yahoo-eng-team team mailing list archive
Message #70471
[Bug 1743552] Re: iptables security group driver failed to apply when rule protocol is icmp/icmpv6 alias
Reviewed: https://review.openstack.org/534263
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0efe1aec185365d8bd7a14ec5b812132d0f9e44d
Submitter: Zuul
Branch: master
commit 0efe1aec185365d8bd7a14ec5b812132d0f9e44d
Author: Hunt Xu <mhuntxu@xxxxxxxxx>
Date: Tue Jan 16 19:34:09 2018 +0800
Fix _port_arg for security rules with icmp/ipv6-icmp aliases
When a security group rule is created with an icmp/ipv6-icmp alias such as
protocol number 1 (ICMP), 58 (ICMPv6) or the string icmpv6 (legacy name for
ipv6-icmp) as its protocol, along with an ICMP/ICMPv6 message type
specified, _port_arg will generate a wrong str for iptables/ip6tables.
Change-Id: Iae01b9a0da34797a5f061a110f06e18be9bbec5a
Closes-Bug: #1743552
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1743552
Title: iptables security group driver failed to apply when rule protocol is icmp/icmpv6 alias
Status in neutron:
Fix Released
Bug description:
* Summary
When a security group rule is created with protocol number 1, 58 or icmpv6, with port_range_min supplied as the icmp-type, the iptables security group driver will fail to apply the rules.
* Environment
devstack + openvswitch-agent + securitygroup firewall_driver=iptables-hybrid
* Step-by-step reproduction steps:
1. Create a network and a subnet
2. boot a VM in the network
3. create new security group rules as follows in the SG of the VM's port:
- openstack security group rule create --ethertype IPv4 --icmp-type 8 --icmp-code 0 --protocol 1 --ingress <SG_ID>
- openstack security group rule create --ethertype IPv6 --icmp-type 128 --icmp-code 0 --protocol 58 --ingress <SG_ID>
- openstack security group rule create --ethertype IPv6 --icmp-type 128 --icmp-code 0 --protocol icmpv6 --ingress <SG_ID>
4. check neutron-openvswitch-agent's LOG
* Expected output:
- SG rules are successfully created and applied on the port without errors
* Actual output:
- SG rules are successfully created
- Errors in neutron-openvswitch-agent's LOG about iptables/ip6tables failed to apply
- Wrong iptables/ip6tables rule is generated:
- "Stderr: iptables-restore v1.6.1: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP"
- -I neutron-openvswi-if1905f5e-9 5 -p icmp -m icmp -m multiport --dports 8:0 -j RETURN
- -I neutron-openvswi-if1905f5e-9 8 -p ipv6-icmp -m icmp6 -m multiport --dports 128:0 -j RETURN
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1743552/+subscriptions
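As an added illustration (not neutron's own code; the function and constant names are mine), the following minimal model of the alias handling behind this bug places the pre-fix comparison beside the corrected one and reproduces the rule strings quoted in the report, including the IPv6 and code-0 cases:

```python
# Illustrative reimplementation of the _port_arg alias bug (not neutron's code).
from typing import List, Optional

# Aliases a security group rule may carry, mapped to the names iptables expects.
PROTOCOL_ALIASES = {
    "1": "icmp", "icmp": "icmp",
    "58": "ipv6-icmp", "icmpv6": "ipv6-icmp", "ipv6-icmp": "ipv6-icmp",
}
# iptables protocol name -> (match module, message-type flag)
ICMP_MATCH = {"icmp": ("icmp", "--icmp-type"), "ipv6-icmp": ("icmp6", "--icmpv6-type")}


def normalize_protocol(protocol: str) -> str:
    """Map numbers and legacy names (1, 58, icmpv6) onto iptables protocol names."""
    return PROTOCOL_ALIASES.get(str(protocol).lower(), str(protocol))


def port_arg(direction: str, protocol: str, port_min: Optional[int],
             port_max: Optional[int], normalize_first: bool) -> List[str]:
    """Build the port (or ICMP type/code) match arguments for one rule.

    For ICMP, port_min/port_max carry the message type/code. With
    normalize_first=False the raw protocol is compared against the iptables
    names, so '1', '58' and 'icmpv6' fall through to the multiport branch,
    which iptables-restore rejects for ICMP (the failure in the report).
    """
    if port_min is None:
        return []
    proto = normalize_protocol(protocol) if normalize_first else str(protocol)
    if proto in ICMP_MATCH:
        arg = str(port_min)
        if port_max is not None:  # ICMP code 0 is valid, so test for None, not truthiness
            arg += "/%d" % port_max
        return [ICMP_MATCH[proto][1], arg]
    if port_max is None or port_min == port_max:
        return ["--%s" % direction, str(port_min)]
    return ["-m", "multiport", "--%ss" % direction, "%d:%d" % (port_min, port_max)]


def build_rule(chain: str, protocol: str, port_min: Optional[int],
               port_max: Optional[int], fixed: bool = True) -> str:
    """Render an ingress RETURN rule in the shape quoted in the bug report."""
    proto = normalize_protocol(protocol)  # the '-p' argument was already normalized
    args = ["-I", chain, "-p", proto]
    if proto in ICMP_MATCH:
        args += ["-m", ICMP_MATCH[proto][0]]
    args += port_arg("dport", protocol, port_min, port_max, normalize_first=fixed)
    return " ".join(args + ["-j", "RETURN"])
```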