
yahoo-eng-team team mailing list archive

[Bug 1838760] [NEW] Security groups don't work for trunk ports with iptables_hybrid fw driver


Public bug reported:

When the iptables_hybrid firewall driver is used, security groups don't work
for trunk ports, as VLAN-tagged packets on the qbr bridge aren't filtered by
default at all.

I found it when I was trying to add a new CI job,
https://review.opendev.org/#/c/670738/, and I noticed that this job is
failing constantly on the Queens release.

On Rocky and newer this new job is fine, and the difference between those
jobs is firewall_driver: since Rocky we have been using the openvswitch fw driver
instead of iptables_hybrid. I also confirmed locally that when I
switched the firewall driver to openvswitch, the same test worked fine for me.

I did some debugging on the Queens release locally and it looks like the flag
/proc/sys/net/bridge/bridge-nf-filter-vlan-tagged should be set to 1 to
make it possible to filter VLAN-tagged traffic in iptables; see
https://ebtables.netfilter.org/documentation/bridge-nf.html for details.

But even if this knob is switched to "1", bigger changes are probably
required, as the VLAN header belonging to those packets should be
included in the iptables rules to match the proper packets.

My test was done on the stable/queens branch of neutron, but I'm pretty sure
that the same issue still exists in master. We simply don't see it, as we
are testing with the openvswitch fw driver.

** Affects: neutron
     Importance: High
         Status: Confirmed


** Tags: sg-fw trunk

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1838760
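The report hinges on two bridge-netfilter knobs: bridge-nf-call-iptables decides whether bridged IPv4 traffic on a Linux bridge (neutron's qbr bridge in the iptables_hybrid layout) is handed to iptables at all, and bridge-nf-filter-vlan-tagged decides whether that also happens for 802.1Q-tagged frames, which is what trunk subport traffic looks like on that bridge. The script below is an added example, not code from the bug report or from neutron; it checks both knobs and says which kind of traffic bypasses iptables. The function and helper names are the example's own, the sysctl directory is a parameter so the check can be exercised against a constructed copy of /proc/sys/net/bridge, and the sample values in make_sample_sysctl are constructed to mirror the default the reporter describes (untagged traffic filtered, tagged traffic not).

```shell
#!/bin/sh
# Added example, not part of the bug report or of neutron.
# Checks whether a Linux bridge (e.g. a neutron qbr bridge) will hand
# VLAN-tagged frames to iptables, based on the bridge-nf sysctl knobs.

# read_knob DIR NAME: print the 0/1 value of DIR/NAME, or "missing" when the
# file is absent (the whole directory is absent until br_netfilter is loaded).
read_knob() {
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        echo missing
    fi
}

# bridge_nf_vlan_filtering [SYSCTL_DIR]
#   0: both untagged and VLAN-tagged bridged IPv4 traffic reach iptables
#   1: some bridged traffic bypasses iptables (a fix command is printed)
#   2: the knobs are not present at all
bridge_nf_vlan_filtering() {
    dir=${1:-/proc/sys/net/bridge}
    call=$(read_knob "$dir" bridge-nf-call-iptables)
    vlan=$(read_knob "$dir" bridge-nf-filter-vlan-tagged)

    if [ "$call" = missing ] || [ "$vlan" = missing ]; then
        echo "no bridge-nf knobs under $dir (br_netfilter module not loaded?)"
        return 2
    fi
    if [ "$call" != 1 ]; then
        echo "bridged IPv4 traffic is not passed to iptables (bridge-nf-call-iptables=$call)"
        echo "fix: sysctl -w net.bridge.bridge-nf-call-iptables=1"
        return 1
    fi
    if [ "$vlan" != 1 ]; then
        echo "untagged traffic is filtered, VLAN-tagged traffic bypasses iptables (bridge-nf-filter-vlan-tagged=$vlan)"
        echo "fix: sysctl -w net.bridge.bridge-nf-filter-vlan-tagged=1"
        return 1
    fi
    echo "untagged and VLAN-tagged bridged IPv4 traffic are both passed to iptables"
    return 0
}

# Constructed sample (not taken from a real host): the default described in the
# report, where untagged traffic is filtered but VLAN-tagged traffic is not.
make_sample_sysctl() {
    d=$(mktemp -d)
    echo 1 > "$d/bridge-nf-call-iptables"
    echo 0 > "$d/bridge-nf-filter-vlan-tagged"
    echo "$d"
}

# Run with --demo to check the constructed sample; run without arguments on a
# compute node to check the live /proc/sys/net/bridge.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_sysctl)
    bridge_nf_vlan_filtering "$sample" || echo "exit status $?"
    rm -rf "$sample"
elif [ "${1:-}" = "--live" ]; then
    bridge_nf_vlan_filtering
fi
```

On a compute node the interesting case is exit status 1 with bridge-nf-call-iptables=1: that is exactly the state in which the physdev-based security group rules see the untagged traffic of a normal port but none of the tagged subport traffic of a trunk port. Flipping the knob only gets the tagged frames in front of iptables; whether the existing rules then match them is the separate question the report leaves open.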


