
yahoo-eng-team team mailing list archive

[Bug 1325986] [NEW] When VM do not have fixed_ip, Allowed address pair should not allow all the IPs by default


Public bug reported:

If we create a VM without fixed_ip, the following rule will be added in
the spoof filter chain:

neutron/agent/linux/iptables_firewall.py
    def _setup_spoof_filter_chain(self, port, table, mac_ip_pairs, rules):
        if mac_ip_pairs:
            chain_name = self._port_chain_name(port, SPOOF_FILTER)
            table.add_chain(chain_name)
            for mac, ip in mac_ip_pairs:
                if ip is None:
                    # If fixed_ips is [] this rule will be added to the end
                    # of the list after the allowed_address_pair rules.
                    table.add_rule(chain_name,
                                   '-m mac --mac-source %s -j RETURN'
                                   % mac)

Then we will have the following rule after allowed_address_pair rules:
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC $MAC_ADDRESS

This rule will match all the IPs, but here we should not allow all the IPs ...
So I think we should not add this rule.

** Affects: neutron
     Importance: Undecided
     Assignee: Liping Mao (limao)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => Liping Mao (limao)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1325986

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1325986/+subscriptions
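The following is an added illustration for the report above; it is not neutron's own code. It models, in a simplified way, how the per-port spoof filter chain is assembled from allowed address pairs and fixed IPs (rule strings in the driver's format, with the trailing DROP assumed), and walks the chain the way iptables does so the effect of the MAC-only RETURN rule can be checked. The function names, the rule evaluator and the sample MAC/IP values are assumptions constructed for the example.

```python
"""Simplified model of the anti-spoofing (spoof filter) chain that the
neutron iptables firewall driver builds per port, and of how iptables
evaluates it (first matching rule decides).

Illustration added to the bug report; not neutron's code. The evaluator
only understands the three rule shapes emitted below (assumption).
"""
import ipaddress
import re

# Parses '-m mac --mac-source MAC [-s IP] -j RETURN' and '-j DROP'.
RULE_RE = re.compile(
    r'^(?:-m mac --mac-source (?P<mac>\S+))?\s*'
    r'(?:-s (?P<src>\S+))?\s*-j (?P<target>RETURN|DROP)$')


def build_spoof_filter_rules(mac, fixed_ips, allowed_address_pairs,
                             add_mac_only_rule=True):
    """Return the rule list for one port's spoof filter chain.

    add_mac_only_rule=True reproduces the behaviour described in the
    report: when the port has no fixed IPs a MAC-only RETURN rule is
    appended after the allowed_address_pair rules.
    add_mac_only_rule=False is the proposed behaviour (rule skipped).
    """
    rules = []
    # Allowed address pairs first, each as MAC + IP/CIDR RETURN rule.
    for ap_mac, ap_ip in allowed_address_pairs:
        rules.append('-m mac --mac-source %s -s %s -j RETURN'
                     % (ap_mac, ap_ip))
    # Fixed IPs next; an empty fixed_ips list yields the (mac, None) pair.
    mac_ip_pairs = [(mac, ip) for ip in fixed_ips] or [(mac, None)]
    for pair_mac, ip in mac_ip_pairs:
        if ip is None:
            if add_mac_only_rule:
                rules.append('-m mac --mac-source %s -j RETURN' % pair_mac)
        else:
            rules.append('-m mac --mac-source %s -s %s -j RETURN'
                         % (pair_mac, ip))
    # Whatever was not returned above is treated as spoofed (assumed).
    rules.append('-j DROP')
    return rules


def packet_allowed(rules, src_mac, src_ip):
    """Walk the chain in order; True if a RETURN rule matches before DROP."""
    for rule in rules:
        m = RULE_RE.match(rule.strip())
        if not m:
            raise ValueError('unsupported rule: %r' % rule)
        if m.group('mac') and m.group('mac').lower() != src_mac.lower():
            continue
        if m.group('src'):
            net = ipaddress.ip_network(m.group('src'), strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                continue
        return m.group('target') == 'RETURN'
    return True  # empty chain: nothing blocks (not reachable here)


if __name__ == '__main__':
    # Constructed sample port: no fixed IP, one allowed address pair.
    MAC = 'fa:16:3e:00:00:01'
    pairs = [(MAC, '10.0.0.5')]
    current = build_spoof_filter_rules(MAC, [], pairs)
    proposed = build_spoof_filter_rules(MAC, [], pairs,
                                        add_mac_only_rule=False)
    for label, chain in (('current', current), ('proposed', proposed)):
        print(label, chain)
        for ip in ('10.0.0.5', '192.168.1.1'):
            print('  src %s -> %s' % (ip, packet_allowed(chain, MAC, ip)))
```

With the MAC-only rule present, any source IP sent from the port's own MAC reaches a RETURN before the DROP, which is the behaviour the report objects to; with the rule skipped, only the allowed address pair (or the fixed IPs, when the port has them) passes and everything else from that MAC is dropped.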