Reviewed: https://review.openstack.org/539461
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=66d4431f990b2da0d3b42493a499ab67e9a0020a
Submitter: Zuul
Branch: master

commit 66d4431f990b2da0d3b42493a499ab67e9a0020a
Author: Nguyen Phuong An <a...@vn.fujitsu.com>
Date: Wed Jan 31 14:54:53 2018 +0700

    Remove disable option for default FWG and allow only on VM ports

    Currently, auto association with the default FWG works only one time, and
    the logic is broken if the new port is a DHCP port or a router port. This
    patch fixes the problem by validating whether a port is a VM port or not,
    ignoring ports whose binding failed or that are unbound, and also adding
    trusted port handling.

    In addition, from a security perspective, the
    'auto_associate_default_firewall_group' CfgOpt is no longer used. Automatic
    association of VM ports with the default firewall group works by default.

    Closes-Bug: #1746404
    Co-Authored-By: Yushiro FURUKAWA <y.furukaw...@jp.fujitsu.com>
    Co-Authored-By: Chandan Dutta Chowdhury <chand...@juniper.net>
    Change-Id: Ib567c0e0333335a99b851162d87f17f1a8ceb2dd

** Changed in: neutron
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1746404

Title:
  'auto_associate_default_firewall_group' got an error when new port is created

Status in neutron:
  Fix Released

Bug description:
  If we create a new port (bound somewhere) under the following condition, an error occurs.

  Jan 31 11:30:00 furukawa-verify-devstack neutron-server[25204]: DEBUG neutron_fwaas.db.firewall.v2.firewall_db_v2 [None req-f3c0994c-1547-410a-8bf8-b4b459e0dfba None None] get_firewall_group() called {{(pid=25213) get_firewall_group /opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/v2/firewall_db_v2.py:1080}}
  Jan 31 11:30:00 furukawa-verify-devstack neutron-server[25204]: ERROR neutron_lib.callbacks.manager [None req-f3c0994c-1547-410a-8bf8-b4b459e0dfba None None] Error during notification for neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2.handle_create_port_event--9223372036854763926 port, after_create: PortNotFound: Port c could not be found.

  It was due to the following:
  1. Validation is missing of whether the created port is for a VM or not.
  2. It should be a list of port IDs, but a single port ID string is passed.

  [How to reproduce]
  1. Deploy devstack with the latest code with q-fwaas-v2.
  2. Configure the following settings (/etc/neutron/neutron_fwaas.conf):
     [fwaas]
     auto_associate_default_firewall_group = True
  3. Restart q-svc.
  4. Run the following commands:
     $ neutron net-create test
     $ neutron subnet-create test 11.11.11.0/24
     Then a DHCP port will be created and an error occurs on q-svc. You can see it with:
     $ sudo journalctl -f -u devstack@q-svc.service
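The two defects the report names (a bare port ID iterated as if it were a list, which is why the log says "Port c", and no check that the port belongs to a VM or is bound), modelled as an added Python example that is not neutron-fwaas code; the "compute:" device_owner prefix and the "unbound"/"binding_failed" vif types follow Neutron's conventions, while the port records, handler names and ID strings are constructed here.

```python
# Added example (not neutron-fwaas code): a minimal model of the default-FWG
# association handler from bug #1746404, before and after the fix.
# Port records, handler names and IDs are constructed; "compute:" device owners
# and the "unbound"/"binding_failed" vif types follow Neutron's conventions.

VM_PORT = "c0ffee00-0000-4000-8000-000000000001"
DHCP_PORT = "dd000000-0000-4000-8000-000000000002"
ROUTER_PORT = "aa000000-0000-4000-8000-000000000003"
UNBOUND_PORT = "c0ffee00-0000-4000-8000-000000000004"

# Constructed sample ports, shaped like the Neutron port dicts the handler sees.
PORTS = {
    VM_PORT: {"device_owner": "compute:nova", "binding:vif_type": "ovs"},
    DHCP_PORT: {"device_owner": "network:dhcp", "binding:vif_type": "ovs"},
    ROUTER_PORT: {"device_owner": "network:router_interface", "binding:vif_type": "ovs"},
    UNBOUND_PORT: {"device_owner": "compute:nova", "binding:vif_type": "unbound"},
}


class PortNotFound(Exception):
    """Mirrors the wording of the error in the bug report's log excerpt."""


def get_port(port_id):
    if port_id not in PORTS:
        raise PortNotFound("Port %s could not be found." % port_id)
    return PORTS[port_id]


def associate_before_fix(port_ids):
    """Defect 2: called with one ID string, the loop iterates its characters,
    so the very first lookup is for a port named 'c'."""
    associated = []
    for port_id in port_ids:        # no VM or binding check here (defect 1)
        get_port(port_id)
        associated.append(port_id)
    return associated


def reproduce_bug(port_id):
    """Return the error message the report shows, or None if nothing failed."""
    try:
        associate_before_fix(port_id)   # a bare string, not [port_id]
    except PortNotFound as exc:
        return str(exc)
    return None


def associate_after_fix(port_id):
    """Fixed handler: one ID, VM ports only, unbound/failed bindings skipped."""
    port = get_port(port_id)
    if not port["device_owner"].startswith("compute:"):
        return None                     # DHCP, router and other service ports
    if port["binding:vif_type"] in ("unbound", "binding_failed"):
        return None                     # not bound yet; nothing to associate
    return [port_id]
```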