yahoo-eng-team team mailing list archive
Message #81908
[Bug 1867119] [NEW] [security] Adding allowed-address-pair 0.0.0.0/0 to one port opens all other ports' protocols under the same security group
Public bug reported:
[security] Adding allowed-address-pair 0.0.0.0/0 to one port opens all
other ports' protocols under the same security group
When adding allowed-address-pair 0.0.0.0/0 to one port, it unexpectedly opens all other ports' protocols under the same security group. First found in stable/queens, but also confirmed in the master branch.
IPv6 has the same problem!
Devstack test config:
[DEFAULT]
[l2pop]
[ml2]
type_drivers = flat,gre,vlan,vxlan
tenant_network_types = vxlan
extension_drivers = port_security,qos
mechanism_drivers = openvswitch,l2population
[ml2_type_vxlan]
vni_ranges = 10000:19999
[securitygroup]
firewall_driver = openvswitch
[ovs]
local_ip = 10.0.5.10
[agent]
tunnel_types = vxlan
l2_population = True
arp_responder = True
enable_distributed_routing = True
extensions = qos
Steps to reproduce:
1. Assuming you have the following VMs:
| 24231705-ee79-4643-ae5a-9f0f7ff8f8ba | dvr-ha-vm-2 | ACTIVE | dvr-ha=192.168.30.44, 172.16.12.220 | cirros | nano |
| 4865d216-9f95-40bf-a6b4-221e3af06798 | dvr-ha-vm-1 | ACTIVE | dvr-ha=192.168.30.64, 172.16.13.52 | cirros | nano |
$ nova interface-list 4865d216-9f95-40bf-a6b4-221e3af06798
+------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
| Port State | Port ID | Net ID | IP addresses | MAC Addr | Tag |
+------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
| ACTIVE | b333b1ca-bb9a-41fd-a878-b524ffbc6d7a | a9e82560-f1ac-4909-9afa-686b57df62fa | 192.168.30.64 | fa:16:3e:12:66:05 | - |
+------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
$ nova interface-list 24231705-ee79-4643-ae5a-9f0f7ff8f8ba
+------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
| Port State | Port ID | Net ID | IP addresses | MAC Addr | Tag |
+------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
| ACTIVE | 93197f48-3fe4-47f4-9d15-ba8728c00409 | a9e82560-f1ac-4909-9afa-686b57df62fa | 192.168.30.44 | fa:16:3e:14:ff:f1 | - |
+------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
2. Security group rules
$ openstack security group rule list 535018b5-7038-46f2-8f0e-2a6e193788aa --long|grep ingress
| 01015261-0ca3-49ad-b033-bc2036a58e26 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None |
| 36441851-7bd2-4680-be43-2f8119b65040 | icmp | IPv4 | 0.0.0.0/0 | | ingress | None |
| 8326f59e-cf26-4372-9913-30c71c036a2e | None | IPv6 | ::/0 | | ingress | 535018b5-7038-46f2-8f0e-2a6e193788aa |
| e47c6731-a0f7-42aa-8125-a9810e7b5a17 | None | IPv4 | 0.0.0.0/0 | | ingress | 535018b5-7038-46f2-8f0e-2a6e193788aa |
3. Start an nc test server on dvr-ha-vm-2
# nc -l -p 8000
4. Try to curl port 8000 of dvr-ha-vm-2 from the outside world
$ curl http://172.16.12.220:8000/index.html
curl: (7) Failed connect to 172.16.12.220:8000; Connection timed out
5. Add allowed address pair 0.0.0.0/0 to dvr-ha-vm-1
openstack port set --allowed-address ip-address=0.0.0.0/0 b333b1ca-bb9a-41fd-a878-b524ffbc6d7a
6. Try to curl port 8000 of dvr-ha-vm-2 again
It is connected!!!
# nc -l -p 8000
GET /index.html HTTP/1.1
User-Agent: curl/7.29.0
Host: 172.16.12.220:8000
Accept: */*
asdfasdf
asdfasdf
** Affects: neutron
Importance: Critical
Status: Confirmed
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1867119
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1867119/+subscriptions
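An added audit check for the condition this report describes (example code written for this page, not from the report or from Neutron): it computes the address set each ingress remote-group rule effectively matches from the member ports' fixed IPs and allowed address pairs, and flags any rule whose set contains a prefix as broad as 0.0.0.0/0 or ::/0. The port and rule records are constructed to mirror steps 1, 2 and 5 of the report, in a simplified shape that is an assumption here, not the Neutron API's.

```python
"""Audit check for the exposure in this bug report: an allowed address pair
of 0.0.0.0/0 (or ::/0) on one port makes every remote-group rule of that
port's security group match traffic from any source. Example code for this
page, not part of the report or of Neutron; records below are constructed."""
import ipaddress

SG = "535018b5-7038-46f2-8f0e-2a6e193788aa"
# Constructed port inventory (simplified shape, not the real Neutron API).
PORTS = {
    "b333b1ca-bb9a-41fd-a878-b524ffbc6d7a": {  # dvr-ha-vm-1, after step 5
        "security_groups": [SG], "fixed_ips": ["192.168.30.64"],
        "allowed_address_pairs": ["0.0.0.0/0"]},
    "93197f48-3fe4-47f4-9d15-ba8728c00409": {  # dvr-ha-vm-2
        "security_groups": [SG], "fixed_ips": ["192.168.30.44"],
        "allowed_address_pairs": []},
}
# Constructed rules mirroring the ingress listing in step 2.
RULES = [
    {"id": "01015261-0ca3-49ad-b033-bc2036a58e26", "direction": "ingress",
     "ethertype": "IPv4", "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "8326f59e-cf26-4372-9913-30c71c036a2e", "direction": "ingress",
     "ethertype": "IPv6", "remote_ip_prefix": None, "remote_group_id": SG},
    {"id": "e47c6731-a0f7-42aa-8125-a9810e7b5a17", "direction": "ingress",
     "ethertype": "IPv4", "remote_ip_prefix": None, "remote_group_id": SG},
]


def group_member_prefixes(ports, sg_id):
    """Address set a remote-group rule effectively matches: the fixed IPs and
    allowed address pairs of every port that belongs to sg_id."""
    prefixes = []
    for port in ports.values():
        if sg_id in port["security_groups"]:
            for addr in port["fixed_ips"] + port["allowed_address_pairs"]:
                prefixes.append(ipaddress.ip_network(addr, strict=False))
    return prefixes


def overbroad_remote_group_rules(ports, rules, max_prefixlen=8):
    """Flag ingress remote-group rules whose member set contains a prefix at
    least as broad as max_prefixlen (0.0.0.0/0 and ::/0 always qualify).
    Returns (rule id, ethertype, offending prefix) tuples."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress" or not rule["remote_group_id"]:
            continue
        want_version = 4 if rule["ethertype"] == "IPv4" else 6
        for net in group_member_prefixes(ports, rule["remote_group_id"]):
            if net.version == want_version and net.prefixlen <= max_prefixlen:
                findings.append((rule["id"], rule["ethertype"], str(net)))
    return findings
```

With the constructed data, only rule e47c6731 is flagged, because the IPv6 remote-group rule has no IPv6 member prefix; with the allowed address pair removed from dvr-ha-vm-1, nothing is flagged.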