
yahoo-eng-team team mailing list archive

[Bug 2020060] [NEW] Stateless Feature of Security Group Not Functioning in Case Another Port on the Same Compute Uses Stateful


Public bug reported:

From my lab, I tried to apply a stateless security group to one port,
"172.26.9.54", and used hping3 to generate TCP connections while monitoring
the nf_conntrack count, but nothing took effect. After debugging the
iptables rules, I saw the following syntax error in iptables, which caused
the "no-track" policy to become ineffective:

This is the output from `iptables-save`:
## The port of the first server uses the same subnet (public subnet of the provider) - IP address 172.26.9.97
Line 33: -A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
Line 34: -A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
Line 35: -A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap076a0ad0-20 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099

## The port of the second server uses the same subnet (public subnet of the provider) - IP address 172.26.9.54
Line 52: -A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
Line 53: -A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
Line 54: -A neutron-linuxbri-PREROUTING -m physdev --physdev-in tapdec8b333-40 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: firewall group security stateless

** Tags added: firewall group security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2020060

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2020060/+subscriptions
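The six PREROUTING rules quoted in the report are enough to reproduce the effect offline. The following checker is an added example written for this page; it is not code from the bug report, from Neutron, or from the Launchpad thread. It encodes one fact about the kernel's CT target: once an earlier rule has attached a conntrack template (or the notrack marker) to a packet, later CT rules in the same traversal leave that packet untouched, so the first matching CT rule decides. A packet from a tap port also enters through its Linux bridge, so a bridge-wide `-i brq...` / `--physdev-in brq...` rule competes with the tap-specific rule. The bridge membership table (`BRIDGE_MEMBERS`) and the rule ordering are constructed from the report and are assumptions, not data taken from a live host.

```python
"""Find CT rules in iptables-save output that can never take effect.

Added example for the bug report above (not Neutron's code). Assumption
encoded here: the first CT rule that matches a packet decides its zone or
notrack status; later CT rules skip a packet that already carries one.
"""
import re

# Constructed sample: the six PREROUTING rules quoted in the report, in the
# order iptables-save printed them (the reporter's "Line NN:" prefixes dropped).
SAMPLE_RULES = """\
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
-A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap076a0ad0-20 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
-A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in tapdec8b333-40 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
"""

# Constructed assumption: both ports are on the same provider subnet, so both
# taps are assumed to be members of the single bridge named in the rules.
BRIDGE_MEMBERS = {"brq959cb64a-b4": ["tap076a0ad0-20", "tapdec8b333-40"]}

# One CT rule: chain, the ingress interface it keys on (-i or --physdev-in),
# the comment Neutron attached, and the CT action (zone N or notrack).
RULE_RE = re.compile(
    r'^-A (?P<chain>\S+)'
    r'.*?(?:-i|--physdev-in) (?P<iface>\S+)'
    r'.*?--comment "(?P<comment>[^"]*)"'
    r'.*?-j CT (?P<action>--notrack|--zone \d+)'
)


def parse_ct_rules(text):
    """Return the CT rules found in iptables-save text, as dicts, in order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def effective_ct_action(port, rules, bridge_members=BRIDGE_MEMBERS):
    """Return the CT rule a packet entering on `port` hits first.

    Rules keyed on the port's bridge match the same packet, so they compete
    with the port's own rule; whichever comes first in the chain wins.
    """
    bridges = [b for b, members in bridge_members.items() if port in members]
    for rule in rules:
        if rule["iface"] == port or rule["iface"] in bridges:
            return rule
    return None


def shadowed_rules(rules, bridge_members=BRIDGE_MEMBERS):
    """List (port, winning_rule, shadowed_rule) for every port whose own CT
    rule asks for a different action than the rule that actually wins."""
    findings = []
    ports = {p for members in bridge_members.values() for p in members}
    for port in sorted(ports):
        winner = effective_ct_action(port, rules, bridge_members)
        if winner is None:
            continue
        for rule in rules:
            if rule["iface"] == port and rule["action"] != winner["action"]:
                findings.append((port, winner, rule))
    return findings


if __name__ == "__main__":
    parsed = parse_ct_rules(SAMPLE_RULES)
    for port, winner, lost in shadowed_rules(parsed):
        print(f"{port}: wants '{lost['action']}' ({lost['comment']}) but "
              f"first match is '{winner['action']}' via {winner['iface']} "
              f"({winner['comment']})")
```

Run against the sample, the checker reports that tapdec8b333-40 asks for `--notrack` but its packets first hit the bridge-wide `--zone 4099` rule installed for the other port, which matches the reporter's observation that conntrack entries kept being created. Feeding it real `iptables-save -t raw` output only requires filling `BRIDGE_MEMBERS` from `bridge link` or `ip link` on the compute node.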