yahoo-eng-team team mailing list archive

[Bug 1544458] Re: SCTP packets from VM are not NATed

 

[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1544458

Title:
  SCTP packets from VM are not NATed

Status in neutron:
  Expired

Bug description:
  We should add a sanity check for sctp modules, as mentioned by Balaji:
  https://highon.coffee/blog/security-harden-centos-7/

  ==========================================
  Disable Uncommon Protocols

  The following Protocols will be disabled:

      Datagram Congestion Control Protocol (DCCP)
      Stream Control Transmission Protocol (SCTP)
      Reliable Datagram Sockets (RDS)
      Transparent Inter-Process Communication (TIPC)
  ==========================================

  Details below:
  ----------------------------------------------------------------

  We have installed the kilo release

  [root@sienna ~]# uname -a
  Linux sienna 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  [root@sienna ~]# cat /etc/os-release
  NAME="CentOS Linux"
  VERSION="7 (Core)"
  ID="centos"
  ID_LIKE="rhel fedora"
  VERSION_ID="7"

  [root@sienna ~]# openstack --version
  openstack 1.0.3
  [root@sienna ~]# neutron --version
  2.4.0
  [root@sienna ~]# nova --version
  2.23.0

  After installing the kilo release, we found that SCTP packets from the VM were being dropped at the host.
  Found that this was a known issue https://bugs.launchpad.net/neutron/+bug/1460741 and downloaded the neutron patch
  neutron 2015.1.2 and applied the same.

  After that the SCTP packets from VM were transmitted from the host.
  But with the private IP Address (192.168.x.x) without SNAT being
  performed.

  SNAT is being done for UDP packets though.

  Only SCTP packets are sent out with private IP addresses.

  Please confirm whether this is a known issue and whether any fix/patch
  is available for this in Neutron for the Kilo release.

  Thank you
  Balaji Srinivasan

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1544458/+subscriptions
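
One way to implement the sanity check the bug description asks for, added here as an example and not taken from neutron or from the report: it scans modprobe.d-style configuration text for the two usual ways a hardening guide disables a protocol module (`install <module> /bin/true` and `blacklist <module>`). The function names, the list of no-op command paths and the sample configuration are assumptions constructed for illustration.

```python
# Protocol modules from the hardening list quoted in the bug description.
HARDENING_TARGETS = ("dccp", "sctp", "rds", "tipc")

# Assumption: commands a hardening drop-in uses as a do-nothing install override.
NOOP_COMMANDS = {"/bin/true", "/bin/false", "/usr/bin/true", "/usr/bin/false"}

# Constructed sample in the style of a hardening drop-in under /etc/modprobe.d/.
SAMPLE_CONF = """\
# disable uncommon protocols
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
blacklist sctp
"""


def _norm(name):
    # modprobe treats '-' and '_' in module names as equivalent.
    return name.replace("-", "_")


def parse_modprobe_conf(text):
    """Map each module to the ways the config disables it."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "blacklist":
            # Stops alias-based autoloading; an explicit modprobe still works.
            found.setdefault(_norm(tokens[1]), set()).add("blacklist")
        elif len(tokens) >= 3 and tokens[0] == "install" and tokens[2] in NOOP_COMMANDS:
            # modprobe runs the no-op command instead of loading the module.
            found.setdefault(_norm(tokens[1]), set()).add("install-noop")
    return found


def sctp_sanity_check(conf_text, required=("sctp",)):
    """Return one problem string per disabled module; empty means passed."""
    disabled = parse_modprobe_conf(conf_text)
    return [
        f"{mod}: disabled via {how}"
        for mod in required
        for how in sorted(disabled.get(_norm(mod), ()))
    ]


if __name__ == "__main__":
    for problem in sctp_sanity_check(SAMPLE_CONF):
        print(problem)
```
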

