Message #83969
[Bug 1896587] [NEW] iptables firewall driver doesn't drop invalid packets which match some SG rule
Public bug reported:
If there is, e.g., a user-defined SG rule which allows SCTP traffic, the iptables firewall driver will always match such traffic, even if it's marked as INVALID by conntrack.
This is due to the order of the rules in iptables:
Chain neutron-openvswi-i0133d93d-e (1 references)
pkts bytes target prot opt in out source destination
61 5493 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
2 728 RETURN udp -- * * 0.0.0.0/0 10.0.0.55 udp spt:67 dpt:68
0 0 RETURN udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set NIPv408140248-6eff-4e0d-aadf- src
0 0 RETURN sctp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */
With the openvswitch firewall driver it works properly: INVALID packets are dropped even if they could match some SG rules.
** Affects: neutron
Importance: Medium
Assignee: Slawek Kaplonski (slaweq)
Status: New
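The ordering problem described in the report, reproduced as an added example (not neutron code) that models iptables first-match semantics over the relevant rules of the chain above: in the reported order an INVALID SCTP packet hits the SG RETURN rule before the `state INVALID` DROP, whereas placing the DROP ahead of the SG rules (the assumed fix) drops it. Packets and rules are constructed inline.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    proto: str     # "tcp", "udp", "sctp", ...
    ctstate: str   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

@dataclass
class Rule:
    target: str                                # RETURN, DROP or a jump to another chain
    proto: Optional[str] = None                # None behaves like "all" in iptables
    states: frozenset = field(default_factory=frozenset)  # empty: no state match

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.states and pkt.ctstate not in self.states:
            return False
        return True

def evaluate(chain: list[Rule], pkt: Packet) -> str:
    """Return the target of the first matching rule, as iptables would."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return "neutron-openvswi-sg-fallback"  # unmatched traffic goes to the fallback chain

# Reduced version of the per-port chain quoted in the report (DHCP/ipset rules omitted)
ESTABLISHED = Rule("RETURN", states=frozenset({"RELATED", "ESTABLISHED"}))
SG_SCTP = Rule("RETURN", proto="sctp")                 # the user's SG rule allowing SCTP
DROP_INVALID = Rule("DROP", states=frozenset({"INVALID"}))
FALLBACK = Rule("neutron-openvswi-sg-fallback")

REPORTED_ORDER = [ESTABLISHED, SG_SCTP, DROP_INVALID, FALLBACK]  # as in the bug
FIXED_ORDER = [ESTABLISHED, DROP_INVALID, SG_SCTP, FALLBACK]     # assumed fix: INVALID drop first

if __name__ == "__main__":
    invalid_sctp = Packet("sctp", "INVALID")
    print("reported order:", evaluate(REPORTED_ORDER, invalid_sctp))  # RETURN (allowed)
    print("fixed order:   ", evaluate(FIXED_ORDER, invalid_sctp))     # DROP
```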
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1896587
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1896587/+subscriptions