
yahoo-eng-team team mailing list archive

[Bug 1549443] Re: Port Security does not consistently update nova iptables


Reviewed:  https://review.openstack.org/421832
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a8b6a597b6aab7cd3b0a5d0c3baad75af395fe1d
Submitter: Jenkins
Branch:    master

commit a8b6a597b6aab7cd3b0a5d0c3baad75af395fe1d
Author: Bernard Cafarelli <bcafarel@xxxxxxxxxx>
Date:   Thu Jan 19 14:14:12 2017 +0100

    Revert "Setup firewall filters only for required ports"
    
    This reverts commit 75edc1ff28a460342a9b5e5b7d63c6f4fb59862d.
    
    Ports with port security disabled require firewall entries in
    neutron-openvswi-FORWARD chain to work properly.
    Ports created with no security groups will not get skipped with current
    code.
    With fixed security groups check, these ports' security groups can not
    be updated after creation.
    
    Change-Id: I95ddbe38d8ac8a927a860a98f54e41e17fb71d43
    Closes-Bug: #1549443


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1549443

Title:
  Port Security does not consistently update nova iptables

Status in neutron:
  Fix Released

Bug description:
  I have created a network with port security set to enabled.  I have
  set --no-security-group and --port_security_enabled=False on the port,
  however the iptables rules on the hypervisor are not consistently set.

  I have 2 VMs on this hypervisor:

  VM1: 
  tap0cc26c65-d1

  VM2: 
  tap672dbe42-10

  Dump of iptables-save:
  -A INPUT -j neutron-openvswi-INPUT
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p icmp -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  -A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
  -A INPUT -j REJECT --reject-with icmp-host-prohibited
  -A FORWARD -j neutron-filter-top
  -A FORWARD -j neutron-openvswi-FORWARD
  -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  -A OUTPUT -j neutron-filter-top
  -A OUTPUT -j neutron-openvswi-OUTPUT
  -A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
  -A neutron-filter-top -j neutron-openvswi-local
  -A neutron-openvswi-FORWARD -m physdev --physdev-out tap85e24fb1-61 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
  -A neutron-openvswi-FORWARD -m physdev --physdev-in tap85e24fb1-61 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
  -A neutron-openvswi-FORWARD -m physdev --physdev-out tap1fe43774-ef --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
  -A neutron-openvswi-FORWARD -m physdev --physdev-in tap1fe43774-ef --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
  -A neutron-openvswi-FORWARD -m physdev --physdev-out tap0cc26c65-d1 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-openvswi-FORWARD -m physdev --physdev-in tap0cc26c65-d1 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-openvswi-INPUT -m physdev --physdev-in tap85e24fb1-61 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o85e24fb1-6
  -A neutron-openvswi-INPUT -m physdev --physdev-in tap1fe43774-ef --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o1fe43774-e
  -A neutron-openvswi-INPUT -m physdev --physdev-in tap0cc26c65-d1 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-openvswi-i1fe43774-e -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
  -A neutron-openvswi-i1fe43774-e -s 10.1.51.1/32 -p udp -m udp --sport 67 -m udp --dport 68 -j RETURN
  -A neutron-openvswi-i1fe43774-e -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
  -A neutron-openvswi-i1fe43774-e -p udp -m udp -m multiport --dports 1:65535 -j RETURN
  -A neutron-openvswi-i1fe43774-e -m set --match-set NIPv4a5bf8991-231c-43db-9dd0- src -j RETURN
  -A neutron-openvswi-i1fe43774-e -p icmp -j RETURN
  -A neutron-openvswi-i1fe43774-e -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
  -A neutron-openvswi-i1fe43774-e -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
  -A neutron-openvswi-i85e24fb1-6 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
  -A neutron-openvswi-i85e24fb1-6 -s 10.1.51.1/32 -p udp -m udp --sport 67 -m udp --dport 68 -j RETURN
  -A neutron-openvswi-i85e24fb1-6 -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
  -A neutron-openvswi-i85e24fb1-6 -p udp -m udp -m multiport --dports 1:65535 -j RETURN
  -A neutron-openvswi-i85e24fb1-6 -m set --match-set NIPv4a5bf8991-231c-43db-9dd0- src -j RETURN
  -A neutron-openvswi-i85e24fb1-6 -p icmp -j RETURN
  -A neutron-openvswi-i85e24fb1-6 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
  -A neutron-openvswi-i85e24fb1-6 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
  -A neutron-openvswi-o1fe43774-e -p udp -m udp --sport 68 -m udp --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
  -A neutron-openvswi-o1fe43774-e -j neutron-openvswi-s1fe43774-e
  -A neutron-openvswi-o1fe43774-e -p udp -m udp --sport 67 -m udp --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
  -A neutron-openvswi-o1fe43774-e -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
  -A neutron-openvswi-o1fe43774-e -j RETURN
  -A neutron-openvswi-o1fe43774-e -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
  -A neutron-openvswi-o1fe43774-e -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
  -A neutron-openvswi-o85e24fb1-6 -p udp -m udp --sport 68 -m udp --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
  -A neutron-openvswi-o85e24fb1-6 -j neutron-openvswi-s85e24fb1-6
  -A neutron-openvswi-o85e24fb1-6 -p udp -m udp --sport 67 -m udp --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
  -A neutron-openvswi-o85e24fb1-6 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
  -A neutron-openvswi-o85e24fb1-6 -j RETURN
  -A neutron-openvswi-o85e24fb1-6 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
  -A neutron-openvswi-o85e24fb1-6 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
  -A neutron-openvswi-s1fe43774-e -s 10.1.50.200/32 -m mac --mac-source FA:16:3E:05:6F:A4 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
  -A neutron-openvswi-s1fe43774-e -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
  -A neutron-openvswi-s85e24fb1-6 -s 10.1.50.201/32 -m mac --mac-source FA:16:3E:73:89:67 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
  -A neutron-openvswi-s85e24fb1-6 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
  -A neutron-openvswi-sg-chain -m physdev --physdev-out tap85e24fb1-61 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i85e24fb1-6
  -A neutron-openvswi-sg-chain -m physdev --physdev-in tap85e24fb1-61 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-o85e24fb1-6
  -A neutron-openvswi-sg-chain -m physdev --physdev-out tap1fe43774-ef --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i1fe43774-e
  -A neutron-openvswi-sg-chain -m physdev --physdev-in tap1fe43774-ef --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-o1fe43774-e
  -A neutron-openvswi-sg-chain -j ACCEPT
  -A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
  COMMIT

  
  VM1 passes traffic just fine, VM2 does not because no rule is added.

  I manually added these rules and traffic passes just fine:
  iptables -A neutron-openvswi-INPUT -m physdev --physdev-in tap672dbe42-10 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  iptables -A neutron-openvswi-FORWARD -m physdev --physdev-out tap672dbe42-10 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  iptables -A neutron-openvswi-FORWARD -m physdev --physdev-in tap672dbe42-10 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT

  
  Here is the port-show output for each:
  root@xxxxxxxxxxxxxxxxxxxxxx.cin1 > neutron port-show 672dbe42-10bb-4196-80ad-70a81488ad51
  +-----------------------+--------------------------------------------------------------------------------------------------------------+
  | Field                 | Value                                                                                                        |
  +-----------------------+--------------------------------------------------------------------------------------------------------------+
  | admin_state_up        | True                                                                                                         |
  | allowed_address_pairs |                                                                                                              |
  | binding:host_id       | osc-1031.prd.cin1                                                                     |
  | binding:profile       | {}                                                                                                           |
  | binding:vif_details   | {"port_filter": true, "ovs_hybrid_plug": true}                                                               |
  | binding:vif_type      | ovs                                                                                                          |
  | binding:vnic_type     | normal                                                                                                       |
  | device_id             | f4037cdd-e1ab-4e84-88e0-ef94f1b95b39                                                                         |
  | device_owner          | compute:None                                                                                                 |
  | dns_assignment        | {"hostname": "host-8XXXXXX", "ip_address": "8.XXXXXX, "fqdn": "host-8-XXXXX.openstacklocal."} |
  | dns_name              |                                                                                                              |
  | extra_dhcp_opts       |                                                                                                              |
  | fixed_ips             | {"subnet_id": "b3409c40-d6e2-461a-8722-8e5e52624d52", "ip_address": "8.XXXXX"}                          |
  | id                    | 672dbe42-10bb-4196-80ad-70a81488ad51                                                                         |
  | mac_address           | fa:16:3e:4a:18:df                                                                                            |
  | name                  |                                                                                                              |
  | network_id            | 0270175b-6c53-40ca-bb9e-22e2635cdaeb                                                                         |
  | port_security_enabled | False                                                                                                        |
  | security_groups       |                                                                                                              |
  | status                | ACTIVE                                                                                                       |
  | tenant_id             | 42858ac565df4bf8aec64f871fe7e955                                                                             |
  +-----------------------+--------------------------------------------------------------------------------------------------------------+
  root@xxxxxxxxxxxxxxxxxxxxxx.cin1 > neutron port-show 0cc26c65-d1d7-45b1-a974-43fafc28a1ec 
  +-----------------------+--------------------------------------------------------------------------------------------------------------+
  | Field                 | Value                                                                                                        |
  +-----------------------+--------------------------------------------------------------------------------------------------------------+
  | admin_state_up        | True                                                                                                         |
  | allowed_address_pairs |                                                                                                              |
  | binding:host_id       | osc-1031.prd.cin1                                                                   |
  | binding:profile       | {}                                                                                                           |
  | binding:vif_details   | {"port_filter": true, "ovs_hybrid_plug": true}                                                               |
  | binding:vif_type      | ovs                                                                                                          |
  | binding:vnic_type     | normal                                                                                                       |
  | device_id             | 1bf1e985-d317-4a7c-81c5-4dc32c889274                                                                         |
  | device_owner          | compute:zone1                                                                                                |
  | dns_assignment        | {"hostname": "host-8-XXXXXXX2", "ip_address": "8.XXXXXX", "fqdn": "host-8XXXXXX.openstacklocal."} |
  | dns_name              |                                                                                                              |
  | extra_dhcp_opts       |                                                                                                              |
  | fixed_ips             | {"subnet_id": "b3409c40-d6e2-461a-8722-8e5e52624d52", "ip_address": "8.XXXXXXX"}                          |
  | id                    | 0cc26c65-d1d7-45b1-a974-43fafc28a1ec                                                                         |
  | mac_address           | fa:16:3e:4a:ab:45                                                                                            |
  | name                  |                                                                                                              |
  | network_id            | 0270175b-6c53-40ca-bb9e-22e2635cdaeb                                                                         |
  | port_security_enabled | False                                                                                                        |
  | security_groups       |                                                                                                              |
  | status                | ACTIVE                                                                                                       |
  | tenant_id             | 42858ac565df4bf8aec64f871fe7e955                                                                             |
  +-----------------------+--------------------------------------------------------------------------------------------------------------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1549443/+subscriptions
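An added audit check, not part of the bug report or of neutron's own code: it parses an iptables-save dump and, for each tap device whose port has port_security_enabled=False, reports which of the three ACCEPT rules the reporter had to add by hand (INPUT physdev-in, FORWARD physdev-out, FORWARD physdev-in) are missing. The sample dump is a constructed excerpt of the one above, so VM1's tap0cc26c65-d1 is covered and VM2's tap672dbe42-10 is not.

```python
import re

# Constructed sample: an excerpt of the iptables-save dump from the bug report.
SAMPLE_RULES = """\
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap85e24fb1-61 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap0cc26c65-d1 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap0cc26c65-d1 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tap0cc26c65-d1 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
COMMIT
"""

# The three rules a port-security-disabled port needs: (chain, physdev direction).
EXPECTED = (
    ("neutron-openvswi-INPUT", "--physdev-in"),
    ("neutron-openvswi-FORWARD", "--physdev-out"),
    ("neutron-openvswi-FORWARD", "--physdev-in"),
)

# Matches "-A <chain> -m physdev --physdev-in|out <dev> ... -j <target>".
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) -m physdev (?P<dir>--physdev-(?:in|out)) (?P<dev>\S+) .*-j (?P<target>\S+)$"
)


def parse_physdev_rules(dump):
    """Return {(chain, direction, device): target} for every physdev rule in the dump."""
    rules = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[(m["chain"], m["dir"], m["dev"])] = m["target"]
    return rules


def missing_accept_rules(dump, unsecured_devs):
    """For each tap device of a port with port_security_enabled=False, list the
    expected rules that are absent or that do not jump to ACCEPT."""
    rules = parse_physdev_rules(dump)
    missing = {}
    for dev in unsecured_devs:
        gaps = [f"{chain} {direction} {dev}" for chain, direction in EXPECTED
                if rules.get((chain, direction, dev)) != "ACCEPT"]
        if gaps:
            missing[dev] = gaps
    return missing


if __name__ == "__main__":
    # Devices taken from the two port-show outputs in the report (both have port_security_enabled=False).
    for dev, gaps in missing_accept_rules(SAMPLE_RULES, ["tap0cc26c65-d1", "tap672dbe42-10"]).items():
        print(f"{dev}: missing {len(gaps)} rule(s): {gaps}")
```

On a live hypervisor, feed it the output of `iptables-save` and the tap names derived from the port ids of every port whose port-show reports port_security_enabled=False.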