Public bug reported:

Hi all:
When restarting the vpn and l3 agent, the firewall rule applies to all tenants' routers.

Steps:
1. Create a network and router in tenant A and tenant B.
2. Create a firewall in tenant A.
3. Restart the vpn and l3 agent services.
4. ip netns exec qrouter-B_router_uuid iptables -L -t filter -vn
Then I find the firewall rule in the chains neutron-l3-agent-FORWARD and neutron-vpn-agen-FORWARD.

So I debugged the code and added some code in neutron/services/firewall/agents/l3reference/firewall_l3_agent.py:

    def _process_router_add(self, ri):
        """On router add, get fw with rules from plugin and update driver."""
        LOG.debug(_("Process router add, router_id: '%s'"), ri.router['id'])
        routers = []
        routers.append(ri.router)
        router_info_list = self._get_router_info_list_for_tenant(
            routers,
            ri.router['tenant_id'])
        if router_info_list:
            # Get the firewall with rules
            # for the tenant the router is on.
            ctx = context.Context('', ri.router['tenant_id'])
            fw_list = self.fwplugin_rpc.get_firewalls_for_tenant(ctx)
            LOG.debug(_("Process router add, fw_list: '%s'"),
                      [fw['id'] for fw in fw_list])
            for fw in fw_list:
                # +++ added check: only sync firewalls owned by the router's tenant
                if fw['tenant_id'] == ri.router['tenant_id']:
                    self._invoke_driver_for_sync_from_plugin(
                        ctx,
                        router_info_list,
                        fw)

My neutron version is icehouse.

** Affects: neutron
     Importance: Undecided
         Status: New
--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1398267

Title:
  when restart the vpn and l3 agent, the firewall rule apply to all tenants' router.

Status in OpenStack Neutron (virtual network service):
  New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1398267/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
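Added example (not part of the bug report and not Neutron code): a small offline model of the _process_router_add sync from the report, showing what the reporter's tenant_id guard changes. The plugin RPC (fwplugin_rpc.get_firewalls_for_tenant) and the iptables driver are replaced by stand-ins; the router and firewall records, and the modelled assumption that the plugin call can return every tenant's firewalls after an agent restart, are constructed for this example and are not taken from the report, which shows the symptom but not the plugin-side cause. The security point is the one the reporter observed: a firewall policy defined in tenant A lands in the FORWARD chain of tenant B's router namespace, so one tenant's rules silently shape another tenant's traffic. The audit function at the end reports any such cross-tenant application and is the kind of check a unit test for the guard would assert on.

```python
"""Offline model of the FWaaS reference agent's router-add sync.

Added example, not Neutron code: the plugin RPC and the iptables driver
are stand-ins so the cross-tenant effect described in the bug report,
and the tenant_id guard the reporter added, can be exercised without a
Neutron deployment.  All tenant, router and firewall names below are
constructed sample data.
"""

# Constructed sample data: routers in tenants A and B, one firewall in tenant A.
ROUTERS = [
    {"id": "qrouter-a", "tenant_id": "tenant-A"},
    {"id": "qrouter-b", "tenant_id": "tenant-B"},
]
FIREWALLS = [
    {"id": "fw-a", "tenant_id": "tenant-A",
     "firewall_rule_list": [
         {"id": "rule-1", "action": "deny", "protocol": "tcp",
          "destination_port": "22", "enabled": True},
     ]},
]


def plugin_get_firewalls_for_tenant(tenant_id, firewalls, scoped):
    """Stand-in for the plugin side of get_firewalls_for_tenant.

    scoped=True is what the agent expects: only the tenant's own firewalls.
    scoped=False models the behaviour the report describes after a restart,
    where firewalls of every tenant come back (an assumption of this model;
    the report documents the symptom, not the plugin-side cause).
    """
    if scoped:
        return [fw for fw in firewalls if fw["tenant_id"] == tenant_id]
    return list(firewalls)


def process_router_add(router, firewalls, scoped, guard):
    """Mirror of _process_router_add's loop.

    Returns the ids of the firewalls the driver would be asked to program
    into this router's namespace.  guard=True applies the reporter's check
        if fw['tenant_id'] == ri.router['tenant_id']:
    before the driver is invoked.
    """
    applied = []
    fw_list = plugin_get_firewalls_for_tenant(router["tenant_id"], firewalls, scoped)
    for fw in fw_list:
        if guard and fw["tenant_id"] != router["tenant_id"]:
            continue
        applied.append(fw["id"])
    return applied


def cross_tenant_firewalls(routers, firewalls, scoped, guard):
    """Audit: map each router id to firewalls from another tenant that the
    sync would apply to it.  An empty dict means tenant isolation holds."""
    tenant_of = {fw["id"]: fw["tenant_id"] for fw in firewalls}
    leaks = {}
    for router in routers:
        foreign = [fid for fid in process_router_add(router, firewalls, scoped, guard)
                   if tenant_of[fid] != router["tenant_id"]]
        if foreign:
            leaks[router["id"]] = foreign
    return leaks


if __name__ == "__main__":
    # Reproduces the report: with an unscoped plugin answer and no guard,
    # tenant A's firewall is applied inside tenant B's router namespace.
    print(cross_tenant_firewalls(ROUTERS, FIREWALLS, scoped=False, guard=False))
    # {'qrouter-b': ['fw-a']}
    print(cross_tenant_firewalls(ROUTERS, FIREWALLS, scoped=False, guard=True))
    # {}
```

Run the file directly to see both cases. The guard makes the agent side robust regardless of what the plugin returns: with guard=True the audit comes back empty even for an unscoped firewall list, which is the defence-in-depth property worth keeping even once the plugin-side scoping is fixed.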