Bug 1014547 - Firewall rules can not be updated in a firewall policy after firewall policy creation [NEEDINFO]
Status: CLOSED UPSTREAM
Product: RDO
Classification: Community
Component: openstack-neutron
unspecified
Unspecified Unspecified
unspecified Severity high
Assigned To: RHOS Maint
Ofer Blaut
network
: Reopened
Reported: 2013-10-02 06:33 EDT by Rami Vaknin
Modified: 2016-04-26 18:46 EDT

Doc Type: Bug Fix
Last Closed: 2014-02-12 01:52:22 EST
Type: Bug
kchamart: needinfo? (rvaknin)


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1279208 None None None Never

Description Rami Vaknin 2013-10-02 06:33:08 EDT
Version
=======
RDO havana on RHEL6.4
openstack-neutron-2013.2-0.4.b3.el6


Description
===========
Firewall rules cannot be updated in a firewall policy after the firewall policy creation (at least when the policy was already created with a rule).
It looks like the firewall-policy-update looks only at the first char of the policy id and hence reports that this rule was not found.

[root@puma10 ~(keystone_admin)]# neutron firewall-policy-show f1224bee-740e-4aab-bdbe-829d76aeb647
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| audited        | True                                 |
| description    |                                      |
| firewall_rules | 2f381389-3137-48f0-a7ff-86744a63c0cb |
| id             | f1224bee-740e-4aab-bdbe-829d76aeb647 |
| name           | tcp_90_policy                        |
| shared         | True                                 |
| tenant_id      | 699ae084c9df430d83dbb9a547bab2e3     |
+----------------+--------------------------------------+
[root@puma10 ~(keystone_admin)]# neutron firewall-policy-update f1224bee-740e-4aab-bdbe-829d76aeb647 --firewall-rules 4e57336a-4f91-46b8-af00-b5312fa7e175
Firewall Rule 4 could not be found.
[root@puma10 ~(keystone_admin)]# neutron firewall-rule-show 4e57336a-4f91-46b8-af00-b5312fa7e175
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | deny                                 |
| description            |                                      |
| destination_ip_address | 10.35.211.3                          |
| destination_port       | 100                                  |
| enabled                | True                                 |
| firewall_policy_id     |                                      |
| id                     | 4e57336a-4f91-46b8-af00-b5312fa7e175 |
| ip_version             | 4                                    |
| name                   |                                      |
| position               |                                      |
| protocol               | tcp                                  |
| shared                 | False                                |
| source_ip_address      | 10.35.115.14                         |
| source_port            |                                      |
| tenant_id              | 699ae084c9df430d83dbb9a547bab2e3     |
+------------------------+--------------------------------------+
[root@puma10 ~(keystone_admin)]# neutron firewall-policy-update f1224bee-740e-4aab-bdbe-829d76aeb647 --firewall-rules 5e57336a-4f91-46b8-af00-b5312fa7e175
Firewall Rule 5 could not be found.
[root@puma10 ~(keystone_admin)]# neutron firewall-policy-update f1224bee-740e-4aab-bdbe-829d76aeb647 --firewall-rules rami
Firewall Rule r could not be found.


From the server.log
===================

2013-10-02 13:24:11.404 26705 ERROR neutron.api.v2.resource [-] update failed
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource Traceback (most recent call last):
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/api/v2/resource.py", line 84, in resource
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     result = method(request=request, **args)
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/api/v2/base.py", line 486, in update
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     obj = obj_updater(request.context, id, **kwargs)
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/services/firewall/fwaas_plugin.py", line 247, in update_firewall_policy
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     self).update_firewall_policy(context, id, firewall_policy)
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/db/firewall/firewall_db.py", line 302, in update_firewall_policy
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     fwp['firewall_rules'])
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/db/firewall/firewall_db.py", line 185, in _set_rules_for_policy
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     fwrule_id)
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource FirewallRuleNotFound: Firewall Rule 4 could not be found.
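
The following is an added illustration, not Neutron's code and not part of the original report. It shows one failure mode consistent with the output above: a lookup loop that receives a single string where a list of rule IDs is expected iterates over its characters, so only the first character is reported as missing. All function names and the in-memory rule store are hypothetical; the checked variant rejects malformed input before any lookup.

```python
import uuid

# Rule IDs taken from the report; the in-memory store itself is constructed.
KNOWN_RULE_IDS = {
    "2f381389-3137-48f0-a7ff-86744a63c0cb",
    "4e57336a-4f91-46b8-af00-b5312fa7e175",
}

class FirewallRuleNotFound(Exception):
    def __init__(self, rule_id):
        super().__init__("Firewall Rule %s could not be found." % rule_id)

def set_rules_naive(policy, rule_ids):
    """Hypothetical lookup loop that trusts rule_ids to be a list."""
    for rule_id in rule_ids:  # a bare str is iterated one character at a time
        if rule_id not in KNOWN_RULE_IDS:
            raise FirewallRuleNotFound(rule_id)
    policy["firewall_rules"] = list(rule_ids)
    return policy

def normalize_rule_ids(value):
    """Accept only a list/tuple of well-formed UUID strings."""
    if not isinstance(value, (list, tuple)):
        raise TypeError("firewall_rules must be a list of rule IDs, got %s"
                        % type(value).__name__)
    ids = []
    for item in value:
        try:
            ids.append(str(uuid.UUID(item)))
        except (ValueError, TypeError, AttributeError):
            raise ValueError("%r is not a valid rule ID" % (item,))
    return ids

def set_rules_checked(policy, rule_ids):
    """Validate the shape of the input before any lookup is attempted."""
    return set_rules_naive(policy, normalize_rule_ids(rule_ids))

def error_for(func, rule_ids):
    """Return 'ExcType: message' for a failed update, or None on success."""
    try:
        func({"name": "tcp_90_policy"}, rule_ids)
    except (FirewallRuleNotFound, TypeError, ValueError) as exc:
        return "%s: %s" % (type(exc).__name__, exc)
    return None
```

With the type check in place, a mis-shaped request fails with an error that names the real problem, and a well-formed but unknown ID is reported in full rather than as a single character.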

Comment 2 Kashyap Chamarthy 2014-01-15 10:53:48 EST
Hi, please report this issue upstream, link the respective Launchpad bug as an external tracker, and close this bug as INSUFFICIENT_DATA.

Comment 3 Lars Kellogg-Stedman 2014-02-10 12:11:30 EST
Given the age of this report and the fact that the original reporter's account has been closed, I am closing the bug.

Comment 4 Ofer Blaut 2014-02-11 00:14:56 EST
The bug should be opened upstream; this is not related to the fact that the account has been closed.
