yahoo-eng-team team mailing list archive
Message #72881
[Bug 1736739] Re: Machines attached to isolated network are able to reach VMs attached to other networks
This has been fixed by https://review.openstack.org/#/c/385085
I tested the described scenario and I couldn't see ICMP traffic on the port of the private machine. I reverted the mentioned patch and I'm able to see:
[root@compute ~]# tcpdump -s0 -e -nnvvi tap59d5b819-88
tcpdump: listening on tap59d5b819-88, link-type EN10MB (Ethernet), capture size 262144 bytes
10:41:49.917436 fa:16:3e:55:0a:07 > fa:16:3e:e9:f2:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58955, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.134.7 > 10.0.0.9: ICMP echo request, id 34305, seq 1751, length 64
10:41:49.917713 fa:16:3e:e9:f2:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.9, length 28
10:41:50.917342 fa:16:3e:e9:f2:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.9, length 28
10:41:50.917799 fa:16:3e:55:0a:07 > fa:16:3e:e9:f2:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 59088, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.134.7 > 10.0.0.9: ICMP echo request, id 34305, seq 1752, length 64
10:41:51.917444 fa:16:3e:e9:f2:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.9, length 28
10:41:51.918230 fa:16:3e:55:0a:07 > fa:16:3e:e9:f2:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 59106, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.134.7 > 10.0.0.9: ICMP echo request, id 34305, seq 1753, length 64
** Changed in: neutron
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1736739
Title:
Machines attached to isolated network are able to reach VMs attached to other networks
Status in neutron:
Fix Released
Bug description:
Machines attached to isolated network are able to reach VMs attached to other networks.
This behavior was observed using Symnet - the symbolic network analysis engine.
Pre-conditions: devstack latest version (at the time of writing) + all services latest versions on Ubuntu 16.04
Steps to reproduce:
Contents of local.conf:
[[local|localrc]]
ADMIN_PASSWORD=stack
DATABASE_PASSWORD=stack
RABBIT_PASSWORD=stack
RABBIT_HOST=localhost
SERVICE_PASSWORD=$ADMIN_PASSWORD
HOST_IP=192.168.154.23
IP_VERSION=4
LOGFILE=$DEST/logs/stack.sh.log
LOGDAYS=2
MYSQL_PASSWORD=stack
DATABASE_TYPE=mysql
[[post-config|$NEUTRON_CONF]]
[DEFAULT]
service_plugins = router,trunk
[[post-config|/$Q_PLUGIN_CONF_FILE]]
[securitygroup]
firewall_driver = openvswitch
After stack.sh finishes (note that devstack creates the networks public and private, and a router to connect them):
source openrc admin demo
openstack server create --network private --image cirros-0.3.5-x86_64-disk --flavor m1.nano private
openstack network create isolated
openstack subnet create --network isolated --subnet-range 192.168.134.0/24 isolated
openstack server create --network isolated --image cirros-0.3.5-x86_64-disk --flavor m1.nano isolated
openstack port list --server private
# get MAC and IP of private server
openstack port list --server isolated
# get MAC and IP of isolated server
Log into isolated and create an ARP entry for the private machine:
sudo ip route add 10.0.0.0/26 dev eth0 src <isolated_ip>
arp -s <private_ip> <private_mac>
ping <private_ip>
Back to the devstack machine:
sudo tcpdump -e -vv -i tap<private_port_id>
# notice the ICMP traffic originating from isolated towards private
Expected output: No traffic can get from the isolated VM to the private VM.
Actual output: Traffic from the isolated machine reaches the private virtual machine even though they are not connected via any router.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1736739/+subscriptions
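The capture in the comment above is the evidence for the bug: a tap interface on the private network sees ICMP from 192.168.134.7, a source on a network that no router connects to it. The following script is an added example, not code from the bug report or from Neutron, that turns that manual inspection into a repeatable check. It parses the two-line records `tcpdump -e -vv` prints, extracts the IPv4 source of each packet seen on a port, and reports every packet whose source is outside an allow-list of subnets. The allow-list (10.0.0.0/26, the devstack private subnet from the reproduction steps) is an assumption, and the sample capture is the one from this message.

```python
"""Spot traffic on a Neutron tap interface that arrives from a subnet that
should have no path to it.

Added example, not code from the bug report or from Neutron. It reads the
two-line records printed by `tcpdump -e -vv`, pulls out the IPv4 source and
destination of each packet, and reports every packet whose source lies
outside an allow-list of subnets. The allow-list used in __main__
(10.0.0.0/26, the devstack private subnet named in the report) is an
assumption; the sample capture is copied from the message.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Header line of every frame: timestamp, src MAC, dst MAC, ethertype.
HDR_LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+), ethertype (\w+)")
# Second line of an IPv4 record: "src > dst: protocol details". The optional
# ".port" suffix covers TCP/UDP lines such as "10.0.0.9.22 > 10.0.0.1.53410".
IP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)$"
)

# Constructed sample: the tcpdump lines from the capture in this message.
SAMPLE_CAPTURE = """\
[root@compute ~]# tcpdump -s0 -e -nnvvi tap59d5b819-88
tcpdump: listening on tap59d5b819-88, link-type EN10MB (Ethernet), capture size 262144 bytes
10:41:49.917436 fa:16:3e:55:0a:07 > fa:16:3e:e9:f2:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58955, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.134.7 > 10.0.0.9: ICMP echo request, id 34305, seq 1751, length 64
10:41:49.917713 fa:16:3e:e9:f2:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.9, length 28
10:41:50.917342 fa:16:3e:e9:f2:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.9, length 28
10:41:50.917799 fa:16:3e:55:0a:07 > fa:16:3e:e9:f2:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 59088, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.134.7 > 10.0.0.9: ICMP echo request, id 34305, seq 1752, length 64
10:41:51.917444 fa:16:3e:e9:f2:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.9, length 28
10:41:51.918230 fa:16:3e:55:0a:07 > fa:16:3e:e9:f2:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 59106, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.134.7 > 10.0.0.9: ICMP echo request, id 34305, seq 1753, length 64
"""


def parse_records(lines: Iterable[str]) -> List[dict]:
    """Turn tcpdump -e -vv output into one dict per frame.

    IPv4 frames span two lines (header, then addresses); ARP and other
    frames are a single header line and are kept without IP fields.
    """
    records: List[dict] = []
    pending = None
    for line in lines:
        hdr = HDR_LINE.match(line)
        if hdr:
            ts, src_mac, dst_mac, ethertype = hdr.groups()
            rec = {"ts": ts, "src_mac": src_mac, "dst_mac": dst_mac, "ethertype": ethertype}
            if ethertype == "IPv4":
                pending = rec  # the addresses arrive on the next line
            else:
                records.append(rec)
                pending = None
            continue
        ipm = IP_LINE.match(line)
        if ipm and pending is not None:
            pending.update(src_ip=ipm.group(1), dst_ip=ipm.group(2), info=ipm.group(3))
            records.append(pending)
            pending = None
    return records


def find_cross_network(records: List[dict], allowed_subnets: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src_ip, dst_ip) for IPv4 packets whose source is in
    none of the allowed subnets. With working isolation this list is empty:
    only the port's own subnet and the subnets a router connects to it should
    ever appear as sources on its tap."""
    nets = [ipaddress.ip_network(s) for s in allowed_subnets]
    hits = []
    for rec in records:
        if "src_ip" not in rec:
            continue  # ARP and other non-IPv4 frames carry no IP source
        src = ipaddress.ip_address(rec["src_ip"])
        if not any(src in net for net in nets):
            hits.append((rec["ts"], rec["src_ip"], rec["dst_ip"]))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CAPTURE.splitlines())
    # Assumption: the private port's tap should only see 10.0.0.0/26 sources.
    # Add every subnet a router legitimately connects (e.g. the public subnet).
    for ts, src, dst in find_cross_network(recs, ["10.0.0.0/26"]):
        print(f"{ts} unexpected source {src} -> {dst}")
```

Run against the capture in the comment, the script reports the three echo requests from 192.168.134.7, which is exactly the leak the bug describes; after the referenced fix, the same capture on the private port should yield an empty list. The allow-list has to be built from the Neutron topology (the port's subnet plus every subnet reachable through an attached router), otherwise legitimate routed traffic will be flagged as well.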