yahoo-eng-team team mailing list archive
Message #65194
[Bug 1699613] [NEW] LBaaS v2 agent security groups not filtering
Public bug reported:
Greetings:
Current environment details:
- Mitaka with LBaaS v2 agent configured.
- Deployed via OpenStack-Ansible
- Neutron Linuxbridge
- Ubuntu 14.04.5 LTS
We had followed the documentation at https://docs.openstack.org/mitaka/networking-guide/config-lbaas.html to secure traffic to the VIP.
We created two security groups.
1) SG-allowToVIP: We didn't want to open it globally, so we limited ingress HTTP access to certain IPs. This SG was applied to the VIP port.
2) SG-allowLB: ingress HTTP from the VIP address. This SG was applied to the pool member(s). The idea behind this was that the web server (load-balanced pool member) would always see traffic from the VIP.
The end result is/was that we can access the VIP from any source IP, and any rule applied to the security group (SG-allowToVIP) is ignored.
We have verified the following:
- Appropriate SG is applied properly to each port
- When we look at the iptables-save for the VIP port, we see the rules originating from the SG, but they are not working.
- When we look at the iptables-save for the pool member(s), we see the rules originating from the SG, and they are working.
The only time we were able to block traffic to the VIP was by editing the iptables rules for the LBaaS agent, which is obviously not practical, but we were just experimenting.
I will provide detailed output - after I clean it up.
Thanks in advance
Luke
** Affects: neutron
Importance: Undecided
Status: New
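The verification step above (reading iptables-save for a port and judging whether the security-group rules would filter a flow) is easier to do mechanically than by eye. The checker below is an added example, not code from the report or from Neutron: it parses the `-A` lines of iptables-save and walks a port's ingress chain the way iptables would, so each SG-derived rule set can be tested against sample flows. The excerpt is constructed: the chain names follow the `neutron-linuxbri-i<port-id-prefix>` pattern the Linux Bridge firewall driver uses, but the port-id prefixes, the VIP address 10.0.0.5 and the permitted client 203.0.113.10 are made up.

```python
"""Check what a Neutron Linux Bridge security-group chain would do with a flow.

Added example for this bug report, not code from the report or from Neutron.
The iptables-save excerpt, port-id prefixes and addresses are constructed.
"""
import shlex
from ipaddress import ip_address, ip_network

# Constructed excerpt (not real output). First port chain: the VIP port, which
# should accept HTTP only from 203.0.113.10 (SG-allowToVIP). Second port chain:
# a pool member, which should accept HTTP only from the VIP (SG-allowLB).
SAMPLE_IPTABLES_SAVE = """\
*filter
-A neutron-linuxbri-ia1b2c3d4e5 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-ia1b2c3d4e5 -s 203.0.113.10/32 -p tcp -m tcp --dport 80 -j RETURN
-A neutron-linuxbri-ia1b2c3d4e5 -m state --state INVALID -j DROP
-A neutron-linuxbri-ia1b2c3d4e5 -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-if6e7d8c9b0 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-if6e7d8c9b0 -s 10.0.0.5/32 -p tcp -m tcp --dport 80 -j RETURN
-A neutron-linuxbri-if6e7d8c9b0 -m state --state INVALID -j DROP
-A neutron-linuxbri-if6e7d8c9b0 -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-sg-fallback -j DROP
COMMIT
"""

VIP_CHAIN = "neutron-linuxbri-ia1b2c3d4e5"      # assumed port-id prefix
MEMBER_CHAIN = "neutron-linuxbri-if6e7d8c9b0"   # assumed port-id prefix

# Options that carry an argument we do not evaluate; both tokens are skipped.
SKIP = {"-m", "-i", "-o", "--physdev-in", "--physdev-out", "--comment"}


def parse_iptables_save(text):
    """Return {chain: [rule, ...]} built from the '-A' lines of iptables-save."""
    chains = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        rule = {"src": None, "proto": None, "dport": None, "states": None, "target": None}
        i = 2
        while i < len(tokens):
            opt = tokens[i]
            arg = tokens[i + 1] if i + 1 < len(tokens) else None
            if opt == "-s":
                rule["src"] = ip_network(arg, strict=False)
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            elif opt not in SKIP:
                i += 1          # bare flag such as --physdev-is-bridged
                continue
            i += 2
        chains.setdefault(tokens[1], []).append(rule)
    return chains


def _matches(rule, flow):
    """True when every match the rule carries agrees with the flow."""
    if rule["src"] is not None and ip_address(flow["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != flow.get("proto"):
        return False
    if rule["dport"] is not None and rule["dport"] != flow.get("dport"):
        return False
    if rule["states"] is not None and flow.get("state", "NEW") not in rule["states"]:
        return False
    return True


def walk_chain(chains, chain, flow):
    """Walk a chain as iptables does: the first terminal target wins, and a
    jump into a user chain that RETURNs continues with the next rule."""
    for rule in chains.get(chain, []):
        if not _matches(rule, flow):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return target
        if target is not None:
            verdict = walk_chain(chains, target, flow)
            if verdict != "RETURN":
                return verdict
    return "RETURN"             # user chain ran out of rules


def ingress_verdict(chains, port_chain, flow):
    """The driver RETURNs from a per-port chain to allow a flow and sends the
    rest to sg-fallback, which DROPs; report that as ALLOW or the terminal target."""
    verdict = walk_chain(chains, port_chain, flow)
    return "ALLOW" if verdict == "RETURN" else verdict


if __name__ == "__main__":
    chains = parse_iptables_save(SAMPLE_IPTABLES_SAVE)
    for label, chain, src in [("VIP <- allowed client", VIP_CHAIN, "203.0.113.10"),
                              ("VIP <- other host", VIP_CHAIN, "198.51.100.7"),
                              ("member <- VIP", MEMBER_CHAIN, "10.0.0.5"),
                              ("member <- client directly", MEMBER_CHAIN, "203.0.113.10")]:
        flow = {"src": src, "proto": "tcp", "dport": 80}
        print(f"{label:26s} {ingress_verdict(chains, chain, flow)}")
```

Run it against the real iptables-save from the node hosting the LBaaS agent, substituting the VIP port's actual chain name. When the checker returns DROP for a source that can nevertheless reach the VIP, the rule set itself is correct and the packets are simply not traversing that chain, which is the situation this report describes; that narrows the problem to the path the VIP traffic takes rather than to the security-group rules.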
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1699613
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1699613/+subscriptions