets are dropped on the "invalid" state rule. That's probably because of the NAT rules from DVR.
>>
>> Can someone please help me to understand this behaviour? Is it really supposed to work or not? Is there any bug or fix pending, or any work ongoing to support this?
>
> Can you tell what version of neutron/neutron-fwaas you are using?
>
> Short of that I believe it should work; the only bug I found that seems related and was fixed recently (end of 2018) was https://bugs.launchpad.net/neutron/+bug/1762454, so maybe take a look at that and see if it is the same thing.
>
> Otherwise maybe someone on the FWaaS team has seen it?
>
> -Brian