yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2015449] [NEW] Remote security groups don't allow traffic from floating IPs

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Adam Oswick <2015449@xxxxxxxxxxxxxxxxxx>
Date: Thu, 06 Apr 2023 07:33:27 -0000
Reply-to: Bug 2015449 <2015449@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

Description
-----------
When a floating IP is attached to a VM, traffic destined for other nodes appears as coming from the floating IP rather than the fixed IP. However, the ipsets created for remote security group rules do not include the floating IP address meaning it is blocked.


Preconditions
-------------
- DVR is enabled


Reproduction steps
------------------
- Create a security group which allows traffic from other members of this security group
- Create two VMs with the aforementioned SG attached
- Ensure traffic from the two VMs can reach each other
- Create a floating IP and attach it to one of the VMs


Expected output
---------------
Traffic from the VM with the FIP attached can reach the other VM


Actual output
-------------
Traffic from the VM with the FIP attached cannot reach the other VM


Version
-------
Openstack Zed

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2015449

Title:
  Remote security groups don't allow traffic from floating IPs

Status in neutron:
  New

Bug description:
  Description
  -----------
  When a floating IP is attached to a VM, traffic destined for other nodes appears as coming from the floating IP rather than the fixed IP. However, the ipsets created for remote security group rules do not include the floating IP address meaning it is blocked.

  
  Preconditions
  -------------
  - DVR is enabled

  
  Reproduction steps
  ------------------
  - Create a security group which allows traffic from other members of this security group
  - Create two VMs with the aforementioned SG attached
  - Ensure traffic from the two VMs can reach each other
  - Create a floating IP and attach it to one of the VMs

  
  Expected output
  ---------------
  Traffic from the VM with the FIP attached can reach the other VM

  
  Actual output
  -------------
  Traffic from the VM with the FIP attached cannot reach the other VM

  
  Version
  -------
  Openstack Zed

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2015449/+subscriptions

Follow ups

[Bug 2015449] Re: Remote security groups don't allow traffic from floating IPs
From: Launchpad Bug Tracker, 2023-06-19