Bug 1014547 - Firewall rules can not be updated in a firewall policy after firewall policy creation
Status: CLOSED UPSTREAM
Alias: None
Product: RDO
Classification: Community
Component: openstack-neutron
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
high
Assignee: RHOS Maint
QA Contact: Ofer Blaut
Whiteboard: network
Reported: 2013-10-02 10:33 UTC by Rami Vaknin
Modified: 2023-09-14 01:51 UTC (History)

Doc Type: Bug Fix
Last Closed: 2014-02-12 06:52:22 UTC


Links
System    | ID      | Private | Priority | Status | Summary | Last Updated
Launchpad | 1279208 | 0       | None     | None   | None    | Never

Description Rami Vaknin 2013-10-02 10:33:08 UTC
Version
=======
RDO havana on RHEL6.4
openstack-neutron-2013.2-0.4.b3.el6


Description
===========
Firewall rules cannot be updated in a firewall policy after the firewall policy creation (at least when the policy was already created with a rule).
It looks like firewall-policy-update looks only at the first char of the policy id and hence reports that this rule was not found.

[root@puma10 ~(keystone_admin)]# neutron firewall-policy-show f1224bee-740e-4aab-bdbe-829d76aeb647
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| audited        | True                                 |
| description    |                                      |
| firewall_rules | 2f381389-3137-48f0-a7ff-86744a63c0cb |
| id             | f1224bee-740e-4aab-bdbe-829d76aeb647 |
| name           | tcp_90_policy                        |
| shared         | True                                 |
| tenant_id      | 699ae084c9df430d83dbb9a547bab2e3     |
+----------------+--------------------------------------+
[root@puma10 ~(keystone_admin)]# neutron firewall-policy-update f1224bee-740e-4aab-bdbe-829d76aeb647 --firewall-rules 4e57336a-4f91-46b8-af00-b5312fa7e175
Firewall Rule 4 could not be found.
[root@puma10 ~(keystone_admin)]# neutron firewall-rule-show 4e57336a-4f91-46b8-af00-b5312fa7e175
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | deny                                 |
| description            |                                      |
| destination_ip_address | 10.35.211.3                          |
| destination_port       | 100                                  |
| enabled                | True                                 |
| firewall_policy_id     |                                      |
| id                     | 4e57336a-4f91-46b8-af00-b5312fa7e175 |
| ip_version             | 4                                    |
| name                   |                                      |
| position               |                                      |
| protocol               | tcp                                  |
| shared                 | False                                |
| source_ip_address      | 10.35.115.14                         |
| source_port            |                                      |
| tenant_id              | 699ae084c9df430d83dbb9a547bab2e3     |
+------------------------+--------------------------------------+
[root@puma10 ~(keystone_admin)]# neutron firewall-policy-update f1224bee-740e-4aab-bdbe-829d76aeb647 --firewall-rules 5e57336a-4f91-46b8-af00-b5312fa7e175
Firewall Rule 5 could not be found.
[root@puma10 ~(keystone_admin)]# neutron firewall-policy-update f1224bee-740e-4aab-bdbe-829d76aeb647 --firewall-rules rami
Firewall Rule r could not be found.


From the server.log
===================

2013-10-02 13:24:11.404 26705 ERROR neutron.api.v2.resource [-] update failed
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource Traceback (most recent call last):
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/api/v2/resource.py", line 84, in resource
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     result = method(request=request, **args)
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/api/v2/base.py", line 486, in update
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     obj = obj_updater(request.context, id, **kwargs)
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/services/firewall/fwaas_plugin.py", line 247, in update_firewall_policy
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     self).update_firewall_policy(context, id, firewall_policy)
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/db/firewall/firewall_db.py", line 302, in update_firewall_policy
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     fwp['firewall_rules'])
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource   File "/usr/lib/python2.6/site-packages/neutron/db/firewall/firewall_db.py", line 185, in _set_rules_for_policy
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource     fwrule_id)
2013-10-02 13:24:11.404 26705 TRACE neutron.api.v2.resource FirewallRuleNotFound: Firewall Rule 4 could not be found.
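
Added example, not part of the original report and not Neutron's code: the errors above name only the first character of whatever was passed, which is what a loop expecting a list of rule ids produces when it is handed a bare string. That cause is an assumption; `RULES`, `set_rules_unvalidated`, `normalize_rule_ids`, `set_rules_validated` and `outcome` are hypothetical names, and only `FirewallRuleNotFound` and the rule id come from the page.

```python
import uuid

# Constructed rule store holding the unattached rule id shown in the report.
RULES = {"4e57336a-4f91-46b8-af00-b5312fa7e175": {"action": "deny"}}

class FirewallRuleNotFound(Exception):
    """Stand-in for the exception named in the traceback."""
    def __init__(self, rule_id):
        super().__init__("Firewall Rule %s could not be found." % rule_id)

def set_rules_unvalidated(rule_ids):
    """Hypothetical lookup loop that trusts rule_ids to be a list."""
    for rule_id in rule_ids:  # a bare str yields one character per iteration
        if rule_id not in RULES:
            raise FirewallRuleNotFound(rule_id)
    return list(rule_ids)

def normalize_rule_ids(value):
    """Accept only a list/tuple of UUID strings; run before any lookup."""
    if not isinstance(value, (list, tuple)):
        raise TypeError("firewall_rules must be a list, got %s"
                        % type(value).__name__)
    ids = []
    for item in value:
        try:
            ids.append(str(uuid.UUID(item)))
        except (AttributeError, TypeError, ValueError):
            raise ValueError("not a rule UUID: %r" % (item,))
    return ids

def set_rules_validated(rule_ids):
    """Same lookup, but the input shape is checked first."""
    return set_rules_unvalidated(normalize_rule_ids(rule_ids))

def outcome(func, value):
    """Return the result, or the error text a client would see."""
    try:
        return func(value)
    except Exception as exc:
        return "%s: %s" % (type(exc).__name__, exc)

if __name__ == "__main__":
    rid = "4e57336a-4f91-46b8-af00-b5312fa7e175"
    for arg in (rid, "rami", [rid]):
        print(repr(arg), "->", outcome(set_rules_unvalidated, arg),
              "|", outcome(set_rules_validated, arg))
```

With the shape check in place, a string argument fails with an error that names the real problem (wrong type) instead of a misleading "rule not found" for an existing rule.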

Comment 2 Kashyap Chamarthy 2014-01-15 15:53:48 UTC
Hi, please report this issue upstream, link the respective Launchpad bug as external tracker, and close this bug as INSUFFICIENT_DATA.

Comment 3 Lars Kellogg-Stedman 2014-02-10 17:11:30 UTC
Given the age of this report and the fact that the original reporter's account has been closed, I am closing the bug.

Comment 4 Ofer Blaut 2014-02-11 05:14:56 UTC
The bug should be opened upstream; this is not related to the fact that the account has been closed.

Comment 5 Red Hat Bugzilla 2023-09-14 01:51:26 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

