FWAAS V2 doesn't work with DVR

Hi Brian,

Thanks for your reply.
We are using the Queens release. FWAAS_v2 for sure doesn't work with DVR, but
without DVR it's all fine. I think the way DVR does the east-west routing
(across two internal subnets) would never be able to work with iptables,
because it's too complex to handle. Probably that's why the community is
moving towards OVS rules. However, I made a few changes in the code to make
the north-south firewall workable, and will push a code change sometime soon
after cleanup.


On Tue, Aug 27, 2019 at 10:00 PM Brian Haley <haleyb.dev at gmail.com> wrote:

> Hi Salman,
> On 8/21/19 2:49 PM, Salman Khan wrote:
> > Hi Guys,
> >
> > I asked this question over the #openstack-neutron channel but didn't get any
> > answer, so I'm asking here in the hope that someone might read this email and
> > reply.
> > The problem is: I have enabled FWAAS_V2 with DVR and that doesn't seem
> > to work. I debugged things down to the router namespaces and it looks like
> > the iptables rules are applied to an rfp-<network-id> interface which doesn't
> > exist in that namespace. So the rules are completely wrong as they are
> > applied to an interface that doesn't exist. I mean, there is an rfp-*
> > interface, but the <network-id> that fwaas is expecting is not what it
> > should be. I tried applying the rules to the qr-* interfaces in the
> > namespace but that didn't work either; packets are dropped by the
> > "invalid" state rule. That's probably because of the NAT rules from DVR.
> > Can someone please help me understand this behaviour? Is it really
> > supposed to work or not? Is there any bug or fix pending, or is there
> > any work ongoing to support this?
> Can you tell what version of neutron/neutron-fwaas you are using?
> Short of that, I believe it should work; the only bug I found that seems
> related and was fixed recently (end of 2018) was
> https://bugs.launchpad.net/neutron/+bug/1762454, so maybe take a look at
> that and see if it is the same thing.
> Otherwise maybe someone on the FWaaS team has seen it?
> -Brian
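The symptom Salman describes (firewall rules bound to an rfp-* interface that does not exist in the router namespace) can be checked mechanically by comparing the interfaces named in `iptables-save` output against the links present in the namespace. The following is an added example, not code from this thread or from neutron-fwaas; the `ip -o link show` and `iptables-save` samples are constructed, and the interface names and chain names in them are made up.

```python
import re
import shlex

# Constructed sample of `ip -o link show` run inside a DVR router namespace.
SAMPLE_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: rfp-aaaa1111-22@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: qr-bbbb2222-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
"""

# Constructed sample in iptables-save format; the rfp- id here does not
# match the rfp- link above, which is the mismatch being diagnosed.
SAMPLE_RULES = """\
*filter
:neutron-l3-agent-FORWARD - [0:0]
-A FORWARD -j neutron-l3-agent-FORWARD
-A neutron-l3-agent-FORWARD -i rfp-cccc3333-44 -j neutron-l3-agent-iv4abc
-A neutron-l3-agent-FORWARD -o rfp-cccc3333-44 -j neutron-l3-agent-ov4abc
-A neutron-l3-agent-FORWARD -i qr-bbbb2222-33 -m state --state INVALID -j DROP
COMMIT
"""


def namespace_interfaces(ip_link_output):
    """Return the set of link names; strips the '@ifN' peer suffix of veths."""
    names = set()
    for line in ip_link_output.splitlines():
        m = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if m:
            names.add(m.group(1))
    return names


def rules_with_missing_interfaces(iptables_save_output, interfaces):
    """Return (interface, rule) pairs whose -i/-o target is absent from the namespace."""
    missing = []
    for line in iptables_save_output.splitlines():
        if not line.startswith("-A "):
            continue  # skip table, chain and COMMIT lines
        tokens = shlex.split(line)
        for flag in ("-i", "-o"):
            if flag in tokens:
                iface = tokens[tokens.index(flag) + 1]
                if iface.endswith("+"):  # iptables prefix wildcard
                    present = any(n.startswith(iface[:-1]) for n in interfaces)
                else:
                    present = iface in interfaces
                if not present:
                    missing.append((iface, line))
    return missing


if __name__ == "__main__":
    for iface, rule in rules_with_missing_interfaces(
            SAMPLE_RULES, namespace_interfaces(SAMPLE_LINKS)):
        print(f"no such interface {iface}: {rule}")
```

On a live system the two inputs would come from `ip netns exec <router-ns> ip -o link show` and `ip netns exec <router-ns> iptables-save`.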