Zed Series Release Notes



Adding new tables for future consumption.

Associating default firewall group for new VM ports within a project automatically.

Taking security for VM instance into consideration, we’ve removed an option to disable automatic association with default firewall group feature. Therefore, auto_associate_default_firewall_group has been removed.

The Cisco Firewall Driver is being moved from the FWaaS repo to the Cisco specific repo: https://github.com/openstack/networking-cisco

Coexistence between security group and firewall group.

Generation of sample Neutron FWaaS configuration files.

Enable quotas for FWaaS.

Resource type firewall group has been supported for neutron packet logging framework. You can specify firewall group as --resource-type for logging API.

The FWaaS team is pleased to release FWaaS v2.0. This release of FWaaS supports either the original FWaaS v1 or the new FWaaS v2.

  • The McAfee Firewall Driver is being removed from the FwaaS repo, due to lack of active maintainers.

  • FWaaS V1 is being removed from the neutron-fwaas repo. Because FWaaS V2 has been available since the Newton release.

Validating if a port is supported by FWaaS V2

  • The vArmour Firewall Driver is being removed from the FwaaS repo, as per decision to remove vendor drivers from the community repo.

  • The vyatta Firewall Driver is being removed from the FwaaS repo,

    as per decision to remove vendor drivers from the community repo.

New Features

  • New tables ACCEPTED_EGRESS_TRAFFIC_TABLE=91 and ACCEPTED_INGRESS_TRAFFIC_TABLE=92 & DROPPED_TRAFFIC_TABLE=93 are added to OVS based FWaaS L2 driver for future comsumption like logging service.

  • The default firewall group won’t be applied to all new VM ports as default. However, if option auto_associate_default_firewall_group is enabled in neutron_fwaas.conf like:

    [fwaas] auto_associate_default_firewall_group = True

    Then, the default firewall group will be applied to all new VM ports.

  • L2 firewall group driver based OVS can work in coexistence mode. That means, if a port is associated with both firewall group and security group, then a packet must be allowed by both features.

  • Neutron FWaaS no longer includes static example configuration files. Instead, use tools/generate_config_file_samples.sh to generate them. The files are generated with a .sample extension.

  • The FWaaS extension will register quotas. The default values for quota_firewall and quota_firewall_policy are set to 10. The default value for quota_firewall_rule is set to 100. Quotas can be adjusted in the conf files, including -1 values to allow unlimited.

  • Neutron Firewall as a Service can be configured by the users with the newly introduced fwaas configuration file.

  • Enable to collect network packet log for ACCEPT/DROP action from firewall groups. Currently, packet logging supports only L3(router) ports.

  • In FWaaS v2 firewall policies are applied to router ports, as opposed to applying to routers in FWaaS v1.

  • Earlier the FWaaS agent integrated with the L3 agent by having the L3 Agent class inherit from the FWaaS Agent class. This meant that other service agents could not also integrate with the L3 agent. Now, using the L3 agent extensions mechanism, FWaaS (v1 and v2) plugs in to the L3 agent. This means that it can interoperate peacefully with other L3 advanced services that also implement the L3 agent extension mechanism, all without any code changes to Neutron.

Known Issues

  • Tenants may receive a 409 Conflict error with a message body containing a quota exceeded message during resource creation if their quota is exceeded.

  • [bug 1720727] Currently, we cannot specify the following combination on CLI due to missing validation of –resource-type:

    • –resource-type firewall_group –resource <ID of firewall group>

    • –resource-type firewall_group –resource <ID of firewall group> –target <ID of port>

    Therefore, you can only run with following combinations:

    • –resource-type firewall_group –target <ID of port>

    • –resource-type firewall_group

  • Currently, the FWaaSv2 L2 driver can be configured as:

    firewall_driver = ovs

    And the Security Group driver is specified as:

    firewall_driver = openvswitch

    If both are configured, the packet will still only hit the FWaaS table in OVS and will not traverse the rules in the SG table. There are some fixes needed to support this model which are being tested and will be merged shortly. Currently there are no checks to allow only one of FWaaS L2 or SG to be configured.

Upgrade Notes

  • The Cisco FWaaS driver will not be available from the neutron-fwaas repo in Newton. For the Cisco FWaaS driver, refer to the openstack/networking-cisco repo.

  • Python 2.7 support has been dropped. The minimum version of Python now supported by neutron-fwaas is Python 3.6.

  • Python 3.6 & 3.7 support has been dropped. The minimum version of Python now supported is Python 3.8.

  • There is not currently a defined upgrade path from FWaaS v1 to FWaaS v2.

  • FWaaS v1 can not be enabled at the same time as FWaaS v2; one or the other must be chosen.

  • The McAfee Firewall Driver will not be available for use in the Newton release.

  • The FWaaS V1 source code will not be available in neutron-fwaas repo from Stein. neutron-fwaas-migrate-v1-to-v2 can be used for migrating V1 object to V2 model.

  • The vArmour Firewall Driver will not be available for use in the Newton release.

  • The vyatta Firewall Driver will not be available for use in the Newton release from the community repo.

Bug Fixes

  • The limitation related to logging for security group in case of co-existence between SG and FWG is also fixed.

  • [bug 1702242] Port range specification of a firewall rule now works expectedly with the reference L3 agent based implementation. Previously, when creating a firewall rule with port range like 8778:9000, the rule was not deleted correctly and only entries associated with the first port number were clean up. Note that this bug is only applied to the reference L3 agent based implementation.

  • There is no validation to check if an updated port is for VM or not so far. After this fix, default firewall group association is called only for VM ports which are newly created.

  • There was no way to define default firewall group rules. Default firewall group rules can be now defined in neutron_fwaas.conf in section default_fwg_rules. Default firewall group rules are same as hardcoded values before.

  • [bug 1746855] Now, FWaaS V2 will validate if a port is supported before adding it to a FWG. This helps to make sure FWaaS V2 API works as expected.

Other Notes

  • If a port is associated with both firewall group & security group and there is a security group logging, which is enabled to collect DROP events for this port, then most of invalid packets will be dropped at firewall group for performance reason except first dropped packet, which is allowed by firewall group but not accepted by security group. So not every dropped packet will be logged (like in case of security group works in standalone mode).

  • Operators that increase the default limit for quota_routers from 10 may want to bump FWaaS quotas as well, since with router insertion a tenant can potentially have a unique policy and firewall for each router.



Neutron-fwaas project is now deprecated in the Neutron stadium.

Deprecation Notes

  • Due to lack of maintainers neutron-fwaas project is now deprecated in the Neutron stadium. There is no planned releases of this project in the Victoria cycle. In W cycle project will be moved out from the stadium to the unofficial OpenStack projects. If You want to step in and be maintainer of this project to keep it in the Neutron stadium, please contact the neutron team via openstack-discuss@lists.openstack.org or IRC channel #openstack-neutron @freenode.