yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1867119] Re: [security] Add allowed-address-pair 0.0.0.0/0 to one port will open all others' protocol under same security group

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: LIU Yulong <yulong@xxxxxxxxxxxxx>
Date: Thu, 12 Mar 2020 10:04:26 -0000
Reply-to: Bug 1867119 <1867119@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** This bug is no longer a duplicate of bug 1793029
   adding 0.0.0.0/0 address pair to a port  bypasses all other vm security groups

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1867119

Title:
  [security] Add allowed-address-pair 0.0.0.0/0 to one port will open
  all others' protocol under same security group

Status in neutron:
  In Progress

Bug description:
  [security] Add allowed-address-pair 0.0.0.0/0 to one port will open
  all others' protocol under same security group

  When add allowed-address-pair 0.0.0.0/0 to one port, it will unexpectedly open all others' protocol under same security group. First found in stable/queens, but also confirmed in master branch.
  IPv6 has the same problem!

  Devstack test config:
  [DEFAULT]
  [l2pop]
  [ml2]
  type_drivers = flat,gre,vlan,vxlan
  tenant_network_types = vxlan
  extension_drivers = port_security,qos
  mechanism_drivers = openvswitch,l2population

  [ml2_type_vxlan]
  vni_ranges = 10000:19999

  [securitygroup]
  firewall_driver = openvswitch
  [ovs]
  local_ip = 10.0.5.10

  [agent]
  tunnel_types = vxlan
  l2_population = True
  arp_responder = True
  enable_distributed_routing = True
  extensions = qos

  
  Step to reproduce:
  1. Assuming you have following VMs
  | 24231705-ee79-4643-ae5a-9f0f7ff8f8ba | dvr-ha-vm-2      | ACTIVE | dvr-ha=192.168.30.44, 172.16.12.220  | cirros | nano   |
  | 4865d216-9f95-40bf-a6b4-221e3af06798 | dvr-ha-vm-1      | ACTIVE | dvr-ha=192.168.30.64, 172.16.13.52   | cirros | nano   |

  $ nova interface-list 4865d216-9f95-40bf-a6b4-221e3af06798
  +------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
  | Port State | Port ID                              | Net ID                               | IP addresses  | MAC Addr          | Tag |
  +------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
  | ACTIVE     | b333b1ca-bb9a-41fd-a878-b524ffbc6d7a | a9e82560-f1ac-4909-9afa-686b57df62fa | 192.168.30.64 | fa:16:3e:12:66:05 | -   |
  +------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
  $ nova interface-list 24231705-ee79-4643-ae5a-9f0f7ff8f8ba
  +------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
  | Port State | Port ID                              | Net ID                               | IP addresses  | MAC Addr          | Tag |
  +------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
  | ACTIVE     | 93197f48-3fe4-47f4-9d15-ba8728c00409 | a9e82560-f1ac-4909-9afa-686b57df62fa | 192.168.30.44 | fa:16:3e:14:ff:f1 | -   |
  +------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+

  2. Security group rules
  $ openstack security group rule list 535018b5-7038-46f2-8f0e-2a6e193788aa --long|grep ingress
  | 01015261-0ca3-49ad-b033-bc2036a58e26 | tcp         | IPv4      | 0.0.0.0/0 | 22:22      | ingress   | None                                 |
  | 36441851-7bd2-4680-be43-2f8119b65040 | icmp        | IPv4      | 0.0.0.0/0 |            | ingress   | None                                 |
  | 8326f59e-cf26-4372-9913-30c71c036a2e | None        | IPv6      | ::/0      |            | ingress   | 535018b5-7038-46f2-8f0e-2a6e193788aa |
  | e47c6731-a0f7-42aa-8125-a9810e7b5a17 | None        | IPv4      | 0.0.0.0/0 |            | ingress   | 535018b5-7038-46f2-8f0e-2a6e193788aa |

  3. Start a nc test server in dvr-ha-vm-2
  # nc -l -p 8000

  4. Try to curl that dvr-ha-vm-2 port 8000 in the outside world
  $ curl http://172.16.12.220:8000/index.html
  curl: (7) Failed connect to 172.16.12.220:8000; Connection timed out

  5. Add allowed address pair 0.0.0.0/0 to dvr-ha-vm-1
  openstack port set  --allowed-address ip-address=0.0.0.0/0  b333b1ca-bb9a-41fd-a878-b524ffbc6d7a

  6. Try to curl that dvr-ha-vm-2 port 8000 again
  It is connected!!!

  # nc -l -p 8000 
  GET /index.html HTTP/1.1
  User-Agent: curl/7.29.0
  Host: 172.16.12.220:8000
  Accept: */*

  asdfasdf
  asdfasdf

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1867119/+subscriptions

References

[Bug 1867119] [NEW] [security] Add allowed-address-pair 0.0.0.0/0 to one port will open all others' protocol under same security group
From: LIU Yulong, 2020-03-12