when a port has multiple IP addresses the port cannot communicate

Bug #1190613 reported by Akihiro Motoki
Affects   Status        Importance   Assigned to    Milestone
neutron   Fix Released  Critical     Anton Frolov
Grizzly   Fix Released  Critical     Gary Kotton

Bug Description

When a port has multiple IP addresses, the iptables security group implementation drops all the packets from the port. As a result the port cannot communicate.

The following rules are the cause. All IP packets match one of them and are dropped.

    0 0 DROP all -- * * !10.0.0.10 0.0.0.0/0
    0 0 DROP all -- * * !10.0.0.3 0.0.0.0/0

We need to change the rules to accept packets with one of the addresses.
However, iptables rules do not support an AND condition with the ! (not) operator,
so we seem to need another chain to check multiple IP addresses. Hmm....

ubuntu@ostack02:~/devstack (master)$ nova list
+--------------------------------------+------+--------+------------+-------------+--------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+------+--------+------------+-------------+--------------------------+
| bfd3cbc9-8bf7-4334-9fff-65e3d81dc28c | vm3 | ACTIVE | None | Running | net1=10.0.0.10, 10.0.0.3 |
+--------------------------------------+------+--------+------------+-------------+--------------------------+

ubuntu@ostack02:~/devstack (master)$ quantum port-show 3d6b255d-126b-4569-8cf0-c12d263dcd60
+-----------------+----------------------------------------------------------------------------------+
| Field | Value |
+-----------------+----------------------------------------------------------------------------------+
| admin_state_up | True |
| device_id | bfd3cbc9-8bf7-4334-9fff-65e3d81dc28c |
| device_owner | compute:None |
| fixed_ips | {"subnet_id": "df0395d8-1540-45aa-87c3-ad793949910b", "ip_address": "10.0.0.10"} |
| | {"subnet_id": "df0395d8-1540-45aa-87c3-ad793949910b", "ip_address": "10.0.0.3"} |
| id | 3d6b255d-126b-4569-8cf0-c12d263dcd60 |
| mac_address | fa:16:3e:6c:a3:8c |
| name | |
| network_id | 370c8404-7dd0-41f2-969e-2507b3006b18 |
| security_groups | 69de8500-0c16-48c0-abb7-d6dcedfb05ab |
| status | ACTIVE |
| tenant_id | 86d9d4a34eb545358ca620d8193b2081 |
+-----------------+----------------------------------------------------------------------------------+

Chain quantum-openvswi-o3d6b255d-1 (2 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MAC ! FA:16:3E:6C:A3:8C
    0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    0 0 DROP all -- * * !10.0.0.10 0.0.0.0/0
    0 0 DROP all -- * * !10.0.0.3 0.0.0.0/0
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 quantum-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0
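
The rule logic from this report, as an added example that is not Neutron's own code: a small evaluator for iptables-style source selectors that walks a chain top to bottom, applied to the two flat `DROP ! src` rules shown above and to the dedicated per-port chain (RETURN per address, DROP at the end) that the fix introduces. The addresses are the port's fixed_ips from the report; the spoofed source 10.0.0.99 is a constructed probe.

```python
# Added example (not Neutron's own code): model the anti-spoofing rules
# from bug #1190613 and compare the buggy flat rules with the fixed chain.
import ipaddress

PORT_IPS = ["10.0.0.10", "10.0.0.3"]  # fixed_ips of the port in the report


def buggy_rules(ips):
    """Grizzly behaviour: one 'DROP ! src' rule per address in one chain.
    With two or more addresses every source matches at least one rule."""
    return [("DROP", f"!{ip}") for ip in ips]


def fixed_rules(ips):
    """Post-fix behaviour: separate chain with a RETURN rule per assigned
    address and an unconditional DROP at the end."""
    return [("RETURN", ip) for ip in ips] + [("DROP", "0.0.0.0/0")]


def matches(src, selector):
    """True if packet source `src` matches an iptables source selector;
    a leading '!' negates the match, as in the '!10.0.0.10' rules above."""
    negate = selector.startswith("!")
    net = ipaddress.ip_network(selector.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(src) in net
    return hit != negate


def verdict(rules, src):
    """First matching rule decides. Falling off the end of a user chain
    is treated as RETURN (processing continues in the calling chain)."""
    for target, selector in rules:
        if matches(src, selector):
            return target
    return "RETURN"


def allowed_sources(rules, candidates):
    """Sources that get past the anti-spoofing rules (anything not DROPped)."""
    return [s for s in candidates if verdict(rules, s) != "DROP"]


if __name__ == "__main__":
    probes = PORT_IPS + ["10.0.0.99"]  # two legitimate sources, one spoofed
    print("buggy:", allowed_sources(buggy_rules(PORT_IPS), probes))   # []
    print("fixed:", allowed_sources(fixed_rules(PORT_IPS), probes))   # both real IPs
```

With a single fixed IP the buggy form behaves correctly, which is why the defect only surfaces on ports with multiple addresses.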

Tags: sg-fw
Changed in quantum:
status: New → Triaged
importance: Undecided → Critical
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/33091

Changed in quantum:
assignee: nobody → Anton Frolov (anton0)
status: Triaged → In Progress
Gary Kotton (garyk)
tags: added: grizzly-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (master)

Reviewed: https://review.openstack.org/33091
Committed: http://github.com/openstack/quantum/commit/531ff2fb34df9e6b0f84ada811c29240f0f1cd48
Submitter: Jenkins
Branch: master

commit 531ff2fb34df9e6b0f84ada811c29240f0f1cd48
Author: Anton Frolov <email address hidden>
Date: Fri Jun 14 21:01:50 2013 +0400

    Fix IP spoofing filter blocking all packets.

    Implement IP spoofing filter by adding yet another chain to iptables
    with RETURN rule for each of IP addresses assigned to port and DROP
    rule at the end of the chain.

    Fixes: bug #1190613
    Change-Id: I2e7a0f8dd4c3519c57d28e87a44735a3482624b1

Changed in quantum:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/33813

Changed in quantum:
milestone: none → havana-2
OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (stable/grizzly)

Reviewed: https://review.openstack.org/33813
Committed: http://github.com/openstack/quantum/commit/1ee62c6892542fe0e2dc4ac81a8446100d784f3b
Submitter: Jenkins
Branch: stable/grizzly

commit 1ee62c6892542fe0e2dc4ac81a8446100d784f3b
Author: Anton Frolov <email address hidden>
Date: Fri Jun 14 21:01:50 2013 +0400

    Fix IP spoofing filter blocking all packets.

    Implement IP spoofing filter by adding yet another chain to iptables
    with RETURN rule for each of IP addresses assigned to port and DROP
    rule at the end of the chain.

    Fixes: bug #1190613
    Change-Id: I2e7a0f8dd4c3519c57d28e87a44735a3482624b1
    (cherry picked from commit 531ff2fb34df9e6b0f84ada811c29240f0f1cd48)

tags: added: in-stable-grizzly
Gary Kotton (garyk)
tags: removed: grizzly-backport-potential
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Alan Pevec (apevec)
tags: removed: in-stable-grizzly
Thierry Carrez (ttx)
Changed in neutron:
milestone: havana-2 → 2013.2