Queens Series Release Notes

12.0.0

Prelude

Adding new tables for future consumption.

Associating default firewall group for new VM ports within a project automatically.

Taking security for VM instance into consideration, we’ve removed an option to disable automatic association with default firewall group feature. Therefore, auto_associate_default_firewall_group has been removed.

Coexistence between security group and firewall group.

Validating if a port is supported by FWaaS V2

New Features

  • New tables ACCEPTED_EGRESS_TRAFFIC_TABLE=91 and ACCEPTED_INGRESS_TRAFFIC_TABLE=92 & DROPPED_TRAFFIC_TABLE=93 are added to OVS based FWaaS L2 driver for future comsumption like logging service.

  • The default firewall group won’t be applied to all new VM ports as default. However, if option auto_associate_default_firewall_group is enabled in neutron_fwaas.conf like:

    [fwaas] auto_associate_default_firewall_group = True

    Then, the default firewall group will be applied to all new VM ports.

  • L2 firewall group driver based OVS can work in coexistence mode. That means, if a port is associated with both firewall group and security group, then a packet must be allowed by both features.

Known Issues

  • Currently, the FWaaSv2 L2 driver can be configured as:

    firewall_driver = ovs

    And the Security Group driver is specified as:

    firewall_driver = openvswitch

    If both are configured, the packet will still only hit the FWaaS table in OVS and will not traverse the rules in the SG table. There are some fixes needed to support this model which are being tested and will be merged shortly. Currently there are no checks to allow only one of FWaaS L2 or SG to be configured.

Bug Fixes

  • The limitation related to logging for security group in case of co-existence between SG and FWG is also fixed.

  • [bug 1702242] Port range specification of a firewall rule now works expectedly with the reference L3 agent based implementation. Previously, when creating a firewall rule with port range like 8778:9000, the rule was not deleted correctly and only entries associated with the first port number were clean up. Note that this bug is only applied to the reference L3 agent based implementation.

  • There is no validation to check if an updated port is for VM or not so far. After this fix, default firewall group association is called only for VM ports which are newly created.

  • [bug 1746855] Now, FWaaS V2 will validate if a port is supported before adding it to a FWG. This helps to make sure FWaaS V2 API works as expected.

Other Notes

  • If a port is associated with both firewall group & security group and there is a security group logging, which is enabled to collect DROP events for this port, then most of invalid packets will be dropped at firewall group for performance reason except first dropped packet, which is allowed by firewall group but not accepted by security group. So not every dropped packet will be logged (like in case of security group works in standalone mode).