Public bug reported: Source/Destination IPs are not respected in firewall group rules FWaaS
I'm trying to configure and use FWaaS v2. My simple use case is to configure a default FW in a project, which will forbid requests from specific IPs. It looks like source/destination IPs are not respected; other fields seem to be working.
My environment: OpenStack 2024.1, kolla-ansible, OVS with DVR, rockylinux 5.14.0, KVM
Configuration
L3 Agent
fwaas_driver.ini
[fwaas]
enabled = True
agent_version = v2
driver = iptables_v2
[service_providers]
service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default
l3_agent.ini
...
[agent]
extensions = fwaas_v2,vpnaas
...
OpenVSwitch Agent
openvswitch_agent.ini
[agent]
tunnel_types = vxlan
l2_population = true
arp_responder = true
enable_distributed_routing = True
extensions = fwaas_v2
[securitygroup]
firewall_driver = openvswitch
[fwaas]
enabled = True
firewall_l2_driver = ovs
How to reproduce:
After FWaaS has been activated, check in a project that there is a default firewall installed
openstack firewall group list --long
+--------------------------------------+---------+--------------------------------------+--------------------------------------+
| ID                                   | Name    | Ingress Policy ID                    | Egress Policy ID                     |
+--------------------------------------+---------+--------------------------------------+--------------------------------------+
| 176d6b64-ab11-4d01-a65b-fe64ef42517c | default | f3592619-e8dc-4d38-9235-b84eec07f266 | e7259e7c-df47-49fa-8e6e-5b0705c2749d |
+--------------------------------------+---------+--------------------------------------+--------------------------------------+
openstack firewall group show default
+-------------------+--------------------------------------------+
| Field             | Value                                      |
+-------------------+--------------------------------------------+
| Description       | Default firewall group                     |
| Egress Policy ID  | e7259e7c-df47-49fa-8e6e-5b0705c2749d       |
| ID                | 176d6b64-ab11-4d01-a65b-fe64ef42517c       |
| Ingress Policy ID | f3592619-e8dc-4d38-9235-b84eec07f266       |
| Name              | default                                    |
| Ports             | ['20b5fc16-ee0d-4645-98bf-01ee59e8e2a2',   |
|                   |  '270300c8-0a30-4b5b-859a-d1a5d7b94fa3',   |
|                   |  'a926677b-ccd8-4e30-ab09-3d4dbef97cd1',   |
|                   |  'b347d215-2b82-4de8-aa8e-420114668d4e']   |
| Project           | 7efc953644d04c968ec883a1337930d2           |
| Shared            | False                                      |
| State             | UP                                         |
| Status            | ACTIVE                                     |
| created_at        | 2025-08-19T14:05:22Z                       |
| revision_number   | 254                                        |
| tags              | []                                         |
| updated_at        | 2025-08-28T06:15:00Z                       |
+-------------------+--------------------------------------------+
Check default Ingress Policy
openstack firewall group policy show "default ingress"
+-----------------+--------------------------------------------+
| Field           | Value                                      |
+-----------------+--------------------------------------------+
| Audited         | False                                      |
| Description     | Ingress firewall policy                    |
| Firewall Rules  | ['88354c14-12a3-43a9-a095-7a5115c6841d',   |
|                 |  'fad35b29-6752-4955-b62e-739062378f5f']   |
| ID              | f3592619-e8dc-4d38-9235-b84eec07f266       |
| Name            | default ingress                            |
| Project         | 7efc953644d04c968ec883a1337930d2           |
| Shared          | False                                      |
| created_at      | 2025-08-19T14:05:22Z                       |
| revision_number | 0                                          |
| tags            | []                                         |
| updated_at      | 2025-08-25T07:41:00Z                       |
+-----------------+--------------------------------------------+
Check the rule of the default ingress policy; ingress traffic should be set to "deny"
MY_DEFAULT_IPV4_RULE_ID=$(openstack firewall group policy show "default ingress" -c "Firewall Rules" -fjson | jq -Mr '.["Firewall Rules"][0]')
openstack firewall group rule show $MY_DEFAULT_IPV4_RULE_ID
+-------------------------------+------------------------------------------+
| Field | Value |
+-------------------------------+------------------------------------------+
| Action | deny |
| Description | default ingress rule for IPv4 |
| Destination Firewall Group ID | |
| Destination IP Address | None |
| Destination Port | None |
| Enabled | True |
| Firewall Policy | ['f3592619-e8dc-4d38-9235-b84eec07f266'] |
| ID | 88354c14-12a3-43a9-a095-7a5115c6841d |
| IP Version | 4 |
| Name | default ingress ipv4 |
| Project | 7efc953644d04c968ec883a1337930d2 |
| Protocol | any |
| Shared | False |
| Source Firewall Group ID | |
| Source IP Address | None |
| Source Port | None |
| Summary | |
| created_at | 2025-08-19T14:05:22Z |
| revision_number | 4 |
| tags | [] |
| updated_at | 2025-08-28T08:56:50Z |
+-------------------------------+------------------------------------------+
Create a new server
openstack server create --image ubuntu-24.04 --flavor m1.medium --key-name mykey --network 01_demo_k8s-vlan-net fwaastest01
openstack server show fwaastest01
+-------------------------------------+----------------------------------------------------------+
| Field                               | Value                                                    |
+-------------------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                                   |
| OS-EXT-AZ:availability_zone         | nova                                                     |
| OS-EXT-SRV-ATTR:host                | None                                                     |
| OS-EXT-SRV-ATTR:hostname            | fwaastest01                                              |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                                     |
| OS-EXT-SRV-ATTR:instance_name       | None                                                     |
| OS-EXT-SRV-ATTR:kernel_id           | None                                                     |
| OS-EXT-SRV-ATTR:launch_index        | None                                                     |
| OS-EXT-SRV-ATTR:ramdisk_id          | None                                                     |
| OS-EXT-SRV-ATTR:reservation_id      | None                                                     |
| OS-EXT-SRV-ATTR:root_device_name    | None                                                     |
| OS-EXT-SRV-ATTR:user_data           | None                                                     |
| OS-EXT-STS:power_state              | Running                                                  |
| OS-EXT-STS:task_state               | None                                                     |
| OS-EXT-STS:vm_state                 | active                                                   |
| OS-SRV-USG:launched_at              | 2025-08-28T08:37:06.000000                               |
| OS-SRV-USG:terminated_at            | None                                                     |
| accessIPv4                          |                                                          |
| accessIPv6                          |                                                          |
| addresses                           | 01_demo_k8s-vlan-net=10.10.21.42                         |
| config_drive                        |                                                          |
| created                             | 2025-08-28T08:36:47Z                                     |
| description                         | None                                                     |
| flavor                              | description=, disk='40', ephemeral='0', ,                |
|                                     | id='m1.medium', is_disabled=, is_public='True',          |
|                                     | location=, name='m1.medium', original_name='m1.medium',  |
|                                     | ram='4096', rxtx_factor=, swap='0', vcpus='2'            |
| hostId                              | 016287359e32f6b692430b0fbb1e4d91ce0f5a452653c54312dcba82 |
| host_status                         | None                                                     |
| id                                  | 2950669e-cb09-4307-8675-61930bb0f12f                     |
| image                               | ubuntu-24.04 (cf46b0d8-e0e2-4a3d-a233-e2157fa97298)      |
| key_name                            | mykey                                                    |
| locked                              | False                                                    |
| locked_reason                       | None                                                     |
| name                                | fwaastest01                                              |
| pinned_availability_zone            | None                                                     |
| progress                            | 0                                                        |
| project_id                          | 7efc953644d04c968ec883a1337930d2                         |
| properties                          |                                                          |
| security_groups                     | name='default'                                           |
| server_groups                       | None                                                     |
| status                              | ACTIVE                                                   |
| tags                                |                                                          |
| trusted_image_certificates          | None                                                     |
| updated                             | 2025-08-28T08:37:06Z                                     |
| user_id                             | 0906ccc8fabe4341b7f4bde4a795f0fd                         |
| volumes_attached                    |                                                          |
+-------------------------------------+----------------------------------------------------------+
openstack port list --server fwaastest01
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                                         | Status |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------+--------+
| 882e8994-3f0f-4664-bbf6-92165cdb72c5 |      | fa:16:3e:36:34:3a | ip_address='10.10.21.42', subnet_id='516acec3-f099-4904-b827-d6d1a11a58cc' | ACTIVE |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------+--------+
Check that the server port has been added to the default firewall group
openstack firewall group show default -fjson | jq '.["Ports"]'
[
"20b5fc16-ee0d-4645-98bf-01ee59e8e2a2",
"270300c8-0a30-4b5b-859a-d1a5d7b94fa3",
"882e8994-3f0f-4664-bbf6-92165cdb72c5",
"a926677b-ccd8-4e30-ab09-3d4dbef97cd1",
"b347d215-2b82-4de8-aa8e-420114668d4e"
]
Check that one of the listed ports belongs to the router
openstack port show 270300c8-0a30-4b5b-859a-d1a5d7b94fa3
+-------------------------+--------------------------------------------------+
| Field                   | Value                                            |
+-------------------------+--------------------------------------------------+
| admin_state_up          | UP                                               |
| allowed_address_pairs   |                                                  |
| binding_host_id         | None                                             |
| binding_profile         | None                                             |
| binding_vif_details     | None                                             |
| binding_vif_type        | None                                             |
| binding_vnic_type       | normal                                           |
| created_at              | 2025-04-22T08:20:18Z                             |
| data_plane_status       | None                                             |
| description             |                                                  |
| device_id               | 1a41e860-eb39-490e-8b75-cfc2803f4708             |
| device_owner            | network:router_interface_distributed             |
| device_profile          | None                                             |
| dns_assignment          | fqdn='host-10-0-0-1.openstacklocal.',            |
|                         | hostname='host-10-0-0-1', ip_address='10.0.0.1'  |
| dns_domain              |                                                  |
| dns_name                |                                                  |
| extra_dhcp_opts         |                                                  |
| fixed_ips               | ip_address='10.0.0.1',                           |
|                         | subnet_id='b4e950f6-949a-40bb-8c65-9f61970cb71e' |
| hardware_offload_type   | None                                             |
| hints                   |                                                  |
| id                      | 270300c8-0a30-4b5b-859a-d1a5d7b94fa3             |
| ip_allocation           | None                                             |
| mac_address             | fa:16:3e:ee:ea:63                                |
| name                    |                                                  |
| network_id              | 0ae5f5b4-9dc9-4ab9-ad06-77d96b08ca76             |
| numa_affinity_policy    | None                                             |
| port_security_enabled   | False                                            |
| project_id              | 7efc953644d04c968ec883a1337930d2                 |
| propagate_uplink_status | None                                             |
| resource_request        | None                                             |
| revision_number         | 1083                                             |
| qos_network_policy_id   | None                                             |
| qos_policy_id           | None                                             |
| security_group_ids      |                                                  |
| status                  | ACTIVE                                           |
| tags                    |                                                  |
| trunk_details           | None                                             |
| trusted                 | None                                             |
| updated_at              | 2025-08-28T08:27:17Z                             |
+-------------------------+--------------------------------------------------+
Create and assign a floating IP to the server
openstack floating ip create shared0 -c name
+-------+--------------+
| Field | Value |
+-------+--------------+
| name | 10.30.10.84 |
+-------+--------------+
openstack server add floating ip fwaastest01 10.30.10.84
openstack server show fwaastest01 -c name -c addresses
+-----------+-----------------------------------------------+
| Field | Value |
+-----------+-----------------------------------------------+
| addresses | 01_demo_k8s-vlan-net=10.10.21.42, 10.30.10.84 |
| name | fwaastest01 |
+-----------+-----------------------------------------------+
Try to access via ssh; it should not work (default ingress policy)
ssh [email protected] -v
...
Create a new rule which allows traffic to port 22, and add it to the default ingress policy
openstack firewall group rule create --name allow-ssh --protocol tcp --destination-port 22 --action allow
+-------------------------------+--------------------------------------+
| Field | Value |
+-------------------------------+--------------------------------------+
| Action | allow |
| Description | |
| Destination Firewall Group ID | |
| Destination IP Address | None |
| Destination Port | 22 |
| Enabled | True |
| Firewall Policy | None |
| ID | 39737b54-485b-4ec7-93bd-08091d4e96f2 |
| IP Version | 4 |
| Name | allow-ssh |
| Project | 7efc953644d04c968ec883a1337930d2 |
| Protocol | tcp |
| Shared | False |
| Source Firewall Group ID | |
| Source IP Address | None |
| Source Port | None |
| Summary | |
| created_at | 2025-08-28T08:58:33Z |
| revision_number | 0 |
| tags | [] |
| updated_at | 2025-08-28T08:58:33Z |
+-------------------------------+--------------------------------------+
openstack firewall group policy add rule "default ingress" allow-ssh
Inserted firewall rule 39737b54-485b-4ec7-93bd-08091d4e96f2 in firewall policy default ingress
openstack firewall group policy show "default ingress"
+-----------------+--------------------------------------------+
| Field           | Value                                      |
+-----------------+--------------------------------------------+
| Audited         | False                                      |
| Description     | Ingress firewall policy                    |
| Firewall Rules  | ['39737b54-485b-4ec7-93bd-08091d4e96f2',   |
|                 |  '88354c14-12a3-43a9-a095-7a5115c6841d',   |
|                 |  'fad35b29-6752-4955-b62e-739062378f5f']   |
| ID              | f3592619-e8dc-4d38-9235-b84eec07f266       |
| Name            | default ingress                            |
| Project         | 7efc953644d04c968ec883a1337930d2           |
| Shared          | False                                      |
| created_at      | 2025-08-19T14:05:22Z                       |
| revision_number | 1                                          |
| tags            | []                                         |
| updated_at      | 2025-08-28T08:59:36Z                       |
+-----------------+--------------------------------------------+
Try to access via ssh; now it should work (port 22 allowed)
ssh [email protected] -v
...
Set the source IP address in the rule, to allow traffic only from a specific IP
openstack firewall group rule set --source-ip-address 10.30.10.77 allow-ssh
Try to connect from the source IP to the server via ssh; it should still work
ssh [email protected] -v
Set the source IP address in the rule to another IP, to allow traffic only from that IP
openstack firewall group rule set --source-ip-address 10.30.10.100 allow-ssh
Try to connect from the source IP to the server via ssh; it should not work, but it does
ssh [email protected] -v
Check incoming traffic on the target host
root@fwaastest01:~# tcpdump -nve -i ens3 port 22 and host 10.30.10.77
tcpdump: listening on ens3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:17:23.674025 fa:16:3e:8b:c7:b8 > fa:16:3e:36:34:3a, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 5237, offset 0, flags [DF], proto TCP (6), length 60)
    10.30.10.77.47115 > 10.10.21.42.22: Flags [S], cksum 0xc08f (correct), seq 1696342916, win 64860, options [mss 1410,sackOK,TS val 2199360205 ecr 0,nop,wscale 7], length 0
Expectation: if we connect from the IP we set in the FW rule, it should work. Connections from any other IP should not work.
Reality: it's possible to connect from any IP; the source IP address is not respected.
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2121582
Title:
Source / Destination IP address is not respected in firewall group
rule FWaaS v2
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2121582/+subscriptions
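The reproduction above compares what the API was told with what tcpdump on the instance sees. The following is an added example, not code from the bug report or from neutron-fwaas: an offline evaluator that takes FWaaS v2 rules in the shape `openstack firewall group rule show` prints them (action, protocol, ip_version, source/destination IP address and port) and returns the verdict the policy is supposed to give for a packet, so the intended verdict for each probe can be written down next to the observed one. It assumes, which the report does not state, that rules are evaluated in policy order, that the first matching enabled rule decides, and that a packet matching no rule is denied; the rule dicts are constructed from the report's output, and the third rule of the policy (not shown in the report) is assumed to be the IPv6 twin of "default ingress ipv4". The Packet class, port_matches, ip_matches, rule_matches, evaluate and expected_verdicts are names chosen here, not part of any OpenStack API.

```python
"""Offline verdict oracle for a Neutron FWaaS v2 policy (added example).

Not code from the bug report or from neutron-fwaas. Rules are plain dicts
with the field names the openstack CLI prints. Assumptions: policy order,
first enabled match wins, no match means deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    sport: Optional[int] = None


def port_matches(spec, port):
    """FWaaS port specs are a single port ("22") or a range ("1024:65535")."""
    if spec in (None, ""):
        return True
    if port is None:            # rule needs a port, packet has none (e.g. ICMP)
        return False
    lo, _, hi = str(spec).partition(":")
    low = int(lo)
    high = int(hi) if hi else low
    return low <= port <= high


def ip_matches(spec, ip):
    """Rule IPs are a host address or a CIDR; None/empty matches anything."""
    if spec in (None, ""):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """True if every field that is set on the rule matches the packet."""
    if not rule.get("enabled", True):
        return False
    if rule.get("ip_version", 4) != ipaddress.ip_address(pkt.src).version:
        return False
    proto = rule.get("protocol") or "any"
    if proto != "any" and proto != pkt.proto:
        return False
    return (ip_matches(rule.get("source_ip_address"), pkt.src)
            and ip_matches(rule.get("destination_ip_address"), pkt.dst)
            and port_matches(rule.get("source_port"), pkt.sport)
            and port_matches(rule.get("destination_port"), pkt.dport))


def evaluate(policy_rules, pkt, default="deny"):
    """Return (action, rule name) of the first matching rule, else (default, None)."""
    for rule in policy_rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule.get("name")
    return default, None


# "default ingress" after `openstack firewall group rule set
# --source-ip-address 10.30.10.100 allow-ssh`, in the order the policy lists
# its rules. Constructed from the report's output; the IPv6 rule is assumed.
DEFAULT_INGRESS = [
    {"name": "allow-ssh", "action": "allow", "protocol": "tcp", "ip_version": 4,
     "source_ip_address": "10.30.10.100", "destination_port": "22", "enabled": True},
    {"name": "default ingress ipv4", "action": "deny", "protocol": "any",
     "ip_version": 4, "enabled": True},
    {"name": "default ingress ipv6", "action": "deny", "protocol": "any",
     "ip_version": 6, "enabled": True},
]

# tcpdump in the report sees the SYN addressed to the fixed IP, i.e. after the
# floating-IP DNAT, so that is the destination the policy is evaluated against.
SERVER_FIXED_IP = "10.10.21.42"


def expected_verdicts(rules=DEFAULT_INGRESS):
    """Intended verdicts for the probes in the report, plus one extra port."""
    probes = {
        "ssh from 10.30.10.100": Packet("10.30.10.100", SERVER_FIXED_IP, "tcp", dport=22),
        "ssh from 10.30.10.77": Packet("10.30.10.77", SERVER_FIXED_IP, "tcp", dport=22),
        "http from 10.30.10.100": Packet("10.30.10.100", SERVER_FIXED_IP, "tcp", dport=80),
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, verdict in expected_verdicts().items():
        print(f"{name:24s} -> {verdict}")
```

Run against the report's policy, the oracle says "deny" for the SYN from 10.30.10.77 that tcpdump captured on the instance, which is exactly the mismatch the report describes. Feeding it the rule list as actually ordered in the policy (e.g. dumped with `-fjson`) also rules out the ordinary explanation for a rule being ignored, namely an earlier, broader allow rule matching first; when the oracle and the data plane disagree on a policy this small, the problem is in the driver path, not in the policy.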
--
Mailing list: https://launchpad.net/~yahoo-eng-team