← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #43965

[Bug 1531036] [NEW] Ip table rules for IP/MAC spoofing added when DHCP is disabled

  Thread PreviousDate PreviousThread Next 
Public bug reported:

When a network is created that has DHCP disabled Neutron still creates
IP/MAC spoof rules to stop the wrong IP being used from a MAC address,
the problem with this is that if DHCP is provided by an external source
on the network that's not Neutron the wrong IP is added to the firewall
and prevents the instance for being able to communicate.


Example:

Instance "net-test" is attached to two networks, Public & QA, Public
provides DHCP to the instance via Neutron whilst QA network provides
DHCP from Windows Server 2012 attached to the same VLAN.

Neutron expects the instance to get 198.18.0.2 for its Public network
interface and 198.18.64.1 for its QA network interface so it adds the
following rules to IPTables:

Chain neutron-linuxbri-xxxxxxxx-x (1 references)
 pkts   bytes                 target           prot     opt     in     out     source                     destination
    0       0                         RETURN     all           --         *      *         192.168.64.1         0.0.0.0/0             MAC FA:16:3E:DF:19:1A
    0       0                        DROP          all           --          *      *         0.0.0.0/0                0.0.0.0/0

Chain neutron-linuxbri-xxxxxxxx-x (1 references)
 pkts   bytes                 target           prot     opt     in     out     source                     destination
    0       0                         RETURN     all           --         *      *         198.18.0.2              0.0.0.0/0             MAC FA:16:3E:45:B9:04
    0       0                         DROP          all           --          *      *         0.0.0.0/0                0.0.0.0/0

If the Windows 2k12 server returns anything other than 192.168.64.1 to
the instance for DHCP on the QA network the instance can no longer
communicate on the QA network.


How to reproduce:

1. Create VLAN network and subnet with gateway and DHCP disabled.
2. Setup external DHCP service separate from OpenStack on the same VLAN
3. Launch instance on OpenStack attached to the VLAN network


Versions:
  Neutron: 2:7.0.0-0ubuntu1~cloud0
  Distro: Ubuntu 14.04.3 LTS


Perceived severity: Show stopper - We are unable to use the infrastructure as required due to this bug and the only option right now is to disable neutron firewall drivers till the issue is resolved.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1531036

Title:
  Ip table rules for IP/MAC spoofing added when DHCP is disabled

Status in neutron:
  New

Bug description:
  When a network is created that has DHCP disabled Neutron still creates
  IP/MAC spoof rules to stop the wrong IP being used from a MAC address,
  the problem with this is that if DHCP is provided by an external
  source on the network that's not Neutron the wrong IP is added to the
  firewall and prevents the instance for being able to communicate.


  Example:

  Instance "net-test" is attached to two networks, Public & QA, Public
  provides DHCP to the instance via Neutron whilst QA network provides
  DHCP from Windows Server 2012 attached to the same VLAN.

  Neutron expects the instance to get 198.18.0.2 for its Public network
  interface and 198.18.64.1 for its QA network interface so it adds the
  following rules to IPTables:

  Chain neutron-linuxbri-xxxxxxxx-x (1 references)
   pkts   bytes                 target           prot     opt     in     out     source                     destination
      0       0                         RETURN     all           --         *      *         192.168.64.1         0.0.0.0/0             MAC FA:16:3E:DF:19:1A
      0       0                        DROP          all           --          *      *         0.0.0.0/0                0.0.0.0/0

  Chain neutron-linuxbri-xxxxxxxx-x (1 references)
   pkts   bytes                 target           prot     opt     in     out     source                     destination
      0       0                         RETURN     all           --         *      *         198.18.0.2              0.0.0.0/0             MAC FA:16:3E:45:B9:04
      0       0                         DROP          all           --          *      *         0.0.0.0/0                0.0.0.0/0

  If the Windows 2k12 server returns anything other than 192.168.64.1 to
  the instance for DHCP on the QA network the instance can no longer
  communicate on the QA network.


  How to reproduce:

  1. Create VLAN network and subnet with gateway and DHCP disabled.
  2. Setup external DHCP service separate from OpenStack on the same VLAN
  3. Launch instance on OpenStack attached to the VLAN network


  Versions:
    Neutron: 2:7.0.0-0ubuntu1~cloud0
    Distro: Ubuntu 14.04.3 LTS

  
  Perceived severity: Show stopper - We are unable to use the infrastructure as required due to this bug and the only option right now is to disable neutron firewall drivers till the issue is resolved.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1531036/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next