yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1531036] Re: Ip table rules for IP/MAC spoofing added when DHCP is disabled

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Soumiyajit <soumiyajit@xxxxxxxxxxxxxxxxxx>
Date: Fri, 11 Mar 2016 10:01:26 -0000
Reply-to: Bug 1531036 <1531036@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: neutron
       Status: New => Confirmed

** Changed in: neutron
       Status: Confirmed => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1531036

Title:
  Ip table rules for IP/MAC spoofing added when DHCP is disabled

Status in neutron:
  Opinion

Bug description:
  When a network is created that has DHCP disabled Neutron still creates
  IP/MAC spoof rules to stop the wrong IP being used from a MAC address,
  the problem with this is that if DHCP is provided by an external
  source on the network that's not Neutron the wrong IP is added to the
  firewall and prevents the instance for being able to communicate.


  Example:

  Instance "net-test" is attached to two networks, Public & QA, Public
  provides DHCP to the instance via Neutron whilst QA network provides
  DHCP from Windows Server 2012 attached to the same VLAN.

  Neutron expects the instance to get 198.18.0.2 for its Public network
  interface and 198.18.64.1 for its QA network interface so it adds the
  following rules to IPTables:

  Chain neutron-linuxbri-xxxxxxxx-x (1 references)
   pkts   bytes                 target           prot     opt     in     out     source                     destination
      0       0                         RETURN     all           --         *      *         192.168.64.1         0.0.0.0/0             MAC FA:16:3E:DF:19:1A
      0       0                        DROP          all           --          *      *         0.0.0.0/0                0.0.0.0/0

  Chain neutron-linuxbri-xxxxxxxx-x (1 references)
   pkts   bytes                 target           prot     opt     in     out     source                     destination
      0       0                         RETURN     all           --         *      *         198.18.0.2              0.0.0.0/0             MAC FA:16:3E:45:B9:04
      0       0                         DROP          all           --          *      *         0.0.0.0/0                0.0.0.0/0

  If the Windows 2k12 server returns anything other than 192.168.64.1 to
  the instance for DHCP on the QA network the instance can no longer
  communicate on the QA network.


  How to reproduce:

  1. Create VLAN network and subnet with gateway and DHCP disabled.
  2. Setup external DHCP service separate from OpenStack on the same VLAN
  3. Launch instance on OpenStack attached to the VLAN network


  Versions:
    Neutron: 2:7.0.0-0ubuntu1~cloud0
    Distro: Ubuntu 14.04.3 LTS

  
  Perceived severity: Show stopper - We are unable to use the infrastructure as required due to this bug and the only option right now is to disable neutron firewall drivers till the issue is resolved.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1531036/+subscriptions

References

[Bug 1531036] [NEW] Ip table rules for IP/MAC spoofing added when DHCP is disabled
From: Liam Haworth, 2016-01-05