[Openstack] Creating a FWaaS 'destroy's the router

Tyler Bishop tyler.bishop at beyondhosting.net
Wed Sep 14 14:20:13 UTC 2016


Can you post your vpn_agent.ini, neutron_vpnaas.conf and neutron.conf?



----- Original Message -----
From: "Turbo Fredriksson" <turbo at bayour.com>
To: "openstack List" <openstack at lists.openstack.org>
Sent: Saturday, August 13, 2016 8:06:23 AM
Subject: [Openstack] Creating a FWaaS 'destroy's the router

I have one provider/physical network, one router and several
tenant networks (with one subnet each).

Creating instances on all of these subnets works just fine. I
can access them and they can access 'the world'.


But as soon as I create a new tenant network, a subnet on that
and then a firewall (with rules and a policy) for that network,
ALL routing (?) stops on the other networks and subnets.


Comparing the iptables rules before and after, I see that it's
adding the following rules ('-1' is before and '-2' is after):

----- s n i p -----
bladeA01:~# grep neutron-fwaas-l3-fwaas-defau netns-iptables-save.txt-[12]
netns-iptables-save.txt-2::neutron-fwaas-l3-fwaas-defau - [0:0]
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-fwaas-defau
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-fwaas-defau
netns-iptables-save.txt-2:-A neutron-fwaas-l3-fwaas-defau -j DROP
----- s n i p -----

And these are the rules I was after:

----- s n i p -----
bladeA01:~# grep neutron-fwaas-l3-iv432704c9f netns-iptables-save.txt-[12]
netns-iptables-save.txt-2::neutron-fwaas-l3-iv432704c9f - [0:0]
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-iv432704c9f
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -m state --state INVALID -j DROP
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -p tcp -m tcp --dport 80 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -p tcp -m tcp --dport 443 -j ACCEPT
bladeA01:~# grep neutron-fwaas-l3-ov432704c9f netns-iptables-save.txt-[12] 
netns-iptables-save.txt-2::neutron-fwaas-l3-ov432704c9f - [0:0]
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-ov432704c9f
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -m state --state INVALID -j DROP
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -p tcp -m tcp --dport 80 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -p tcp -m tcp --dport 443 -j ACCEPT
----- s n i p -----

See the following for the full saves:

  http://bayour.com/misc/iptables-save-1.txt
  http://bayour.com/misc/iptables-save-2.txt


I'm not sure if this is a bug or an 'expected behavior', but I had kinda
expected that when I ticked/set 'shared=false' that it wouldn't "mess"
with my other networks.

This because my other networks' instances are 'protected' by security
groups, not the firewall.
--
If something's hard to do, then it's not worth doing.
- Homer Simpson
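A small audit of the iptables-save text quoted above, as an added example that is not code from the thread or from Neutron FWaaS: it parses a dump and flags any chain that the FWaaS FORWARD hook jumps to for every router port (`-i qr-+` / `-o qr-+`) and whose only rule is an unconditional DROP, which is exactly the `neutron-fwaas-l3-fwaas-defau` chain the poster found, while the per-firewall `iv…`/`ov…` chains with address-scoped ACCEPTs are reported as scoped. The embedded rule set is constructed from the lines quoted in the post; the relative order of the jumps and the subset of iv/ov rules included are assumptions, not the poster's full dump.

```python
"""Audit an iptables-save dump for FWaaS chains that black-hole every
router port.  Added example for this thread; it is not code from the
original post or from Neutron FWaaS.  It only reads text and changes no rules.
"""
import re
from collections import defaultdict

# Constructed sample: the rules quoted in the original post, reassembled
# into iptables-save layout.  Jump order and the choice of iv/ov rules are
# assumptions, not the poster's complete dump.
SAMPLE = """\
*filter
:neutron-fwaas-l3-FORWARD - [0:0]
:neutron-fwaas-l3-fwaas-defau - [0:0]
:neutron-fwaas-l3-iv432704c9f - [0:0]
:neutron-fwaas-l3-ov432704c9f - [0:0]
-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-iv432704c9f
-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-ov432704c9f
-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-fwaas-defau
-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-fwaas-defau
-A neutron-fwaas-l3-fwaas-defau -j DROP
-A neutron-fwaas-l3-iv432704c9f -m state --state INVALID -j DROP
-A neutron-fwaas-l3-iv432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A neutron-fwaas-l3-iv432704c9f -p tcp -m tcp --dport 443 -j ACCEPT
-A neutron-fwaas-l3-ov432704c9f -m state --state INVALID -j DROP
-A neutron-fwaas-l3-ov432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
-A neutron-fwaas-l3-ov432704c9f -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r'^-A (\S+)(.*?)-j (\S+)\s*$')   # -A <chain> <match> -j <target>
WILDCARD_PORT = re.compile(r'-[io] qr-\+')           # matches every router port
SCOPED_ADDR = re.compile(r'-[sd] \S+')               # rule limited to a src/dst address


def parse_save(text):
    """Return {chain: [(match_spec, target), ...]} in dump order."""
    chains = defaultdict(list)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:   # ':chain' declarations, '*table' and 'COMMIT' are skipped
            chains[m.group(1)].append((m.group(2).strip(), m.group(3)))
    return dict(chains)


def unconditional_drop(rules):
    """True when a chain's rules are nothing but a bare, unmatched DROP."""
    return bool(rules) and all(spec == '' and tgt == 'DROP' for spec, tgt in rules)


def audit(text, hook='neutron-fwaas-l3-FORWARD'):
    """Classify every chain reached from the FWaaS FORWARD hook.

    Returns {chain: verdict} with verdict one of:
      'blackhole' - reached for every qr-+ port and drops unconditionally,
                    so it affects routers/networks outside the firewall
      'scoped'    - carries address-scoped ACCEPTs (a tenant firewall chain)
      'other'     - anything else
    """
    chains = parse_save(text)
    verdicts = {}
    for spec, target in chains.get(hook, []):
        rules = chains.get(target, [])
        if WILDCARD_PORT.search(spec) and unconditional_drop(rules):
            verdicts[target] = 'blackhole'
        elif any(SCOPED_ADDR.search(s) and t == 'ACCEPT' for s, t in rules):
            verdicts[target] = 'scoped'
        else:
            verdicts[target] = 'other'
    return verdicts


if __name__ == '__main__':
    for chain, verdict in audit(SAMPLE).items():
        print(f'{verdict:10} {chain}')
```

To check a live router, feed it the output of `ip netns exec qrouter-<router-id> iptables-save` instead of the embedded sample; a `blackhole` verdict on a chain jumped to for `qr-+` means the rule is not confined to the firewalled tenant's ports.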

