yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #40143
[Bug 1460741] Re: security groups iptables can block legitimate traffic as INVALID
** Changed in: neutron/kilo
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1460741
Title:
security groups iptables can block legitimate traffic as INVALID
Status in neutron:
Fix Released
Status in neutron kilo series:
Fix Released
Bug description:
The iptables implementation of security groups includes a default rule
to drop any INVALID packets (according to the Linux connection state
tracking system.) It looks like this:
-A neutron-openvswi-od0518220-e -m state --state INVALID -j DROP
This is placed near the top of the rule stack, before any security
group rules added by the user. See:
https://github.com/openstack/neutron/blob/stable/kilo/neutron/agent/linux/iptables_firewall.py#L495
https://github.com/openstack/neutron/blob/stable/kilo/neutron/agent/linux/iptables_firewall.py#L506-L510
However, there are some cases where you would not want traffic marked
as INVALID to be dropped here. Specifically, our use case:
We have a load balancing scheme where requests from the LB are
tunneled as IP-in-IP encapsulation between the LB and the VM.
Response traffic is configured for DSR, so the responses go directly
out the default gateway of the VM.
The results of this are iptables on the hypervisor does not see the
initial SYN from the LB to VM (because it is encapsulated in IP-in-
IP), and thus it does not make it into the connection table. The
response that comes out of the VM (not encapsulated) hits iptables on
the hypervisor and is dropped as invalid.
I'd like to see a Neutron option to enable/disable the population of
this INVALID state rule, so that operators (such as us) can disable it
if desired. Obviously it's better in general to keep it in there to
drop invalid packets, but there are cases where you would like to not
do this.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1460741/+subscriptions
References