When a firewall is created after the routers have been deployed,
we are supposed to manually do a firewall-update on specific routers
where we wanted the firewall policy to be applied in the case of
But in the case of DVR routers, we have seen the firewall-update
for routers that are deployed in the compute hosts are not getting
The reason is the firewall update, firewall delete and firewall
create events are not notified to all the respective router hosts.
The original code only handles getting the host information from
the routers that are scheduled to the l3 agent, but in the case of
DVR routers, the routers are only scheduled to the network node l3
agents and the other distributed routers on compute are created
based on the service port binding.
This bug is applicable only for FWaaS-v1 and the patch should be
applied for Rocky release and below, since FWaaS-v1 is not supported
in Stein and Train release.
This patch fixes the problem described above by taking care of
collecting all the hosts involved with DVR routers and notifying
(cherry picked from commit