
yahoo-eng-team team mailing list archive

[Bug 1699613] [NEW] LBaaS v2 agent security groups not filtering


Public bug reported:

Greetings:

Current environment details:

- Mitaka with LBaaS v2 agent configured.
- Deployed via Openstack Ansible
- Neutron Linuxbridge
- Ubuntu 14.04.5 LTS

We had followed documentation at https://docs.openstack.org/mitaka/networking-guide/config-lbaas.html to secure traffic to the VIP.

We created two security groups.

1) SG-allowToVIP: We didn't want to open it globally, so we limited ingress HTTP access to certain IPs. This SG was applied to the VIP port.
2) SG-allowLB: ingress HTTP from the VIP address. This SG was applied to the pool member(s). The idea behind this was that the web server (load-balanced pool member) would always see traffic from the VIP.

End result is/was we can access the VIP from any source IP and any rule
applied to the security group (SG-allowToVIP) is ignored.

We have verified the following:
- Appropriate SG is applied properly to each port
- When we look at the iptables-save for the VIP port, we are seeing the rules originating from the SG but they are not working.
- When we look at the iptables-save for the pool-member(s), we are seeing the rules originating from the SG and they are working.

The only time we were able to block traffic to the VIP was to edit the
iptables rules for the LBaaS agent which is not practical obviously, but
we were just experimenting.

I will provide detailed output - after I clean it up.

Thanks in advance

Luke

** Affects: neutron
     Importance: Undecided
         Status: New
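The symptom above, security-group rules visible in `iptables-save` for the VIP port yet not filtering, has two checks a practitioner wants to run before editing rules by hand: is the per-port SG chain actually jumped to from the chain the traffic traverses (FORWARD), and do its counters ever increment? The script below is an added example, not code from this bug report or from Neutron. It parses `iptables-save -c` output and reports both signals per port chain. The `neutron-linuxbri-` chain prefix follows the Linux bridge firewall driver's naming, but the port ids, tap names, addresses and counters in the embedded sample are constructed for this example; in the sample, the VIP-style chain is declared but never reached, while the pool-member chain is reached and has hits.

```python
"""Audit per-port security-group chains in `iptables-save -c` output.

Two signals are reported for each chain that starts with the ingress
prefix: whether it is reachable from FORWARD by following -j targets,
and how many packets its rules have matched (the [pkts:bytes] counters
that `iptables-save -c` emits; without -c every count reads as 0 and
only reachability is meaningful).
"""
import re

# Constructed sample: chain names mimic the Linux bridge driver convention,
# but port ids (aaaaaaaaa = VIP port, bbbbbbbbb = pool member), addresses
# and counters are invented for this example.
SAMPLE = """\
*filter
:FORWARD ACCEPT [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
:neutron-linuxbri-iaaaaaaaaa - [0:0]
:neutron-linuxbri-ibbbbbbbbb - [0:0]
[1200:90000] -A FORWARD -j neutron-linuxbri-FORWARD
[1200:90000] -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapbbbbbbbbb-bb --physdev-is-bridged -j neutron-linuxbri-sg-chain
[1200:90000] -A neutron-linuxbri-sg-chain -m physdev --physdev-out tapbbbbbbbbb-bb --physdev-is-bridged -j neutron-linuxbri-ibbbbbbbbb
[1200:90000] -A neutron-linuxbri-ibbbbbbbbb -s 10.0.0.50/32 -p tcp -m tcp --dport 80 -j RETURN
[0:0] -A neutron-linuxbri-ibbbbbbbbb -j neutron-linuxbri-sg-fallback
[0:0] -A neutron-linuxbri-iaaaaaaaaa -s 203.0.113.10/32 -p tcp -m tcp --dport 80 -j RETURN
[0:0] -A neutron-linuxbri-iaaaaaaaaa -j neutron-linuxbri-sg-fallback
[0:0] -A neutron-linuxbri-sg-fallback -j DROP
COMMIT
"""

# Counter prefix is optional so plain `iptables-save` output also parses.
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?-A\s+(\S+)\s+(.*)$")
JUMP_RE = re.compile(r"(?:-j|--jump)\s+(\S+)")


def parse_iptables_save(text):
    """Return {chain: [(packets, jump_target_or_None, rule_text), ...]}."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            # Chain declaration such as ':FORWARD ACCEPT [0:0]'.
            chains.setdefault(line[1:].split()[0], [])
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, _bytes, chain, rest = m.groups()
        jump = JUMP_RE.search(rest)
        chains.setdefault(chain, []).append(
            (int(pkts or 0), jump.group(1) if jump else None, rest))
    return chains


def reachable_chains(chains, root="FORWARD"):
    """Chains reachable from `root` by following -j targets to user chains."""
    seen, stack = set(), [root]
    while stack:
        chain = stack.pop()
        if chain in seen or chain not in chains:
            continue
        seen.add(chain)
        for _pkts, target, _rest in chains[chain]:
            if target in chains and target not in seen:
                stack.append(target)
    return seen


def audit_sg_chains(text, prefix="neutron-linuxbri-i"):
    """Per ingress SG chain: reachability from FORWARD, rule count, packet hits."""
    chains = parse_iptables_save(text)
    reachable = reachable_chains(chains)
    report = {}
    for name, rules in chains.items():
        if not name.startswith(prefix):
            continue
        report[name] = {
            "reachable": name in reachable,
            "rules": len(rules),
            "packets": sum(p for p, _t, _r in rules),
        }
    return report


if __name__ == "__main__":
    for name, info in sorted(audit_sg_chains(SAMPLE).items()):
        ok = info["reachable"] and info["packets"] > 0
        flag = "" if ok else "  <-- rules present but not enforcing"
        print(f"{name}: reachable={info['reachable']} "
              f"rules={info['rules']} packets={info['packets']}{flag}")
```

Run it against real output with `iptables-save -c | python3 audit.py` after swapping `SAMPLE` for `sys.stdin.read()`. A chain that is declared and populated but unreachable from FORWARD, or reachable but with counters stuck at zero while the VIP is being hit, is exactly the "present but ignored" state the report describes, and is worth capturing alongside the `iptables-save` output when filing the detailed follow-up.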

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1699613

Title:
  LBaaS v2 agent security groups not filtering

Status in neutron:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1699613/+subscriptions
