Current Series Release Notes

21.0.0-22

New Features

  • L3 stateless firewall support for the ML2/OVN driver is implemented.

Known Issues

  • If the user configures stateful security group rules for VM ports and stateless L3 firewall rules for gateway ports like this:

    • SG ingress rules: --remote_ip_prefix 0.0.0.0/0

    • FW ingress rules: --destination_ip_address 0.0.0.0/0 --action allow

    This configuration only opens ingress traffic for another network to access the VM, but the reply traffic (egress direction) also passes because it matches the committed conntrack entry. So it only works well with stateless security groups for VMs.

Upgrade Notes

  • The neutron-fwaas-migrate-v1-to-v2 tool has been removed. The migration should be completed before Neutron FWaaS is upgraded.

Bug Fixes

  • A change has been made in the database structures to add the missing primary key for the table ‘firewall_group_associations_v2’. This has the beneficial effect of fixing an issue with Percona when running in ENFORCING mode.

  • The logging configuration for Neutron Firewall as a Service (FWaaS) has been enhanced to allow better control over log output destinations. Specifically, when a custom log file is specified using the network_log.local_output_log_base option, logs will no longer be duplicated in the default neutron-l3-agent.log file.