Current Series Release Notes

21.0.0-21

New Features

  • L3 stateless firewall support for ML2/OVN driver is implemented.

Known Issues

  • If the user configures stateful security group rules for VMs ports and stateless L3 firewall rules for gateway ports like this:

    • SG ingress rules: –remote_ip_prefix 0.0.0.0/0

    • FW ingress rules: –destination_ip_address 0.0.0.0/0 –action allow

    It only opens ingress traffic for another network to access VM, but the reply traffic (egress direction) also passes because it matches the committed conntrack entry. So it only works well with stateless security groups for VMs.

Upgrade Notes

  • The neutron-fwaas-migrate-v1-to-v2 tool has been removed. The migration should be completed before Neutron FWaaS is upgraded.

Bug Fixes

  • A change has been made in the database structures to add missing primary key for the table ‘firewall_group_associations_v2’. This would have the benefit effect to fix an issue with Percona when running in ENFORCING mode.