Submitter: Zuul
Branch:    master

commit 66d4431f990b2da0d3b42493a499ab67e9a0020a
Author: Nguyen Phuong An <>
Date:   Wed Jan 31 14:54:53 2018 +0700

    Remove disable option for default FWG and allow only on VM ports

    Currently, auto associate default FWG works only one time and the logic
    is broken if the new port is a DHCP port or router port. This patch
    fixes the problem by validating whether a port is a VM port or not,
    ignores ports that are binding-failed or unbound, and also adds trusted
    port handling. In addition, from a security perspective, the
    'auto_associate_default_firewall_group' CfgOpt is no longer used.
    Automatic association of the default firewall group with VM ports
    works by default.

    Closes-Bug: #1746404
    Co-Authored-By: Yushiro FURUKAWA<>
    Co-Authored-By: Chandan Dutta Chowdhury<>
    Change-Id: Ib567c0e0333335a99b851162d87f17f1a8ceb2dd

** Changed in: neutron
       Status: In Progress => Fix Released


  'auto_associate_default_firewall_group'  got an error when new port is

Status in neutron:
  Fix Released

Bug description:
  If we create a new port (bound somewhere) under the following
  conditions, an error occurs.

  Jan 31 11:30:00 furukawa-verify-devstack neutron-server[25204]: DEBUG 
neutron_fwaas.db.firewall.v2.firewall_db_v2 [None 
req-f3c0994c-1547-410a-8bf8-b4b459e0dfba None None] get_firewall_group() called 
  pid=25213) get_firewall_group 
  Jan 31 11:30:00 furukawa-verify-devstack neutron-server[25204]: ERROR 
neutron_lib.callbacks.manager [None req-f3c0994c-1547-410a-8bf8-b4b459e0dfba 
None None] Error during notification for neutron_fwaas.s
 port, after_create: PortNotFound: Port c could not be found.

  It was due to the following:

  1. Validation of whether the created port is for a VM or not is missing
  2. It should be a list of port IDs, but it is a string of the port ID

  [How to reproduce]
  1. Deploy the latest devstack with q-fwaas-v2
  2. Configure the following setting
        auto_associate_default_firewall_group = True
  3. Restart q-svc
  4. Run the following commands

      $ neutron net-create test
      $ neutron subnet-create test

  Then a DHCP port will be created and an error occurs on q-svc.  You
  can see it with

      $ sudo journalctl -f -u devstack@q-svc.service
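
The two causes listed in the bug description, as an added Python sketch (not neutron-fwaas code and not part of the original report). The helper names and sample ports are hypothetical; it assumes VM ports carry a device_owner starting with "compute:" and that a bare string ID gets iterated character by character, which would yield an error of the form seen in the log.

```python
# Added illustration, not neutron-fwaas code. Helper names are hypothetical;
# 'device_owner' and 'binding:vif_type' are Neutron port attributes.
COMPUTE_PREFIX = "compute:"  # device_owner prefix used for VM ports
UNUSABLE_VIF_TYPES = {"binding_failed", "unbound"}

# Constructed sample ports (IDs are made up).
VM_PORT = {"id": "c1d2e3f4-0000-4000-8000-000000000001",
           "device_owner": "compute:nova", "binding:vif_type": "ovs"}
DHCP_PORT = {"id": "c1d2e3f4-0000-4000-8000-000000000002",
             "device_owner": "network:dhcp", "binding:vif_type": "ovs"}
UNBOUND_VM_PORT = {**VM_PORT, "binding:vif_type": "unbound"}
KNOWN = {p["id"]: p for p in (VM_PORT, DHCP_PORT)}


def is_vm_port(port):
    """Cause 1: only bound ports owned by a compute instance qualify."""
    owner = port.get("device_owner") or ""
    if not owner.startswith(COMPUTE_PREFIX):
        return False  # DHCP, router and unowned ports are skipped
    return port.get("binding:vif_type") not in UNUSABLE_VIF_TYPES


def lookup_ports(port_ids, known_ports):
    """Stand-in for the port lookup: fail on the first unknown ID."""
    for port_id in port_ids:
        if port_id not in known_ports:
            raise LookupError("Port %s could not be found." % port_id)
    return [known_ports[port_id] for port_id in port_ids]


def ports_to_associate(port, known_ports):
    """Cause 2: hand the lookup a list of IDs, never a bare string."""
    if not is_vm_port(port):
        return []
    port_ids = [port["id"]]
    lookup_ports(port_ids, known_ports)
    return port_ids


def error_from_bare_string(port, known_ports):
    """Pass the ID as a string; iteration then yields single characters."""
    try:
        lookup_ports(port["id"], known_ports)
    except LookupError as exc:
        return str(exc)
    return None
```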
