yahoo-eng-team team mailing list archive
Message #93527
[Bug 2054324] [NEW] Iptables rule wrong if created a rule with protocol 4
Public bug reported:
I followed this document to create a security group rule for the requirement "Allow ingress Protocol IPIP or 4", and I used the "ipip" value
https://docs.openstack.org/api-ref/network/v2/index.html#create-security-group-rule
btw, I expected my iptables rule on the nova compute node to be "-A INPUT -s 172.16.2.0/24 -p 4 -j ACCEPT", but the runtime rule in the kernel was "-A INPUT -s 172.16.2.0/24 -p ipip -j ACCEPT" and the proto number was 94, not 4
// the rules output for one port
Chain neutron-linuxbri-idf95737e-7 (1 references)
pkts bytes target prot opt in out source destination
115K 219M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
0 0 RETURN udp -- * * 0.0.0.0/0 172.16.2.165 udp spt:67 dpt:68
0 0 RETURN udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
0 0 RETURN 94 -- * * 172.16.2.0/24 0.0.0.0/0
0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0 udp dpt:8472
0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:4240
0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0 udp multiport dports 30000:32767
1 90 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:10250
0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:4245
512 30720 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp multiport dports 30000:32767
0 0 RETURN icmp -- * * 172.16.2.0/24 0.0.0.0/0
0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0 udp dpt:4789
0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:4244
2 142 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:179
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
14 2122 neutron-linuxbri-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */
** Affects: neutron
Importance: Undecided
Status: New
** Description changed:
- I followed this document to create security group rule for requirement "Allow ingress Protocol IPIP or 4" and I used "ip" value
+ I followed this document to create security group rule for requirement "Allow ingress Protocol IPIP or 4" and I used "ipip" value
https://docs.openstack.org/api-ref/network/v2/index.html#create-security-group-rule
And I expected my iptables rule on nova compute is "-A INPUT -s 172.16.2.0/24 -p 4 -j ACCEPT" but the runtime rule in kernel was "-A INPUT -s 172.16.2.0/24 -p ipip -j ACCEPT" and proto number was 94 not 4
// the rules output for one port
Chain neutron-linuxbri-idf95737e-7 (1 references)
- pkts bytes target prot opt in out source destination
- 115K 219M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
- 0 0 RETURN udp -- * * 0.0.0.0/0 172.16.2.165 udp spt:67 dpt:68
- 0 0 RETURN udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
- 0 0 RETURN 94 -- * * 172.16.2.0/24 0.0.0.0/0
- 0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0 udp dpt:8472
- 0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:4240
- 0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0 udp multiport dports 30000:32767
- 1 90 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:10250
- 0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:4245
- 512 30720 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp multiport dports 30000:32767
- 0 0 RETURN icmp -- * * 172.16.2.0/24 0.0.0.0/0
- 0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0 udp dpt:4789
- 0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:4244
- 2 142 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:179
- 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
- 14 2122 neutron-linuxbri-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */
+ pkts bytes target prot opt in out source destination
+ 115K 219M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
+ 0 0 RETURN udp -- * * 0.0.0.0/0 172.16.2.165 udp spt:67 dpt:68
+ 0 0 RETURN udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
+ 0 0 RETURN 94 -- * * 172.16.2.0/24 0.0.0.0/0
+ 0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0 udp dpt:8472
+ 0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:4240
+ 0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0 udp multiport dports 30000:32767
+ 1 90 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:10250
+ 0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:4245
+ 512 30720 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp multiport dports 30000:32767
+ 0 0 RETURN icmp -- * * 172.16.2.0/24 0.0.0.0/0
+ 0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0 udp dpt:4789
+ 0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:4244
+ 2 142 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:179
+ 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
+ 14 2122 neutron-linuxbri-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */
** Description changed:
I followed this document to create security group rule for requirement "Allow ingress Protocol IPIP or 4" and I used "ipip" value
https://docs.openstack.org/api-ref/network/v2/index.html#create-security-group-rule
- And I expected my iptables rule on nova compute is "-A INPUT -s 172.16.2.0/24 -p 4 -j ACCEPT" but the runtime rule in kernel was "-A INPUT -s 172.16.2.0/24 -p ipip -j ACCEPT" and proto number was 94 not 4
+ btw I expected my iptables rule on nova compute is "-A INPUT -s 172.16.2.0/24 -p 4 -j ACCEPT" but the runtime rule in kernel was "-A INPUT -s 172.16.2.0/24 -p ipip -j ACCEPT" and proto number was 94 not 4
// the rules output for one port
Chain neutron-linuxbri-idf95737e-7 (1 references)
pkts bytes target prot opt in out source destination
115K 219M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
0 0 RETURN udp -- * * 0.0.0.0/0 172.16.2.165 udp spt:67 dpt:68
0 0 RETURN udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
0 0 RETURN 94 -- * * 172.16.2.0/24 0.0.0.0/0
0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0 udp dpt:8472
0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:4240
0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0 udp multiport dports 30000:32767
1 90 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:10250
0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:4245
512 30720 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp multiport dports 30000:32767
0 0 RETURN icmp -- * * 172.16.2.0/24 0.0.0.0/0
0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0 udp dpt:4789
0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:4244
2 142 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0 tcp dpt:179
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
14 2122 neutron-linuxbri-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2054324
Title:
Iptables rule wrong if created a rule with protocol 4
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2054324/+subscriptions
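Added worked example (not part of the bug report above and not Neutron's code). The reporter's observation is consistent with how iptables resolves a symbolic protocol: "-p ipip" is looked up in /etc/protocols, and on Linux that file names protocol 4 "ipencap" (IP-ENCAP) while the name "ipip" is bound to protocol 94, even though IANA's protocol 4 is IP-in-IP encapsulation. A rule rendered with the name therefore matches protocol 94 in the kernel, so the intended IP-in-IP traffic from 172.16.2.0/24 falls through to the fallback chain while protocol 94 is admitted instead. The script below reproduces the lookup against a constructed excerpt of /etc/protocols, flags the name whose intended and kernel numbers disagree, and renders the rule by number so the kernel cannot reinterpret it. The SG_PROTOCOL_NUMBERS table is an assumption based on IANA assignments for the names the API reference lists, not Neutron's own constants. On a real compute node the same check is `getent protocols ipip` (prints 94) and `iptables -nvL`, which shows the resolved number.

```python
"""Reproduce the protocol-name ambiguity behind the iptables rule in the bug above.

iptables resolves a symbolic protocol (-p ipip) through /etc/protocols.  On
Linux that file names protocol 4 "ipencap" and protocol 94 "ipip", so a rule
rendered with the name "ipip" matches protocol 94, not the protocol 4
(IP-in-IP) the security-group rule intended.  Rendering the rule with the
number instead removes the ambiguity.
"""
from __future__ import annotations

# Constructed excerpt of a Linux /etc/protocols (netbase).  The two lines that
# matter are "ipencap 4" and "ipip 94".
ETC_PROTOCOLS = """\
# Internet (IP) protocols
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
igmp    2       IGMP            # Internet Group Management
ipencap 4       IP-ENCAP        # IP encapsulated in IP (officially ``IP'')
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
gre     47      GRE             # General Routing Encapsulation
esp     50      IPSEC-ESP       # Encap Security Payload [RFC2406]
ah      51      IPSEC-AH        # Authentication Header [RFC2402]
ipip    94      IPIP            # Yet Another IP encapsulation
sctp    132     SCTP            # Stream Control Transmission Protocol
"""

# Assumed meaning of the symbolic names a security-group rule accepts, taken
# from the IANA protocol-number registry (not Neutron's own constants table).
# "ipip" here is 4, which is exactly where it diverges from /etc/protocols.
SG_PROTOCOL_NUMBERS = {
    "icmp": 1, "igmp": 2, "ipip": 4, "tcp": 6, "udp": 17,
    "gre": 47, "esp": 50, "ah": 51, "sctp": 132,
}


def parse_protocols(text: str) -> dict[str, int]:
    """Parse /etc/protocols-style lines into {name_or_alias: number}."""
    table: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue
        number = int(fields[1])
        # The canonical name and every alias resolve to the same number.
        for name in [fields[0]] + fields[2:]:
            table[name.lower()] = number
    return table


def kernel_protocol_number(proto: str, protocols: dict[str, int]) -> int:
    """Resolve a -p argument the way iptables does: numbers as-is, names via /etc/protocols."""
    if proto.isdigit():
        return int(proto)
    try:
        return protocols[proto.lower()]
    except KeyError:
        raise ValueError(f"unknown protocol name {proto!r}") from None


def intended_protocol_number(proto: str) -> int:
    """Number the security-group API means by a symbolic name (or a literal number)."""
    return int(proto) if proto.isdigit() else SG_PROTOCOL_NUMBERS[proto.lower()]


def check_rule_intent(proto: str, protocols: dict[str, int]) -> tuple[int, int]:
    """Return (intended number, number the kernel would match).

    A mismatch means the installed rule admits a different protocol than the
    security-group rule asked for.
    """
    return intended_protocol_number(proto), kernel_protocol_number(proto, protocols)


def sg_rule_to_iptables(proto: str, source_cidr: str, chain: str = "INPUT") -> str:
    """Render the rule by protocol number only, so the kernel cannot reinterpret a name."""
    number = intended_protocol_number(proto)
    if not 0 <= number <= 255:
        raise ValueError(f"protocol number out of range: {number}")
    return f"-A {chain} -s {source_cidr} -p {number} -j ACCEPT"


if __name__ == "__main__":
    table = parse_protocols(ETC_PROTOCOLS)
    for name in ("tcp", "udp", "gre", "ipip"):
        intended, actual = check_rule_intent(name, table)
        flag = "" if intended == actual else "  <-- mismatch"
        print(f"{name:6} intended={intended:<3} kernel={actual:<3}{flag}")
    print(sg_rule_to_iptables("ipip", "172.16.2.0/24"))
```

Running it prints one mismatch line, for "ipip" (intended 4, kernel 94), and the numeric rule "-A INPUT -s 172.16.2.0/24 -p 4 -j ACCEPT". The design point is that any layer which translates a policy name into a firewall rule should emit the number it means rather than a name that a different table gets to resolve; the same applies to nftables and to the OVS firewall driver.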