yahoo-eng-team team mailing list archive

[Bug 1799885] [NEW] [FWaaS]Firewall rule for fip's DNAT traffic, destination address should be this fip


Public bug reported:

Bug description:
When we write a firewall group rule which limits a fip's DNAT traffic, for example when we want to accept the traffic into a VM bound to a fip, the rule's destination address should currently be the VM's intranet IP address (not the fip's IP address).
However, if we associate this fip to another VM, the previous firewall group rule will be wrong, because we just want to restrict the traffic into this fip. We have to change the firewall group rule's destination address to the other VM's intranet IP.
So every time we change the fip association, we have to change the firewall group rule's destination address.


Analysis:
Iptables processes DNAT in the PREROUTING chain of the nat table, which is processed before the FORWARD chain of the filter table.
So if we write a firewall rule to limit a fip's DNAT traffic, the destination address must be an intranet IP.
Essentially, if we want to write a firewall group rule to limit an IP's DNAT traffic, we can only limit an intranet IP address, not a fip's IP address.


Scenario:
We want to accept the traffic to a fip's (166.166.166.5) port 80:
1. Associate a fip 166.166.166.5 on a VM (intranet IP: 192.168.1.10)
2. Create a firewall group, policy and rule
3. Associate the fwg to router (0cbd237f-358a-4c27-8047-c50e1f7201e7)

[root@vm ~]# openstack firewall group rule show 055af78e-ef12-4225-8236-8ef703026aad
+------------------------+-------------------------------------------+
| Field                  | Value                                     |
+------------------------+-------------------------------------------+
| Action                 | allow                                     |
| Description            |                                           |
| Destination IP Address | 192.168.1.10                              |
| Destination Port       | 80                                        |
| Enabled                | True                                      |
| ID                     | 055af78e-ef12-4225-8236-8ef703026aad      |
| IP Version             | 4                                         |
| Name                   | in-192.168.1.10-80-allow                  |
| Project                | 9355437b66f64e8999e30978a7b3c33c          |
| Protocol               | tcp                                       |
| Shared                 | False                                     |
| Source IP Address      | None                                      |
| Source Port            | None                                      |
| firewall_policy_id     | [u'3996f090-8e8d-48c5-a3de-4ba2c88ff935'] |
| project_id             | 9355437b66f64e8999e30978a7b3c33c          |
+------------------------+-------------------------------------------+
# 3996f090-8e8d-48c5-a3de-4ba2c88ff935 is the ingress policy

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-iv4deb36e9f -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -t nat -S
-A neutron-l3-agent-PREROUTING -d 166.166.166.5/32 -j DNAT --to-destination 192.168.1.10

4. Associate the fip 166.166.166.5 to another VM (intranet IP: 192.168.1.11)

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-iv4deb36e9f -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -t nat -S
-A neutron-l3-agent-PREROUTING -d 166.166.166.5/32 -j DNAT --to-destination 192.168.1.11

5. This firewall rule loses efficacy

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1799885

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1799885/+subscriptions
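The ordering described in the Analysis section (nat PREROUTING DNAT runs before filter FORWARD) and the reassociation failure in the Scenario can be reproduced with a small packet-path model. The following is an added example written for this archive page, not code from the bug report or from neutron; the Packet/FilterRule types are constructed for illustration, and the "orig_dst" rule variant models iptables' conntrack original-destination match (-m conntrack --ctorigdst) as one way a rule can stay keyed to the fip, which the report itself does not propose.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    dst: str                       # current destination (rewritten by DNAT)
    dport: int
    orig_dst: Optional[str] = None # pre-NAT destination as conntrack records it

@dataclass(frozen=True)
class FilterRule:
    dport: int
    dst: Optional[str] = None      # plain "-d X": matches the post-DNAT address
    orig_dst: Optional[str] = None # "-m conntrack --ctorigdst X": pre-NAT address

def prerouting_dnat(pkt: Packet, dnat: dict) -> Packet:
    """nat PREROUTING: rewrite dst for a fip, keeping the original in conntrack."""
    if pkt.dst in dnat:
        return Packet(dst=dnat[pkt.dst], dport=pkt.dport, orig_dst=pkt.dst)
    return replace(pkt, orig_dst=pkt.dst)

def forward_filter(pkt: Packet, rules: list) -> str:
    """filter FORWARD, evaluated after DNAT: first match wins, default DROP."""
    for r in rules:
        if r.dport != pkt.dport:
            continue
        if r.dst is not None and r.dst != pkt.dst:
            continue
        if r.orig_dst is not None and r.orig_dst != pkt.orig_dst:
            continue
        return "ACCEPT"
    return "DROP"

def verdict(dst: str, dport: int, dnat: dict, rules: list) -> str:
    return forward_filter(prerouting_dnat(Packet(dst, dport), dnat), rules)

def scenario() -> dict:
    """Replays the bug report: fip 166.166.166.5 moves from .10 to .11."""
    fip = "166.166.166.5"
    before = {fip: "192.168.1.10"}   # step 1: fip associated with the first VM
    after = {fip: "192.168.1.11"}    # step 4: fip reassociated to another VM
    rule_fip = [FilterRule(dport=80, dst=fip)]              # keyed on the fip
    rule_intranet = [FilterRule(dport=80, dst="192.168.1.10")]  # the report's rule
    rule_orig = [FilterRule(dport=80, orig_dst=fip)]        # conntrack original dst
    return {
        "fip_rule_before": verdict(fip, 80, before, rule_fip),           # DROP
        "intranet_rule_before": verdict(fip, 80, before, rule_intranet), # ACCEPT
        "intranet_rule_after": verdict(fip, 80, after, rule_intranet),   # DROP
        "ctorigdst_rule_before": verdict(fip, 80, before, rule_orig),    # ACCEPT
        "ctorigdst_rule_after": verdict(fip, 80, after, rule_orig),      # ACCEPT
    }
```

The "fip_rule_before" result is why a rule with the fip as destination can never match in FORWARD, and "intranet_rule_after" is the rule losing efficacy at step 5.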