Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/

Bug 1082188

Summary: The firewall module used with Nova (Neutron) `will error after instance creation because of openvswitch interface
Product: [Community] RDO Reporter: Andrew Lau <andrew>
Component: openstack-puppet-modulesAssignee: John Eckersberg <jeckersb>
Status: CLOSED CURRENTRELEASE QA Contact: Ami Jeain <ajeain>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: btaylor, clasohm, cristi.falcas, lars, madko, morazi, npatil, sgallego, sputhenp, stgeorgea, yeylon
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-20 20:59:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Andrew Lau 2014-03-29 00:02:56 UTC 
Description of problem:
Post Nova (Neutron) deploy, the puppet module will execute successfully, however after an instance is created on the next puppet run the firewall module will complain because openvswitch has created some new rules:

Puppet Output:

Error: Could not prefetch firewall provider 'iptables': Invalid address from IPAddr.new: FA:16:3E:53:D1:11
Error: /Firewall[001 nova compute incoming]: Could not evaluate: Invalid address from IPAddr.new: FA:16:3E:53:D1:11
Error: /Firewall[001 RPC and gluster daemon incoming UDP]: Could not evaluate: Invalid address from IPAddr.new: FA:16:3E:53:D1:11
Error: /Firewall[001 RPC and gluster daemon incoming]: Could not evaluate: Invalid address from IPAddr.new: FA:16:3E:53:D1:11
Error: /Firewall[002 gluster bricks incoming]: Could not evaluate: Invalid address from IPAddr.new: FA:16:3E:53:D1:11
Error: /Firewall[002 vxlan udp]: Could not evaluate: Invalid address from IPAddr.new: FA:16:3E:53:D1:11

iptables snippet:

Chain neutron-openvswi-s2c31f940-7 (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  10.0.0.25            0.0.0.0/0           MAC FA:16:3E:53:D1:11 
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain neutron-openvswi-sead94d3e-8 (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  10.0.0.26            0.0.0.0/0           MAC FA:16:3E:91:A9:77 
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           



Version-Release number of selected component (if applicable):
icehouse-3

How reproducible:
Always

Steps to Reproduce:
1. Deploy Nova (Neutron)
2. Create a new instance
3. Run puppet agent -tv

Actual results:
firewall provider will error

Expected results:
no error

Additional info:
Comment 1 Allan St. George 2014-03-31 11:38:25 UTC 
This also occurs with OpenStack Havana.
Comment 2 John Eckersberg 2014-04-03 20:16:30 UTC 
This is the upstream pull request to fix this problem - https://github.com/puppetlabs/puppetlabs-firewall/pull/337

Still a work in progress, but looks close to being done.  I'll help out upstream however I can to speed it along.
Comment 3 Edouard Bourguignon 2014-04-16 14:27:40 UTC 
same problem on icehouse
Comment 4 btaylor 2014-05-29 14:05:08 UTC 
just ran into this also after I updated the masquerade rule to use br-ex instead of eth0
Comment 5 Nilesh Patil 2014-07-18 10:48:55 UTC 
Is it still a open bug? I am seeing this issue on our production openstack instance. 

Willing to help in case you need access to box. 

Regards,
Nilesh
Comment 6 John Eckersberg 2014-07-18 12:57:06 UTC 
This is still waiting to be merged upstream, at which point the next rebase of the firewall module will pull it into RDO.  Alternatively we can carry the patch ourselves but I'd rather just get it upstreamed.  I have offered virtual cookies in the pull request as incentive to try and move it along.
Comment 7 Lars Kellogg-Stedman 2015-03-20 20:59:07 UTC 
https://github.com/puppetlabs/puppetlabs-firewall/pull/337 was merged on July 26, 2014, and the fix is included in the RDO Icehouse (and later) packages.