Queens Series Release Notes¶
12.0.0¶
Prelude¶
Adding new tables for future consumption.
Associating default firewall group for new VM ports within a project automatically.
Taking security for VM instance into consideration, we’ve removed an option to disable automatic association with default firewall group feature. Therefore, auto_associate_default_firewall_group has been removed.
Coexistence between security group and firewall group.
Validating if a port is supported by FWaaS V2
Nouvelles fonctionnalités¶
New tables
ACCEPTED_EGRESS_TRAFFIC_TABLE=91
andACCEPTED_INGRESS_TRAFFIC_TABLE=92
&DROPPED_TRAFFIC_TABLE=93
are added to OVS based FWaaS L2 driver for future comsumption like logging service.
The default firewall group won’t be applied to all new VM ports as default. However, if option
auto_associate_default_firewall_group
is enabled in neutron_fwaas.conf like:[fwaas] auto_associate_default_firewall_group = True
Then, the default firewall group will be applied to all new VM ports.
L2 firewall group driver based OVS can work in coexistence mode. That means, if a port is associated with both firewall group and security group, then a packet must be allowed by both features.
Problèmes connus¶
Currently, the FWaaSv2 L2 driver can be configured as:
firewall_driver = ovs
And the Security Group driver is specified as:
firewall_driver = openvswitch
If both are configured, the packet will still only hit the FWaaS table in OVS and will not traverse the rules in the SG table. There are some fixes needed to support this model which are being tested and will be merged shortly. Currently there are no checks to allow only one of FWaaS L2 or SG to be configured.
Bug Fixes¶
The limitation related to logging for security group in case of co-existence between SG and FWG is also fixed.
[bug 1702242] Port range specification of a firewall rule now works expectedly with the reference L3 agent based implementation. Previously, when creating a firewall rule with port range like
8778:9000
, the rule was not deleted correctly and only entries associated with the first port number were clean up. Note that this bug is only applied to the reference L3 agent based implementation.
There is no validation to check if an updated port is for VM or not so far. After this fix, default firewall group association is called only for VM ports which are newly created.
[bug 1746855] Now, FWaaS V2 will validate if a port is supported before adding it to a FWG. This helps to make sure FWaaS V2 API works as expected.
Autres notes¶
If a port is associated with both firewall group & security group and there is a security group logging, which is enabled to collect
DROP
events for this port, then most of invalid packets will be dropped at firewall group for performance reason except first dropped packet, which is allowed by firewall group but not accepted by security group. So not every dropped packet will be logged (like in case of security group works in standalone mode).