Public bug reported:

Bug description: the scenario: the security group is enabled and its firewall_driver = openvswitch; fwaas is enabled and its firewall_l2_driver = noop (the default). If I create a new vm, the default FWG will be bound on this vm's port automatically. However, firewall_l2_driver = noop and I don't want to use fwaas in L2. This bug is caused by the judgment in the _is_supported_by_fw_l2_driver method.

My environment is below:

[root@vm neutron]# cat plugins/ml2/openvswitch_agent.ini
[securitygroup]
firewall_driver = openvswitch
enable_security_group = true

[root@vm neutron]# cat l3_agent.ini
[DEFAULT]
verbose = true
interface_driver = openvswitch
agent_mode = dvr_snat
[agent]
extensions = fwaas_v2
[fwaas]
agent_version = v2
driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
enabled = True

Steps:
Create a new vm (port id: e822d587-5a4d-4124-9c31-a113d773cea8).
Then the default firewall group was bound on the vm's port automatically:

[root@vm neutron]# openstack firewall group show 7a5265b4-e69b-4633-af34-2224a10c1e90
+-------------------+-------------------------------------------+
| Field             | Value                                     |
+-------------------+-------------------------------------------+
| Description       | Default firewall group                    |
| Egress Policy ID  | 1747c29b-0a7c-4bda-b362-8e9870a96724      |
| ID                | 7a5265b4-e69b-4633-af34-2224a10c1e90      |
| Ingress Policy ID | 5d3cfbff-7c84-4c55-85b4-170cdbc09c35      |
| Name              | default                                   |
| Ports             | [u'e822d587-5a4d-4124-9c31-a113d773cea8'] |
| Project           | 9355437b66f64e8999e30978a7b3c33c          |
| Shared            | False                                     |
| State             | UP                                        |
| Status            | ACTIVE                                    |
| project_id        | 9355437b66f64e8999e30978a7b3c33c          |
+-------------------+-------------------------------------------+

Here is every scenario of security group and fwaas:

|ID|firewall_l2_driver | security_group | _is_supported_by_fw_l2_driver|
|:-|:------------------|:---------------|:-----------------------------|
|1 |noop               | openvswitch    | True                         |
|2 |noop               | others(*1)     | False                        |
|3 |openvswitch        | openvswitch    | False                        |
|4 |openvswitch        | others         | True                         |

The correct behaviour is as follows:

|firewall_l2_driver | security_group | _is_supported_by_fw_l2_driver|
|:------------------|:---------------|:-----------------------------|
|noop               | openvswitch    | False                        |
|noop               | others(*1)     | False                        |
|openvswitch        | openvswitch    | False                        |
|openvswitch        | others         | True                         |

** Affects: neutron
   Importance: Undecided
   Status: New

-- 
You
received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1798713

Title:
  [fwaas] wrong judgment in _is_supported_by_fw_l2_driver method

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1798713/+subscriptions
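The risk in the report is a port that appears protected by a default firewall group while the fwaas L2 driver is noop and enforces nothing. As an added illustration (not neutron-fwaas code and not the reporter's), the two tables above are encoded as predicates and checked against config text modelled on the environment shown; the FWAAS_INI snippet, its file location and all function names are assumptions made here:

```python
import configparser

# Constructed config text modelled on the reporter's openvswitch_agent.ini.
OVS_AGENT_INI = """
[securitygroup]
firewall_driver = openvswitch
enable_security_group = true
"""

# Hypothetical: the report does not show which file holds
# firewall_l2_driver = noop, so this snippet is an assumption.
FWAAS_INI = """
[fwaas]
firewall_l2_driver = noop
"""

def reported_is_supported(fw_l2_driver, sg_driver):
    """Outcome the reporter observed (first table, rows 1-4)."""
    if fw_l2_driver == "noop":
        return sg_driver == "openvswitch"   # row 1 True, row 2 False
    return sg_driver != "openvswitch"       # row 3 False, row 4 True

def expected_is_supported(fw_l2_driver, sg_driver):
    """Outcome the reporter says is correct (second table): a port is an
    fwaas L2 candidate only when a real L2 driver is configured and the
    security-group driver is not already openvswitch."""
    return fw_l2_driver != "noop" and sg_driver != "openvswitch"

def drivers_from_config(ovs_agent_ini, fwaas_ini):
    """Read the two driver settings the decision depends on."""
    ovs, fw = configparser.ConfigParser(), configparser.ConfigParser()
    ovs.read_string(ovs_agent_ini)
    fw.read_string(fwaas_ini)
    return (fw.get("fwaas", "firewall_l2_driver", fallback="noop"),
            ovs.get("securitygroup", "firewall_driver", fallback="noop"))

def disagreements():
    """Scenarios on which the observed and expected predicates differ."""
    return [(l2, sg)
            for l2 in ("noop", "openvswitch")
            for sg in ("openvswitch", "others")
            if reported_is_supported(l2, sg) != expected_is_supported(l2, sg)]

if __name__ == "__main__":
    l2, sg = drivers_from_config(OVS_AGENT_INI, FWAAS_INI)
    print(l2, sg, "bound today:", reported_is_supported(l2, sg),
          "should be:", expected_is_supported(l2, sg))
    print("disagreements:", disagreements())
```

Run against the reporter's settings it reports scenario 1 as the only row where the observed outcome and the expected outcome differ.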