
yahoo-eng-team team mailing list archive

[Bug 1736674] Re: sg rules are sometimes not applied

 

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.

** Also affects: ossa
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1736674

Title:
  sg rules are sometimes not applied

Status in neutron:
  New
Status in OpenStack Security Advisory:
  New

Bug description:
  Failure of negative test in gate:

  http://logs.openstack.org/19/523319/5/check/neutron-tempest-plugin-scenario-linuxbridge/47b85c6/job-output.txt.gz#_2017-12-01_23_09_02_843619

  Reproducing locally with a debug patch, I see that iptables_manager
  first applies the correct rules and then removes them again
  immediately after that, see http://paste.openstack.org/show/628245/

  Steps to reproduce (taken from
  neutron_tempest_plugin.scenario.test_security_groups.NetworkDefaultSecGroupTest.test_ip_prefix_negative,
  possibly not minimal):

  - create two security groups
  - add ssh access to first, icmp access to second one
  - create an instance with these two security groups applied
  - run iptables-save and discover no rules applied to the instance

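The last reproduction step above (reading iptables-save to see whether any rules exist for the instance) can be automated; the following is an added example, not part of the bug report or of neutron. Both dumps, the device name tapEXAMPLE01 and the chain names are constructed, and the code assumes per-port chains are reached through physdev matches on the instance's tap device.

```python
import re

# Constructed iptables-save excerpts; chain and device names are illustrative.
APPLIED = """*filter
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-iEXAMPLE01 - [0:0]
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tapEXAMPLE01 --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tapEXAMPLE01 --physdev-is-bridged -j neutron-linuxbri-iEXAMPLE01
-A neutron-linuxbri-sg-chain -j ACCEPT
-A neutron-linuxbri-iEXAMPLE01 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-linuxbri-iEXAMPLE01 -p icmp -j RETURN
COMMIT
"""
# Constructed: the same host after the rules were removed again.
REMOVED = """*filter
:neutron-linuxbri-sg-chain - [0:0]
-A neutron-linuxbri-sg-chain -j ACCEPT
COMMIT
"""

PHYSDEV = re.compile(r"--physdev-(?:in|out) (\S+)")
JUMP = re.compile(r"(?:^|\s)-j (\S+)")


def port_rules(dump, device):
    """Return {chain: [rules]} for the per-port chains reached from `device`."""
    table, rules = None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith("-A "):
            rules.append((line.split()[1], line))
    # Chains holding physdev matches only dispatch traffic to per-port chains.
    dispatch = {chain for chain, rule in rules if PHYSDEV.search(rule)}
    targets = set()
    for chain, rule in rules:
        jump = JUMP.search(rule)
        if jump and device in PHYSDEV.findall(rule):
            targets.add(jump.group(1))
    return {c: [r for ch, r in rules if ch == c]
            for c in sorted(targets - dispatch)}


def sg_rules_applied(dump, device):
    """True only if at least one per-port chain for `device` contains a rule."""
    return any(port_rules(dump, device).values())
```

Because the report describes rules being applied and then removed immediately afterwards, a single passing check right after the instance boots is not conclusive; repeat it once the agent has finished its update.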