[Expired for neutron because there has been no activity for 60 days.]
** Changed in: neutron
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1799885
Title:
[FWaaS]Firewall rule for fip's DNAT traffic, destination address
should be this fip
Status in neutron:
Expired
Bug description:
When we write a firewall group rule which limits a fip's DNAT traffic, for
example when we want to accept the traffic into a VM bound to a fip, the rule's
destination address currently has to be the VM's intranet IP address (not the
fip's IP address).
However, if we associate this fip with another VM, the earlier firewall group
rule will be wrong, because we just want to restrict the traffic into this fip.
We have to change the firewall group rule's destination address to the other
VM's intranet IP.
So every time we change the fip association, we have to change the firewall
group rule's destination address.
Analysis:
Iptables processes DNAT in the PREROUTING chain of the nat table, which runs
before the FORWARD chain of the filter table.
So if we write a firewall rule to limit a fip's DNAT traffic, the destination
address must be an intranet IP.
Essentially, if we want to write a firewall group rule to limit an IP's DNAT
traffic, we can only limit an intranet IP address, not a fip's IP address.
Scenario:
We want to accept the traffic to a fip's (166.166.166.5) port 80:
1. Associate a fip 166.166.166.5 with a VM (intranet IP: 192.168.1.10)
2. Create a firewall group, policy and rule
3. Associate the fwg with the router (0cbd237f-358a-4c27-8047-c50e1f7201e7)
[root@vm ~]# openstack firewall group rule show 055af78e-ef12-4225-8236-8ef703026aad
+------------------------+-------------------------------------------+
| Field | Value |
+------------------------+-------------------------------------------+
| Action | allow |
| Description | |
| Destination IP Address | 192.168.1.10 |
| Destination Port | 80 |
| Enabled | True |
| ID | 055af78e-ef12-4225-8236-8ef703026aad |
| IP Version | 4 |
| Name | in-192.168.1.10-80-allow |
| Project | 9355437b66f64e8999e30978a7b3c33c |
| Protocol | tcp |
| Shared | False |
| Source IP Address | None |
| Source Port | None |
| firewall_policy_id | [u'3996f090-8e8d-48c5-a3de-4ba2c88ff935'] |
| project_id | 9355437b66f64e8999e30978a7b3c33c |
+------------------------+-------------------------------------------+
# 3996f090-8e8d-48c5-a3de-4ba2c88ff935 is the ingress policy
[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-iv4deb36e9f -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -t nat -S
-A neutron-l3-agent-PREROUTING -d 166.166.166.5/32 -j DNAT --to-destination 192.168.1.10
4. Associate the fip 166.166.166.5 with another VM (intranet IP: 192.168.1.11)
[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-iv4deb36e9f -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -t nat -S
-A neutron-l3-agent-PREROUTING -d 166.166.166.5/32 -j DNAT --to-destination 192.168.1.11
5. This firewall rule loses efficacy
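The ordering the report's Analysis describes, as an added example that is not part of the bug report or of neutron: a small model of a router namespace where nat PREROUTING applies DNAT before filter FORWARD is evaluated, run through the five-step scenario above. It also models iptables' `-m conntrack --ctorigdst` match (a real iptables match the page itself does not propose), which tests the pre-NAT destination and is the kind of match that survives a fip re-association.

```python
"""Model of netfilter chain ordering for fip DNAT + FWaaS filter rules.

Added example; constructed model, not neutron code. Addresses are the
ones used in the bug report's scenario.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIP = "166.166.166.5"
VM_A, VM_B = "192.168.1.10", "192.168.1.11"


@dataclass(frozen=True)
class FilterRule:
    dport: int
    dst: Optional[str] = None        # like "-d X": matches post-DNAT destination
    ctorigdst: Optional[str] = None  # like "--ctorigdst X": pre-DNAT destination

    def matches(self, orig_dst: str, nat_dst: str, dport: int) -> bool:
        if self.dport != dport:
            return False
        if self.dst is not None and self.dst != nat_dst:
            return False
        if self.ctorigdst is not None and self.ctorigdst != orig_dst:
            return False
        return True


def forward_accepts(dnat: Dict[str, str], rules: List[FilterRule],
                    dst: str, dport: int) -> bool:
    """nat PREROUTING (DNAT) runs first; filter FORWARD then sees the
    rewritten address. No matching rule means the packet is dropped."""
    nat_dst = dnat.get(dst, dst)
    return any(r.matches(dst, nat_dst, dport) for r in rules)


def scenario(rule: FilterRule) -> Tuple[bool, bool]:
    """Result for a packet to FIP:80 before (fip on VM_A) and after
    (fip moved to VM_B) the re-association in steps 3 and 4."""
    before = forward_accepts({FIP: VM_A}, [rule], FIP, 80)
    after = forward_accepts({FIP: VM_B}, [rule], FIP, 80)
    return before, after


if __name__ == "__main__":
    print(scenario(FilterRule(dport=80, dst=VM_A)))        # (True, False)
    print(scenario(FilterRule(dport=80, dst=FIP)))         # (False, False)
    print(scenario(FilterRule(dport=80, ctorigdst=FIP)))   # (True, True)
```

The second line of output shows why a rule written against the fip address never matches in FORWARD; the third shows that keying on the original (pre-NAT) destination keeps working after the fip moves.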