I have one provider/physical network, one router and several tenant networks (with one subnet each).
Creating instances on all of these subnets works just fine. I can access them and they can access 'the world'. But as soon as I create a new tenant network, a subnet on that and then a firewall (with rules and a policy) for that network, ALL routing (?) stops on the other networks and subnets.

Comparing the iptables rules before and after, I see that it's adding the following rules ('-1' is before and '-2' is after):

----- s n i p -----
bladeA01:~# grep neutron-fwaas-l3-fwaas-defau netns-iptables-save.txt-[12]
netns-iptables-save.txt-2::neutron-fwaas-l3-fwaas-defau - [0:0]
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-fwaas-defau
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-fwaas-defau
netns-iptables-save.txt-2:-A neutron-fwaas-l3-fwaas-defau -j DROP
----- s n i p -----

And these are the rules I was after:

----- s n i p -----
bladeA01:~# grep neutron-fwaas-l3-iv432704c9f netns-iptables-save.txt-[12]
netns-iptables-save.txt-2::neutron-fwaas-l3-iv432704c9f - [0:0]
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-iv432704c9f
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -m state --state INVALID -j DROP
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -p tcp -m tcp --dport 80 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-iv432704c9f -p tcp -m tcp --dport 443 -j ACCEPT
bladeA01:~# grep neutron-fwaas-l3-ov432704c9f netns-iptables-save.txt-[12]
netns-iptables-save.txt-2::neutron-fwaas-l3-ov432704c9f - [0:0]
netns-iptables-save.txt-2:-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-ov432704c9f
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -m state --state INVALID -j DROP
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p udp -m udp --dport 22 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -s 10.103.0.0/24 -d 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -p tcp -m tcp --dport 80 -j ACCEPT
netns-iptables-save.txt-2:-A neutron-fwaas-l3-ov432704c9f -p tcp -m tcp --dport 443 -j ACCEPT
----- s n i p -----

See the following for the full saves:
http://bayour.com/misc/iptables-save-1.txt
http://bayour.com/misc/iptables-save-2.txt

I'm not sure if this is a bug or an 'expected behavior', but I had kinda expected that when I ticked/set 'shared=false' it wouldn't "mess" with my other networks. This is because my other networks' instances are 'protected' by security groups, not the firewall.
-- 
If something's hard to do, then it's not worth doing.
- Homer Simpson

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
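An added example (not from the poster and not Neutron's own code) that automates the before/after comparison made in the post: it parses two iptables-save dumps, lists what was added per chain, and flags any neutron-fwaas-l3-FORWARD jump that matches every router port through the 'qr-+' wildcard and lands in a chain ending in an unconditional DROP, which is what lets the default chain affect networks that were never assigned the firewall. The dumps are constructed excerpts of the rules quoted above; the relative order of the FORWARD jumps is an assumption, since the grep output does not show it.

```python
import re

RULE_RE = re.compile(r"^-A (\S+) (.*)$")   # -A <chain> <rule body>
IFACE_RE = re.compile(r"-([io]) (\S+)")    # -i/-o <interface>; a trailing '+' is a wildcard
JUMP_RE = re.compile(r"-j (\S+)$")         # jump target at the end of the rule

# Constructed excerpts in iptables-save format, not the poster's full dumps; the
# relative order of the FORWARD jumps is an assumption (the grep output hides it).
BEFORE = "*filter\n:neutron-fwaas-l3-FORWARD - [0:0]\nCOMMIT"
AFTER = """*filter
:neutron-fwaas-l3-FORWARD - [0:0]
-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-iv432704c9f
-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-ov432704c9f
-A neutron-fwaas-l3-FORWARD -o qr-+ -j neutron-fwaas-l3-fwaas-defau
-A neutron-fwaas-l3-FORWARD -i qr-+ -j neutron-fwaas-l3-fwaas-defau
-A neutron-fwaas-l3-fwaas-defau -j DROP
-A neutron-fwaas-l3-iv432704c9f -s 10.0.0.0/8 -d 10.103.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A neutron-fwaas-l3-ov432704c9f -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT"""

def parse_rules(dump):
    """Map each chain to its ordered '-A' rule bodies (a single filter table is assumed)."""
    chains = {}
    for line in dump.splitlines():
        if m := RULE_RE.match(line.strip()):
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains

def added_rules(before, after):
    """Rules present in `after` but not in `before`, keyed by chain (the post's comparison)."""
    old = parse_rules(before)
    new = {c: [r for r in rs if r not in old.get(c, [])] for c, rs in parse_rules(after).items()}
    return {c: rs for c, rs in new.items() if rs}

def wildcard_drop_jumps(dump, forward="neutron-fwaas-l3-FORWARD"):
    """FORWARD jumps that match every router port through a '+' wildcard and land in a
    chain whose last rule drops unconditionally; such jumps hit tenants with no firewall too."""
    chains = parse_rules(dump)
    hits = []
    for rule in chains.get(forward, []):
        iface, jump = IFACE_RE.search(rule), JUMP_RE.search(rule)
        if not (iface and jump):
            continue
        target = chains.get(jump.group(1), [])
        if iface.group(2).endswith("+") and target and target[-1] == "-j DROP":
            hits.append((iface.group(1), iface.group(2), jump.group(1)))
    return hits
```

Running wildcard_drop_jumps() over the real '-2' dump in the router namespace (ip netns exec <qrouter-...> iptables-save) shows directly whether a catch-all DROP has been hooked onto every qr- port of the shared router.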