
yahoo-eng-team team mailing list archive

[Bug 1834825] [NEW] Rule to prevent SNAT for router's internal traffic is wrong


Public bug reported:

The rule created in the router's namespace in https://github.com/openstack/neutron/blob/master/neutron/agent/l3/router_info.py#L884 tries to match on both the input and the output interface.
However, netfilter postrouting hooks don't provide the input interface. This is not new and is common
to both iptables and nftables. The difference is how the match behaves in this
situation: with iptables, the comparison simply happens against an empty string.
With nftables though, rule processing aborts due to no data to compare against -
the rule doesn't match. The inverted match exposes the difference: for
iptables the result is always true, while for nftables it is always false.

That causes a problem with the nftables-based implementation, which is used e.g.
in RHEL8 now. The problem there is that internal traffic between 2 networks
connected to the same router is always SNAT'ed, as this rule never matches
any packet.

So the input interface check in the postrouting chain is not effective and never
was, even with legacy iptables (e.g. in RHEL7), and can simply be
dropped from this rule.

** Affects: neutron
     Importance: Medium
     Assignee: Slawek Kaplonski (slaweq)
         Status: Confirmed


** Tags: l3-dvr-backlog

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1834825

Title:
  Rule to prevent SNAT for router's internal traffic is wrong

Status in neutron:
  Confirmed


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1834825/+subscriptions
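The following is an added example, not code from neutron or from the bug reporter. It does two things the report talks about: it scans an iptables-save dump for rules that test the input interface in chains reached from POSTROUTING (where netfilter supplies none), and it models the iptables versus nftables evaluation of such a match as the report describes it. SAMPLE_DUMP is a constructed fragment; the chain layout, interface name qg-aaaa1111-22 and addresses are made up to resemble the rule shape the report describes and are assumptions, not the project's actual output.

```python
"""Find input-interface matches in POSTROUTING-reachable rules and model how
iptables and nftables evaluate them when the hook provides no input interface.

Added example, not neutron code. SAMPLE_DUMP is a constructed iptables-save
fragment; the interface name and addresses in it are made up.
"""
import shlex
from collections import deque

IIF_FLAGS = ("-i", "--in-interface")

# Constructed dump: a POSTROUTING-reachable rule with '! -i' (the shape the
# report describes) plus a PREROUTING rule where '-i' is legitimate.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-snat - [0:0]
-A PREROUTING -i qg-aaaa1111-22 -d 203.0.113.11/32 -j DNAT --to-destination 10.0.0.5
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A neutron-l3-agent-POSTROUTING ! -i qg-aaaa1111-22 ! -o qg-aaaa1111-22 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-POSTROUTING -j neutron-l3-agent-snat
-A neutron-l3-agent-snat -o qg-aaaa1111-22 -j SNAT --to-source 203.0.113.10
COMMIT
"""


def parse_iptables_save(dump):
    """Return ({table: set(chains)}, [(table, chain, tokens), ...])."""
    chains, rules, table = {}, [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            chains.setdefault(table, set())
        elif line.startswith(":") and table is not None:
            chains[table].add(line[1:].split()[0])
        elif line.startswith("-A ") and table is not None:
            tokens = shlex.split(line)
            rules.append((table, tokens[1], tokens[2:]))
    return chains, rules


def jump_target(tokens):
    """Chain or target named by -j/-g, or None."""
    for flag in ("-j", "--jump", "-g", "--goto"):
        if flag in tokens:
            return tokens[tokens.index(flag) + 1]
    return None


def chains_reachable_from(table, hook, chains, rules):
    """The hook chain plus every user chain packets can enter from it."""
    seen, queue = {hook}, deque([hook])
    while queue:
        cur = queue.popleft()
        for tbl, chain, tokens in rules:
            target = jump_target(tokens)
            if tbl == table and chain == cur and target in chains[table] and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def find_ineffective_iif_matches(dump, hook="POSTROUTING"):
    """Rules that test the input interface in a chain traversed from a hook
    that provides none: dead under iptables, never matching under nftables."""
    chains, rules = parse_iptables_save(dump)
    flagged = []
    for table, declared in chains.items():
        if hook not in declared:
            continue
        reach = chains_reachable_from(table, hook, chains, rules)
        for tbl, chain, tokens in rules:
            if tbl == table and chain in reach and any(t in IIF_FLAGS for t in tokens):
                flagged.append((tbl, chain, tokens))
    return flagged


def drop_iif_match(tokens):
    """Remove '-i IFACE' / '! -i IFACE' from a rule: the fix the report proposes."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] in IIF_FLAGS:
            if out and out[-1] == "!":
                out.pop()       # the negation belonged to the dropped match
            i += 2              # skip the flag and the interface name
            continue
        out.append(tokens[i])
        i += 1
    return out


def iif_match(rule_iface, inverted, packet_iif, engine):
    """Model of an input-interface match. packet_iif is None when the hook
    supplies no input interface. Per the report: iptables compares against an
    empty string, so an inverted match is always true; nftables has no data
    to compare and the rule simply fails to match."""
    if packet_iif is None:
        if engine == "nftables":
            return False
        packet_iif = ""
    hit = packet_iif == rule_iface
    return not hit if inverted else hit


if __name__ == "__main__":
    for table, chain, tokens in find_ineffective_iif_matches(SAMPLE_DUMP):
        print(f"{table}/{chain}: {' '.join(tokens)}")
        print("  suggested:", " ".join(drop_iif_match(tokens)))
    for engine in ("iptables", "nftables"):
        print(engine, "'! -i qg-x' in POSTROUTING matches:", iif_match("qg-x", True, None, engine))
```

Run it against real output with `find_ineffective_iif_matches(open("dump").read())` after `iptables-save > dump` (or `iptables-legacy-save` / `iptables-nft-save`, depending on the backend) inside the router namespace; the PREROUTING rule is left alone because only chains actually traversed from the POSTROUTING hook are checked.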

