** Changed in: neutron
       Status: Fix Committed => Fix Released

** Changed in: neutron
    Milestone: None => liberty-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1447435

Title:
  FWaaS - Missing port-range validation for firewall-rule

Status in OpenStack Neutron (virtual network service):
  Fix Released

Bug description:
  When we create/update a firewall-rule, a part of the port_range validation
  doesn't exist.

  [Problem]
    When we create a firewall with a firewall-policy which includes the following firewall-rules, the firewall is created.
    But the status is still "PENDING_CREATE" and an error is logged in l3-agent.log while inserting the firewall-rules into iptables.
    (Please see 'Error in l3-agent.log')

  [req_body when create firewall-rule]
  ** The POINT is reversing "min_port" and "max_port" of
     "source_port" or "destination_port" **

    {
      "firewall_rule":
      {
        "name": "my_rule",
        "action": "deny",
        "protocol": "tcp",
        "source_port": "20000:100"
      }
    }

    Normal case:
      source_port: "100:20000"
        => It means the port number from 100(min_port) to 20000(max_port)
    Illegal case:
      source_port: "20000:100"
        => min_port is bigger than max_port.  Then, 

  [Error in l3-agent.log]
  ERROR neutron.agent.linux.utils [req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 
None]
  Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 
'netns', 'exec', 'qrouter-9e881ef8-aac9-481b-9591-382a284c9e00', 
'iptables-restore', '-c']
  Exit code: 2
  Stdout: ''
  Stderr: "iptables-restore v1.4.21: invalid portrange (min > max)\nError 
occurred at line: 35\nTry `iptables-restore -h' or 'iptables-restore --help' 
for more information.\n"
  ERROR neutron.agent.linux.iptables_manager 
[req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None] IPTablesManager.apply failed to 
apply the following set of iptables rules:
        1. # Generated by iptables-save v1.4.21 on Thu Apr 23 12:08:55 2015
        ...(abbr)...
       35. [0:0] -A neutron-l3-agent-iv4edfbec43 -p tcp  --sport 20000:100   -j 
DROP
       36. [0:0] -A neutron-l3-agent-ov4edfbec43 -p tcp  --sport 20000:100   -j 
DROP
        ...(abbr)...
       68. :INPUT ACCEPT [0:0]
  ERROR neutron.services.firewall.drivers.linux.iptables_fwaas 
[req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None] Failed to create firewall: 
edfbec43-870e-43cb-80ed-0c4bb162fe18
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Traceback (most 
recent call last):
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas   File 
"/usr/lib/python2.7/site-packages/neutron/services/firewall/drivers/linux/iptables_fwaas.py",
 line 56, in create_firewall
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas     
self._setup_firewall(agent_mode, apply_list, firewall)
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas   File 
"/usr/lib/python2.7/site-packages/neutron/services/firewall/drivers/linux/iptables_fwaas.py",
 line 164, in _setup_firewall
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas     
ipt_mgr.defer_apply_off()
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas   File 
"/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", 
line 373, in defer_apply_off
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas     self._apply()
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas   File 
"/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", 
line 389, in _apply
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas     return 
self._apply_synchronized()
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas   File 
"/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", 
line 444, in _apply_synchronized
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas     
'\n'.join(log_lines))
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas   File 
"/usr/lib/python2.7/site-packages/neutron/openstack/common/excutils.py", line 
82, in __exit__
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas     
six.reraise(self.type_, self.value, self.tb)
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas   File 
"/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", 
line 423, in _apply_synchronized
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas     
root_helper=self.root_helper)
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas   File 
"/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 84, in 
execute
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas     raise 
RuntimeError(m)
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas RuntimeError:
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Command: 
['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 
'exec', 'qrouter-9e881ef8-aac9-481b-9591-382a284c9e00', 'iptables-restore', 
'-c']
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Exit code: 2
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Stdout: ''
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Stderr: 
"iptables-restore v1.4.21: invalid portrange (min > max)\nError occurred at 
line: 35\nTry `iptables-restore -h' or 'iptables-restore --help' for more 
information.\n"
  TRACE neutron.services.firewall.drivers.linux.iptables_fwaas
  ERROR neutron.services.firewall.agents.l3reference.firewall_l3_agent 
[req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None] Firewall Driver Error for 
create_firewall for fw: edfbec43-870e-43cb-80ed-0c4bb162fe18
  ERROR neutron.agent.linux.utils [req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 
None]

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1447435/+subscriptions
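A port-range validator of the kind the report says the API was missing, as an added example: this is not neutron's code and not the fix that landed for this bug, only an illustration of the check that rejects "20000:100" at create/update time instead of letting it reach iptables-restore on the L3 agent. The names InvalidPortRange, validate_port_range, iptables_port_arg and check_rule are hypothetical, and the 1..65535 bound is an assumption.

```python
"""Port-range validation for FWaaS-style firewall_rule bodies (added example)."""
import re

# Hypothetical exception type standing in for the API's validation error.
class InvalidPortRange(ValueError):
    pass

# A single port ("80") or an inclusive range ("100:20000").
_PORT_RANGE_RE = re.compile(r'^(\d{1,5})(?::(\d{1,5}))?$')

def validate_port_range(value):
    """Return (min_port, max_port) for a port string, or None if unspecified.

    Rejects non-numeric input, ports outside 1..65535 (assumed bound), and
    min > max, which is the case the report shows reaching iptables-restore.
    """
    if value is None:
        return None  # port unspecified: the rule matches any port
    m = _PORT_RANGE_RE.match(str(value).strip())
    if not m:
        raise InvalidPortRange("port range %r is not 'port' or 'min:max'" % (value,))
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    for p in (lo, hi):
        if not 1 <= p <= 65535:
            raise InvalidPortRange("port %d is outside 1..65535" % p)
    if lo > hi:
        # Exactly the input from the report: "20000:100".
        raise InvalidPortRange("port range %d:%d has min > max" % (lo, hi))
    return lo, hi

def iptables_port_arg(flag, value):
    """Build the '--sport N[:M]' fragment only from a validated range."""
    rng = validate_port_range(value)
    if rng is None:
        return ""
    lo, hi = rng
    return "%s %d" % (flag, lo) if lo == hi else "%s %d:%d" % (flag, lo, hi)

def check_rule(rule):
    """Validate a firewall_rule body; return a list of error strings (empty if OK)."""
    errors = []
    for key in ("source_port", "destination_port"):
        try:
            validate_port_range(rule.get(key))
        except InvalidPortRange as e:
            errors.append("%s: %s" % (key, e))
    return errors

# Constructed sample: the req_body from the bug report.
BAD_RULE = {"name": "my_rule", "action": "deny", "protocol": "tcp",
            "source_port": "20000:100"}
```

Rejecting the body in the API keeps the iptables-restore error ("invalid portrange (min > max)") from ever being generated, so the firewall never sits in PENDING_CREATE for this reason.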
