
yahoo-eng-team team mailing list archive

[Bug 1749667] Re: neutron doesn't correctly handle unknown protocols and should whitelist known and handled protocols


Reviewed:  https://review.openstack.org/545091
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b564871bb759a38cf96527f94e7c7d4cc760b1c9
Submitter: Zuul
Branch:    master

commit b564871bb759a38cf96527f94e7c7d4cc760b1c9
Author: Brian Haley <bhaley@xxxxxxxxxx>
Date:   Thu Feb 15 13:57:32 2018 -0500

    Only allow SG port ranges for whitelisted protocols
    
    Iptables only supports port-ranges for certain protocols,
    others will generate failures, possibly leaving the agent
    looping trying to apply rules.  Change to not allow port
    ranges outside of the list of known good protocols.
    
    Change-Id: I5867f77fc5aedc169b42f50def0424ff209c164c
    Closes-bug: #1749667


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1749667

Title:
  neutron doesn't correctly handle unknown protocols and should
  whitelist known and handled protocols

Status in neutron:
  Fix Released

Bug description:
  We have had problems with openvswitch agent continuously restarting
  and never actually completing setup because of this:

  # Completed by iptables_manager
  ; Stdout: ; Stderr: iptables-restore v1.4.21: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP
  Error occurred at line: 83
  Try `iptables-restore -h' or 'iptables-restore --help' for more information.

      83. -I neutron-openvswi-<id> 69 -s <ip> -p 112 -m multiport --dports 1:65535 -j RETURN
  ---

  Someone has managed to inject a rule that is, effectively, a DoS.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1749667/+subscriptions
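As an added example (not neutron's own code and not the change in the commit above), the following validator applies the check the commit message describes: a port range is accepted only for the protocols that iptables multiport can match, taken from the iptables-restore error quoted in the bug report. The function names and the rule layout are assumptions for this example.

```python
"""
Reject security-group port ranges that iptables-restore would refuse,
so they never reach the agent's rule-apply loop.

Whitelist source: the iptables-restore message in the bug report
("multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP").
Function names and rule shape are assumptions, not neutron's API.
"""

# Protocols for which '-m multiport --dports a:b' is valid, with their
# IANA protocol numbers so numeric protocol strings are accepted too.
PORT_RANGE_PROTOCOLS = {"tcp": 6, "udp": 17, "udplite": 136,
                        "sctp": 132, "dccp": 33}
_NUMBER_TO_NAME = {str(n): name for name, n in PORT_RANGE_PROTOCOLS.items()}


def supports_port_range(protocol):
    """Return True if iptables can apply a port range to this protocol."""
    if protocol is None:
        return False
    proto = str(protocol).lower()
    return proto in PORT_RANGE_PROTOCOLS or proto in _NUMBER_TO_NAME


def validate_port_range(protocol, port_min, port_max):
    """Return None if the rule is acceptable, else a rejection reason.

    A rule without ports is fine for any protocol; a rule with ports is
    only allowed for whitelisted protocols and must lie within 1..65535.
    """
    if port_min is None and port_max is None:
        return None
    if not supports_port_range(protocol):
        return ("port range not allowed for protocol %r; only %s support it"
                % (protocol, ", ".join(sorted(PORT_RANGE_PROTOCOLS))))
    lo = 1 if port_min is None else port_min
    hi = lo if port_max is None else port_max
    if not (1 <= lo <= hi <= 65535):
        return "invalid port range %s:%s" % (lo, hi)
    return None


if __name__ == "__main__":
    # Constructed inputs: the rule from the bug report (protocol 112 is
    # VRRP, which has no ports) and an ordinary SSH rule.
    print(validate_port_range("112", 1, 65535))   # rejected
    print(validate_port_range("tcp", 22, 22))     # None (accepted)
```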
