Bug 1014547

Summary: Firewall rules can not be updated in a firewall policy after firewall policy creation
Product: [Community] RDO
Reporter: Rami Vaknin <rvaknin>
Component: openstack-neutron
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED UPSTREAM
QA Contact: Ofer Blaut <oblaut>
Severity: high
Priority: unspecified
Version: unspecified
CC: chrisw, kchamart, lars, rvaknin, yeylon, yfried
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Flags: kchamart: needinfo? (rvaknin)
Hardware: Unspecified
OS: Unspecified
Whiteboard: network
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-02-12 06:52:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Rami Vaknin 2013-10-02 10:33:08 UTC
Version
=======
RDO havana on RHEL6.4
openstack-neutron-2013.2-0.4.b3.el6


Description
===========
Firewall rules cannot be updated in a firewall policy after the firewall policy creation (at least when the policy was already created with a rule).
It looks like the firewall-policy-update looks only at the first char of the policy id and hence reports that this rule was not found.

[root@puma10 ~(keystone_admin)]# neutron firewall-policy-show f1224bee-740e-4aab-bdbe-829d76aeb647
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| audited        | True                                 |
| description    |                                      |
| firewall_rules | 2f381389-3137-48f0-a7ff-86744a63c0cb |
| id             | f1224bee-740e-4aab-bdbe-829d76aeb647 |
| name           | tcp_90_policy                        |
| shared         | True                                 |
| tenant_id      | 699ae084c9df430d83dbb9a547bab2e3     |
+----------------+--------------------------------------+
[root@puma10 ~(keystone_admin)]# neutron firewall-policy-update f1224bee-740e-4aab-bdbe-829d76aeb647 --firewall-rules 4e57336a-4f91-46b8-af00-b5312fa7e175
Firewall Rule 4 could not be found.
[root@puma10 ~(keystone_admin)]# neutron firewall-rule-show 4e57336a-4f91-46b8-af00-b5312fa7e175
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | deny                                 |
| description            |                                      |
| destination_ip_address | 10.35.211.3                          |
| destination_port       | 100                                  |
| enabled                | True                                 |
| firewall_policy_id     |                                      |
| id                     | 4e57336a-4f91-46b8-af00-b5312fa7e175 |
| ip_version             | 4                                    |
| name                   |                                      |
| position               |                                      |
| protocol               | tcp                                  |
| shared                 | False                                |
| source_ip_address      | 10.35.115.14                         |
| source_port            |                                      |
| tenant_id              | 699ae084c9df430d83dbb9a547bab2e3     |
+------------------------+--------------------------------------+
[root@puma10 ~(keystone_admin)]# neutron firewall-policy-update f1224bee-740e-4aab-bdbe-829d76aeb647 --firewall-rules 5e57336a-4f91-46b8-af00-b5312fa7e175
Firewall Rule 5 could not be found.
[root@puma10 ~(keystone_admin)]# neutron firewall-policy-update f1224bee-740e-4aab-bdbe-829d76aeb647 --firewall-rules rami
Firewall Rule r could not be found.


From the server.log
===================

2013-10-02 13:24:11.404 26705 ERROR neutron.api.v2.resource [-] update failed
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource Traceback (most recent call last):
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/api/v2/resource.py", line 84, in resource
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     result = method(request=request, **args)
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/api/v2/base.py", line 486, in update
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     obj = obj_updater(request.context, id, **kwargs)
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/services/firewall/fwaas_plugin.py", line 247, in update_firewall_policy
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     self).update_firewall_policy(context, id, firewall_policy)
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/db/firewall/firewall_db.py", line 302, in update_firewall_policy
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     fwp['firewall_rules'])
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/db/firewall/firewall_db.py", line 185, in _set_rules_for_policy
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     fwrule_id)
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource FirewallRuleNotFound: Firewall Rule 4 could not be found.
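
Added example, not part of the original report and not Neutron's code: one explanation consistent with the output above is that `firewall_rules` reached the lookup loop as a single string rather than a list, so the loop walked it character by character. That cause is an assumption, not confirmed on this page. All function names below are hypothetical; the sketch reproduces the symptom, adds a shape check on the input, and flags truncated IDs in log lines.

```python
import re
import uuid

# Rule IDs taken from the report; the store and every function here are hypothetical.
KNOWN_RULES = {
    "2f381389-3137-48f0-a7ff-86744a63c0cb",
    "4e57336a-4f91-46b8-af00-b5312fa7e175",
}

class FirewallRuleNotFound(Exception):
    pass

def set_rules_unchecked(rule_ids):
    """Iterate whatever arrives; a bare str is walked one character at a time."""
    for rule_id in rule_ids:
        if rule_id not in KNOWN_RULES:
            raise FirewallRuleNotFound("Firewall Rule %s could not be found." % rule_id)
    return list(rule_ids)

def validate_uuid_list(value):
    """Accept only a list/tuple of strings that parse as UUIDs."""
    if not isinstance(value, (list, tuple)):
        raise ValueError("firewall_rules must be a list, got %s" % type(value).__name__)
    for item in value:
        if not isinstance(item, str):
            raise ValueError("rule id must be a string")
        uuid.UUID(item)  # raises ValueError on a malformed id
    return list(value)

def set_rules_checked(rule_ids):
    """Validate the shape first so a scalar is rejected before any lookup."""
    return set_rules_unchecked(validate_uuid_list(rule_ids))

NOT_FOUND = re.compile(r"FirewallRuleNotFound: Firewall Rule (\S+) could not be found\.")
# Last line of the traceback quoted in the report.
SAMPLE_LOG = ["2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource "
              "FirewallRuleNotFound: Firewall Rule 4 could not be found."]

def truncated_ids(log_lines):
    """Triage helper: ids in FirewallRuleNotFound lines that are not full UUIDs."""
    hits = []
    for line in log_lines:
        match = NOT_FOUND.search(line)
        if match:
            try:
                uuid.UUID(match.group(1))
            except ValueError:
                hits.append(match.group(1))
    return hits
```

A non-UUID id in a `FirewallRuleNotFound` line points at a malformed request shape rather than a missing rule, which matters when a failed update leaves a policy enforcing stale rules.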

Comment 2 Kashyap Chamarthy 2014-01-15 15:53:48 UTC
Hi, please report this issue upstream, link the respective Launchpad bug as an external tracker, and close this bug as INSUFFICIENT_DATA.

Comment 3 Lars Kellogg-Stedman 2014-02-10 17:11:30 UTC
Given the age of this report and the fact that the original reporter's account has been closed, I am closing the bug.

Comment 4 Ofer Blaut 2014-02-11 05:14:56 UTC
The bug should be opened upstream; this is not related to the fact that the account has been closed.