Can you post your vpn_agent.ini, neutron_vpnaas.conf and neutron.conf?
----- Original Message -----
From: "Turbo Fredriksson" <[email protected]>
To: "openstack List" <[email protected]>
Sent: Saturday, August 13, 2016 8:06:23 AM
Subject: [Openstack] Creating a FWaaS 'destroy's the router

I have one provider/physical network, one router and several tenant networks (with one subnet each). Creating instances on all of these subnets works just fine. I can access them and they can access 'the world'.

But as soon as I create a new tenant network, a subnet on that and then a firewall (with rules and a policy) for that network, ALL routing (?) stops on the other networks and subnets.

Comparing the iptables rules before and after, I see that it's adding the following rules ('-1' is before and '-2' is after):

----- s n i p -----
bladeA01:~# grep neutron-fwaas-l3-fwaas-defau netns-iptables-save.txt-[12]
netns-iptables-save.txt-2::neutron-fwaas-l3-fwaas-defau - [0:0]
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-fwaas-defau
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-fwaas-defau
netns-iptables-save.txt-2:-A neutron-fwaas-l3-fwaas-defau -j DROP
----- s n i p -----

And these are the rules I was after:

----- s n i p -----
bladeA01:~# grep neutron-fwaas-l3-iv432704c9f netns-iptables-save.txt-[12]
netns-iptables-save.txt-2::neutron-fwaas-l3-iv432704c9f - [0:0]
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-iv432704c9f
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -m state --state INVALID -j DROP
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -p tcp -m tcp --dport 80 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -p tcp -m tcp --dport 443 -j ACCEPT
bladeA01:~# grep neutron-fwaas-l3-ov432704c9f netns-iptables-save.txt-[12]
netns-iptables-save.txt-2::neutron-fwaas-l3-ov432704c9f - [0:0]
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-ov432704c9f
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -m state --state INVALID -j DROP
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -p tcp -m tcp --dport 80 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -p tcp -m tcp --dport 443 -j ACCEPT
----- s n i p -----

See the following for the full saves:

http://bayour.com/misc/iptables-save-1.txt
http://bayour.com/misc/iptables-save-2.txt

I'm not sure if this is a bug or 'expected behavior', but I had kind of expected that when I ticked/set 'shared=false' it wouldn't "mess" with my other networks. This is because my other networks' instances are 'protected' by security groups, not the firewall.
--
If something's hard to do, then it's not worth doing.
                                - Homer Simpson

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
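The rules Turbo posted can be walked by hand, but a small simulator makes the effect on the other subnets concrete. The script below is an added example, not neutron-fwaas code and not part of the original thread: it loads the posted chains verbatim and pushes a few constructed packets through neutron-fwaas-l3-FORWARD. The interface names (qr-fw, qr-other, qr-third, qg-ext), the 10.104/10.105 tenant subnets and the 203.0.113.10 external host are assumptions, and so is the relative order of the four jumps inside neutron-fwaas-l3-FORWARD, which the grep output does not show (the per-firewall chains are placed ahead of the default chain here). What it demonstrates is that `-i qr-+` / `-o qr-+` match every tenant-side port in the router namespace, so any NEW flow on any subnet of that router that is not accepted by the iv/ov chains ends in neutron-fwaas-l3-fwaas-defau and is dropped.

```python
"""Walk constructed packets through the FWaaS chains posted above.

Added example, not neutron-fwaas code. It implements just enough of
iptables semantics for the matchers seen in the post: -i/-o interface
names (with the trailing '+' prefix wildcard), -s/-d CIDRs, -p, --dport,
-m state --state, and -j to ACCEPT, DROP or a user chain.
"""
import ipaddress
import shlex

# Jumps transcribed from the post. ASSUMPTION: the grep output does not
# show the relative order inside neutron-fwaas-l3-FORWARD; the order below
# puts the per-firewall chains ahead of the default chain.
FORWARD_RULES = """
-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-iv432704c9f
-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-ov432704c9f
-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-fwaas-defau
-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-fwaas-defau
-A neutron-fwaas-l3-fwaas-defau -j DROP
"""

# The iv chain exactly as posted; the ov chain in the post carries
# identical rules, so it is derived by renaming.
IV_RULES = """
-A neutron-fwaas-l3-iv432704c9f -m state --state INVALID -j DROP
-A neutron-fwaas-l3-iv432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
-A neutron-fwaas-l3-iv432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A neutron-fwaas-l3-iv432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
-A neutron-fwaas-l3-iv432704c9f -p tcp -m tcp --dport 80 -j ACCEPT
-A neutron-fwaas-l3-iv432704c9f -p tcp -m tcp --dport 443 -j ACCEPT
"""
RULES = FORWARD_RULES + IV_RULES + IV_RULES.replace("-iv432704c9f", "-ov432704c9f")

TERMINAL = {"ACCEPT", "DROP"}


def parse(text):
    """Return {chain: [rule, ...]}, keeping rule order within each chain."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] != "-A":
            raise ValueError("only -A lines are supported: " + line)
        chain, rule = tok[1], {}
        for flag, val in zip(tok[2::2], tok[3::2]):
            if flag == "-m":            # match-extension loader, no effect on matching here
                continue
            if flag in ("-s", "-d"):
                val = ipaddress.ip_network(val)
            elif flag == "--dport":
                val = int(val)
            elif flag == "--state":
                val = set(val.split(","))
            rule[flag] = val
        chains.setdefault(chain, []).append(rule)
    return chains


def iface_match(pattern, name):
    """iptables: a trailing '+' matches any interface name with that prefix."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def matches(rule, pkt):
    checks = {
        "-i": lambda v: iface_match(v, pkt["iif"]),
        "-o": lambda v: iface_match(v, pkt["oif"]),
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in v,
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in v,
        "-p": lambda v: v == pkt["proto"],
        "--dport": lambda v: v == pkt["dport"],
        "--state": lambda v: pkt["state"] in v,
    }
    return all(checks[flag](val) for flag, val in rule.items() if flag != "-j")


def walk(chains, chain, pkt):
    """ACCEPT/DROP if a terminal rule fires, None if the packet falls off the end."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        verdict = target if target in TERMINAL else walk(chains, target, pkt)
        if verdict is not None:
            return verdict
    return None


CHAINS = parse(RULES)


def verdict(pkt):
    """Verdict of neutron-fwaas-l3-FORWARD; CONTINUE means no FWaaS rule decided."""
    return walk(CHAINS, "neutron-fwaas-l3-FORWARD", pkt) or "CONTINUE"


def pkt(src, dst, dport, iif, oif, proto="tcp", state="NEW"):
    return dict(src=src, dst=dst, dport=dport, iif=iif, oif=oif, proto=proto, state=state)


# Constructed traffic (assumed names). qr-* are the router's tenant-side
# ports; only qr-fw serves the firewalled 10.103.0.0/24. qg-ext stands for
# the external gateway port; 10.104/10.105 are other tenants on the same router.
SCENARIOS = {
    "firewalled tenant: ssh out":   pkt("10.103.0.7", "203.0.113.10", 22, "qr-fw", "qg-ext"),
    "other tenant: https out":      pkt("10.104.0.5", "203.0.113.10", 443, "qr-other", "qg-ext"),
    "other tenant: ssh out":        pkt("10.104.0.5", "203.0.113.10", 22, "qr-other", "qg-ext"),
    "other tenant: reply in":       pkt("203.0.113.10", "10.104.0.5", 51000, "qg-ext", "qr-other", state="ESTABLISHED"),
    "other tenant to third: mysql": pkt("10.104.0.5", "10.105.0.9", 3306, "qr-other", "qr-third"),
}


def simulate():
    return {name: verdict(p) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for name, v in simulate().items():
        print(f"{v:8} {name}")
```

Running it shows the firewalled subnet's SSH and every subnet's HTTP/HTTPS still accepted, while a NEW SSH flow from 10.104.0.5 and an east-west MySQL connection between two non-firewalled subnets both fall off the end of the ov/iv chains and hit the DROP in neutron-fwaas-l3-fwaas-defau, because the jump into that chain is keyed on the wildcard qr-+ rather than on the firewalled subnet's port.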
