  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-26457

[FWAAS] firewall group ingress allow the traffic with one rule in both side setting specific dest IP and port


    • Bug
    • Resolution: Unresolved
    • Critical
    • neutron-operator
    • Important

      To Reproduce

      Steps to reproduce the behavior:

      1. Enable security groups (allow traffic on port 80).
      2. Create 3 VMs (2 with FIP and 1 VM with direct external) + router.
      3. Create rules with specific IP addresses and port, like:

         openstack firewall group rule create --name http_in --ip-version 4 --source-ip-address 192.168.122.188 --destination-ip-address 192.168.1.203 --protocol tcp --destination-port 80 --action allow

      4. Add the ingress rule (http_in) to a policy rule.
      5. Add the policy rule to ingress in the firewall group and set the router port.
      6. Expected: no traffic, but in this case the traffic is shown.

      Procedure like in this doc: https://docs.google.com/document/d/1wJwsTqGrOLOw-FTyDID8Gd0sD5JcmMvzuA5Ef44_-bo/edit?usp=sharing 

      Note:

      • When the rule is removed from the Ingress Policy of the firewall group, there is no traffic <- expected.
      • When the rule is set in the Egress Policy ID of the firewall group, there is no traffic <- expected.
      • When the rule is

         openstack firewall group rule create --name http_out --ip-version 4 --source-ip-address 192.168.1.203 --destination-ip-address 192.168.122.188 --protocol tcp --source-port 80 --action allow

        and is set in the Egress Policy ID of the firewall group, there is no traffic <- expected.

      FWaaS is stateless; it needs two rules to allow the traffic (in, out). But in this case, it allows the traffic with one rule.

      Version:

      python3-neutronclient-9.0.0-18.0.20251022164653.16a2cd1.el9osttrunk.noarch
      python3-neutron-lib-3.4.3-18.0.20260107131458.f3968ad.el9osttrunk.noarch
      python3-neutron-22.2.2-18.0.20260203154836.51e19bb.el9osttrunk.noarch
      openstack-neutron-common-22.2.2-18.0.20260203154836.51e19bb.el9osttrunk.noarch
      openstack-neutron-22.2.2-18.0.20260203154836.51e19bb.el9osttrunk.noarch
      openstack-neutron-ml2-22.2.2-18.0.20260203154836.51e19bb.el9osttrunk.noarch
      openstack-neutron-rpc-server-22.2.2-18.0.20260203154836.51e19bb.el9osttrunk.noarch
      python3-neutron-fwaas-18.0.1-18.0.20260203125144.5a16356.el9osttrunk.noarch 

       

              skaplons@redhat.com Slawomir Kaplonski
              rh-ee-fyanac Fiorella Yanac
              rhos-dfg-networking-squad-neutron
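
The stateless behaviour the report expects, written out as an added example (not part of the original issue and not neutron-fwaas code). It assumes the request is evaluated against the ingress policy and the reply against the egress policy, first match wins, and unmatched packets are denied; `Packet`, `Rule`, `verdict`, `http_reachable` and `expected_results` are hypothetical names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:  # None in a field means "any"
    name: str
    action: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        addr = lambda spec, a: spec is None or ip_address(a) in ip_network(spec, strict=False)
        port = lambda spec, n: spec is None or spec == n
        return ((self.proto is None or self.proto == p.proto)
                and addr(self.src, p.src) and addr(self.dst, p.dst)
                and port(self.sport, p.sport) and port(self.dport, p.dport))

def verdict(policy, packet):
    # First matching rule decides; no match is denied (assumed implicit default).
    return next((r.action for r in policy if r.matches(packet)), "deny")

def http_reachable(ingress, egress, client, server, client_port=40000):
    # Stateless: no connection tracking, so the reply needs its own allow rule.
    request = Packet(client, server, client_port, 80)
    reply = Packet(server, client, 80, client_port)
    return verdict(ingress, request) == "allow" and verdict(egress, reply) == "allow"

# Rules and addresses from the report; 40000 is a constructed ephemeral port.
CLIENT, SERVER = "192.168.122.188", "192.168.1.203"
HTTP_IN = Rule("http_in", "allow", "tcp", src=CLIENT, dst=SERVER, dport=80)
HTTP_OUT = Rule("http_out", "allow", "tcp", src=SERVER, dst=CLIENT, sport=80)

def expected_results():
    cases = {"http_in in ingress only": ([HTTP_IN], []),
             "http_in in egress only": ([], [HTTP_IN]),
             "http_out in egress only": ([], [HTTP_OUT]),
             "http_in ingress + http_out egress": ([HTTP_IN], [HTTP_OUT])}
    return {k: http_reachable(i, e, CLIENT, SERVER) for k, (i, e) in cases.items()}
```

Only the last case yields traffic in this model; the first case is the one where the report observes traffic on the deployed system.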