
yahoo-eng-team team mailing list archive

[Bug 1359523] Re: Security group rules are erroneously applied to all ports having same ip addresses in different networks

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1359523

Title:
  Security group rules are erroneously applied to all ports having same
  ip addresses in different networks

Status in neutron:
  Fix Released

Bug description:
  The following steps happen in the same host machine.

  1. tenant1 creates vm1 with network net1 and ip 199.168.1.2
  2. tenant1 creates vm2 with network net1 and ip 199.168.1.4
  3. configure the security group of vm1 and vm2 so they can communicate over a tcp connection
  4. tenant2 creates vm3 with network net2 and ip 199.168.1.2
  5. tenant2 creates vm4 with network net2 and ip 199.168.1.4
  6. configure the security group of vm3 and vm4 so they can't communicate over a tcp connection
  7. create a tcp connection between vm1 and vm2, success
  8. create a tcp connection between vm3 and vm4 when vm1 and vm2 are still connecting, success, whereas failure is expected

  This problem occurs because these two connections share the same
  5-tuple, so conntrack lets the packets between vm3 and vm4 pass.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1359523/+subscriptions
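
The collision described in the bug, as an added example that is not part of the original report or of neutron's code: a toy connection tracker replays steps 7 and 8, first keyed by the 5-tuple alone and then with the network id added to the key, the way netfilter conntrack zones partition the table. The class and function names and the port numbers are hypothetical.

```python
from collections import namedtuple

# Constructed model of a stateful filter; not neutron or netfilter code.
FiveTuple = namedtuple("FiveTuple", "proto src sport dst dport")


def reverse(ft):
    """5-tuple of the reply direction of the same connection."""
    return FiveTuple(ft.proto, ft.dst, ft.dport, ft.src, ft.sport)


class Tracker:
    """Toy connection tracker shared by every port on one host.

    zoned=False keys entries by the 5-tuple alone (the behaviour in the report).
    zoned=True adds the network id to the key (hypothetical per-network zone).
    """

    def __init__(self, zoned):
        self.zoned = zoned
        self.table = set()

    def _key(self, net, ft):
        return (net, ft) if self.zoned else ft

    def verdict(self, net, ft, sg_allows_new):
        """Decide one packet: established state is checked before the rules."""
        if {self._key(net, ft), self._key(net, reverse(ft))} & self.table:
            return "ACCEPT-ESTABLISHED"
        if sg_allows_new:
            self.table.add(self._key(net, ft))
            return "ACCEPT-NEW"
        return "DROP"


def replay(zoned):
    """Replay steps 7 and 8 of the report; the ports are constructed values."""
    tracker = Tracker(zoned)
    flow = FiveTuple("tcp", "199.168.1.2", 40000, "199.168.1.4", 8080)
    step7 = tracker.verdict("net1", flow, sg_allows_new=True)   # vm1 -> vm2
    step8 = tracker.verdict("net2", flow, sg_allows_new=False)  # vm3 -> vm4
    return step7, step8


if __name__ == "__main__":
    print("5-tuple key only:  ", replay(zoned=False))
    print("network id in key: ", replay(zoned=True))
```

With the 5-tuple as the only key, the vm3-to-vm4 packet matches the entry created by vm1 and vm2 and never reaches net2's security group rules; with the network id in the key it is evaluated against them and dropped.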

