[Openstack] Creating a FWaaS 'destroy's the router

Turbo Fredriksson turbo at bayour.com
Sat Aug 13 12:06:23 UTC 2016


I have one provider/physical network, one router and several
tenant networks (with one subnet each).

Creating instances on all of these subnets works just fine. I
can access them and they can access 'the world'.


But as soon as I create a new tenant network, a subnet on that
and then a firewall (with rules and a policy) for that network,
ALL routing (?) stops on the other networks and subnets.


Comparing the iptables rules before and after, I see that it's
adding the following rules ('-1' is before and '-2' is after):

----- s n i p -----
bladeA01:~# grep neutron-fwaas-l3-fwaas-defau netns-iptables-save.txt-[12]
netns-iptables-save.txt-2::neutron-fwaas-l3-fwaas-defau - [0:0]
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-fwaas-defau
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-fwaas-defau
netns-iptables-save.txt-2:-A neutron-fwaas-l3-fwaas-defau -j DROP
----- s n i p -----

And these are the rules I was after:

----- s n i p -----
bladeA01:~# grep neutron-fwaas-l3-iv432704c9f netns-iptables-save.txt-[12]
netns-iptables-save.txt-2::neutron-fwaas-l3-iv432704c9f - [0:0]
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-iv432704c9f
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -m state --state INVALID -j DROP
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -p tcp -m tcp --dport 80 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -p tcp -m tcp --dport 443 -j ACCEPT
bladeA01:~# grep neutron-fwaas-l3-ov432704c9f netns-iptables-save.txt-[12] 
netns-iptables-save.txt-2::neutron-fwaas-l3-ov432704c9f - [0:0]
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-ov432704c9f
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -m state --state INVALID -j DROP
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -p tcp -m tcp --dport 80 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -p tcp -m tcp --dport 443 -j ACCEPT
----- s n i p -----

See the following for the full saves:

  http://bayour.com/misc/iptables-save-1.txt
  http://bayour.com/misc/iptables-save-2.txt


I'm not sure if this is a bug or 'expected behavior', but I had kind of
expected that when I ticked/set 'shared=false' it wouldn't "mess"
with my other networks.

This is because my other networks' instances are 'protected' by security
groups, not the firewall.
--
If something's hard to do, then it's not worth doing.
- Homer Simpson
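Added example (written for this thread; not code from the post or from neutron-fwaas): a small parser for iptables-save output that walks the FORWARD path of the router namespace, flags every jump keyed only on a wildcard interface (such as qr-+) whose target chain ends in an unconditional DROP, and then reports which router ports that wildcard actually covers. The dump embedded in the block is constructed from the chains quoted above; the order of the jumps inside neutron-fwaas-l3-FORWARD and the router port names are assumptions, since neither is visible in the grep output.

```python
# Example written for this thread, not neutron-fwaas code.  SAMPLE_SAVE is
# constructed from the chains quoted in the post; the jump order inside
# neutron-fwaas-l3-FORWARD is an assumption (the grep output does not show it).
import shlex
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
:neutron-fwaas-l3-FORWARD - [0:0]
:neutron-fwaas-l3-fwaas-defau - [0:0]
:neutron-fwaas-l3-iv432704c9f - [0:0]
:neutron-fwaas-l3-ov432704c9f - [0:0]
-A FORWARD -j neutron-fwaas-l3-FORWARD
-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-iv432704c9f
-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-ov432704c9f
-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-fwaas-defau
-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-fwaas-defau
-A neutron-fwaas-l3-fwaas-defau -j DROP
-A neutron-fwaas-l3-iv432704c9f -m state --state INVALID -j DROP
-A neutron-fwaas-l3-iv432704c9f -p tcp -m tcp --dport 443 -j ACCEPT
-A neutron-fwaas-l3-ov432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-fwaas-l3-ov432704c9f -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
# Constructed port names: three tenant-network ports plus the gateway port.
ROUTER_PORTS = ["qr-1a2b3c4d-ef", "qr-5e6f7a8b-90", "qr-aabbccdd-11", "qg-99887766-55"]


@dataclass
class Rule:
    chain: str
    in_iface: str = None    # plain -i value (negated ones stay in `extra`)
    out_iface: str = None   # plain -o value
    target: str = None      # -j / -g target
    extra: list = field(default_factory=list)  # every other match token

    def unconditional(self):
        return self.in_iface is None and self.out_iface is None and not self.extra


def parse_rule(line):
    """Parse one '-A <chain> ...' line of iptables-save output."""
    tok = shlex.split(line)
    rule, i = Rule(chain=tok[1]), 2
    while i < len(tok):
        t = tok[i]
        if t == "!":                           # negated match, e.g. "! -i qg-+"
            rule.extra.append("! " + tok[i + 1])
            i += 2
        elif t in ("-i", "--in-interface"):
            rule.in_iface, i = tok[i + 1], i + 2
        elif t in ("-o", "--out-interface"):
            rule.out_iface, i = tok[i + 1], i + 2
        elif t in ("-j", "--jump", "-g", "--goto"):
            rule.target, i = tok[i + 1], i + 2
        else:
            rule.extra.append(t)
            i += 1
    return rule


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [Rule, ...]}}."""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):             # ":chain policy [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            tables[table]["policy"][name] = policy
        elif line.startswith("-A "):
            tables[table]["rules"].append(parse_rule(line))
    return tables


def iface_matches(pattern, name):
    """iptables interface semantics: a trailing '+' is a prefix wildcard."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern


def catchall_drops(tables, table="filter", base="FORWARD"):
    """Follow jumps out of `base`; return (direction, pattern, chain) for every
    jump keyed only on a wildcard interface whose target chain ends in a bare DROP."""
    by_chain = defaultdict(list)
    for r in tables[table]["rules"]:
        by_chain[r.chain].append(r)
    user_chains = {c for c, p in tables[table]["policy"].items() if p == "-"}
    found, seen, todo = [], set(), [base]
    while todo:
        chain = todo.pop()
        if chain in seen:
            continue
        seen.add(chain)
        for r in by_chain[chain]:
            if r.target not in user_chains:
                continue                       # ACCEPT/DROP/RETURN, not a chain
            todo.append(r.target)
            tail = by_chain[r.target][-1] if by_chain[r.target] else None
            drops_all = tail is not None and tail.unconditional() and tail.target == "DROP"
            for direction, pat in (("in", r.in_iface), ("out", r.out_iface)):
                if drops_all and pat and pat.endswith("+") and not r.extra:
                    found.append((direction, pat, r.target))
    return found


def affected_ports(tables, ports):
    """Map each router port to the catch-all DROP chains whose wildcard covers it."""
    hits = catchall_drops(tables)
    return {p: sorted({c for _, pat, c in hits if iface_matches(pat, p)}) for p in ports}


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_SAVE)
    for d, pat, chain in catchall_drops(parsed):
        print(f"catch-all DROP via {chain} on {d}-interface {pat}")
    for port, chains in affected_ports(parsed, ROUTER_PORTS).items():
        print(port, "covered by " + ", ".join(chains) if chains else "not covered")
```

To run it against a real router, feed the output of `ip netns exec qrouter-<router-id> iptables-save` to parse_iptables_save and pass the namespace's actual qr-/qg- interface names as the port list. The point the check makes visible is that a `+` in an iptables interface match is a prefix wildcard: a chain hung off `qr-+` applies to every internal port of that router, not only to the port of the network the firewall was created for, so any forwarded traffic that no ACCEPT rule in the per-firewall chains matches ends in the unconditional DROP of the default chain.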




