GBP default security group allows outbound access to the Internet

Bug #1479169 reported by ransari
Affects: Group Based Policy
Status: Fix Released
Importance: High
Assigned to: Ivar Lazzaro

Bug Description

A default security group gbp_<uuid of group> is created that enables access as follows:
neutron security-group-show gbp_b7f86b91-60c4-4a50-a4f9-008f6d5f0f15
+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| description | default |
| id | 11bb48b8-8e5c-409e-b026-b6c270167320 |
| name | gbp_b7f86b91-60c4-4a50-a4f9-008f6d5f0f15 |
| security_group_rules | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "7b5ea150741946a29e2747b86bcce227", "port_range_max": null, "security_group_id": "11bb48b8-8e5c-409e-b026-b6c270167320", "port_range_min": null, "ethertype": "IPv4", "id": "19dced83-ad32-4007-9d75-36a125bf409d"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "11.0.0.0/26", "protocol": null, "tenant_id": "7b5ea150741946a29e2747b86bcce227", "port_range_max": null, "security_group_id": "11bb48b8-8e5c-409e-b026-b6c270167320", "port_range_min": null, "ethertype": "IPv4", "id": "8c16ff8d-c704-4f61-8a59-ae268dd33db7"} |
| | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "7b5ea150741946a29e2747b86bcce227", "port_range_max": null, "security_group_id": "11bb48b8-8e5c-409e-b026-b6c270167320", "port_range_min": null, "ethertype": "IPv6", "id": "f503e458-d006-4b99-bd0f-58effbfd58b8"} |
| tenant_id | 7b5ea150741946a29e2747b86bcce227 |
+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Because of the conntracking support in the iptables rules that are rendered on qbr, the above rules translate to enabling ingress traffic for RELATED/ESTABLISHED states.
Thus, even without specifying an external policy as a consumer, ssh connections from the VM to the external world are allowed and ping to an external ip is successful as well.
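As an added illustration (not code from this report or from the GBP project), the Python below audits Neutron security group rules for the "egress to ALL" shape described above and shows how the approach taken by the fix, egress limited to provider/consumer CIDRs, reshapes such rules. The sample rules are constructed from the output shown; the allowed CIDRs passed to restrict_egress are assumptions.

```python
from ipaddress import ip_network

# Constructed sample modelled on the three rules shown in the report
# (id, tenant_id and security_group_id fields omitted as irrelevant here).
SAMPLE_RULES = [
    {"direction": "egress", "remote_ip_prefix": None, "remote_group_id": None,
     "protocol": None, "port_range_min": None, "port_range_max": None,
     "ethertype": "IPv4"},
    {"direction": "ingress", "remote_ip_prefix": "11.0.0.0/26", "remote_group_id": None,
     "protocol": None, "port_range_min": None, "port_range_max": None,
     "ethertype": "IPv4"},
    {"direction": "egress", "remote_ip_prefix": None, "remote_group_id": None,
     "protocol": None, "port_range_min": None, "port_range_max": None,
     "ethertype": "IPv6"},
]


def is_wide_egress(rule):
    """True for an 'egress to ALL' rule: no remote CIDR, no remote group,
    no protocol. With stateful (conntrack) rendering the replies to any
    session the VM opens are admitted as RELATED/ESTABLISHED, so one such
    rule is enough to reach arbitrary destinations without a consumed PRS."""
    return (rule["direction"] == "egress"
            and rule.get("remote_ip_prefix") is None
            and rule.get("remote_group_id") is None
            and rule.get("protocol") is None)


def find_wide_egress(rules):
    """Audit helper: return every rule that should be flagged."""
    return [r for r in rules if is_wide_egress(r)]


def restrict_egress(rules, allowed_cidrs):
    """Replace each wide egress rule with one egress rule per allowed CIDR
    of the matching ethertype; a wide rule with no matching CIDR is dropped
    (hypothetical allowed_cidrs stand in for the providers'/consumers' cidrs)."""
    out = []
    for rule in rules:
        if not is_wide_egress(rule):
            out.append(dict(rule))
            continue
        want_version = 4 if rule["ethertype"] == "IPv4" else 6
        for cidr in allowed_cidrs:
            net = ip_network(cidr)
            if net.version == want_version:
                out.append(dict(rule, remote_ip_prefix=str(net)))
    return out
```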

This bug can be reproduced as follows:
1. Create a group and launch a member.
2. Assign floating ip to the VM
3. Login to VM and try to ssh to an external ip or ping an external ip
4. ssh/ping is successful even though an external policy isn't consumed, nor does the group have a Provided PRS

information type: Private Security → Public
summary: - GBP default security group allows inbound access to on any ports from
- the Internet
+ GBP default security group allows inbound access to ports from the
+ Internet
summary: - GBP default security group allows inbound access to ports from the
- Internet
+ GBP default security group allows outbound access to the Internet
Changed in group-based-policy:
status: New → Triaged
assignee: nobody → Ivar Lazzaro (mmaleckk)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to group-based-policy (master)

Fix proposed to branch: master
Review: https://review.openstack.org/207250

Changed in group-based-policy:
status: Triaged → In Progress
Changed in group-based-policy:
importance: Undecided → High
milestone: none → kilo-gbp-4
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to group-based-policy (master)

Reviewed: https://review.openstack.org/207250
Committed: https://git.openstack.org/cgit/stackforge/group-based-policy/commit/?id=97a842e6ebef62e612076330eef9b8f9a421009b
Submitter: Jenkins
Branch: master

commit 97a842e6ebef62e612076330eef9b8f9a421009b
Author: Ivar Lazzaro <email address hidden>
Date: Wed Jul 29 16:02:18 2015 -0700

    remove wide egress rules from PRS security groups

    In order to avoid unwanted outgoing traffic, this patch completely eliminates
    the 'egress to ALL' rules we have and replaces them with the correct set of
    rules filtered by the providers/consumers' cidrs.

    Change-Id: I7c46723b1354553663eaa51e7b2fd52fcdf6b096
    Closes-bug: 1479169

Changed in group-based-policy:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to group-based-policy (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/213529

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to group-based-policy (stable/juno)

Reviewed: https://review.openstack.org/213529
Committed: https://git.openstack.org/cgit/stackforge/group-based-policy/commit/?id=aabaf1eac20feb99fbe2cc0e4249c4af89eabf3b
Submitter: Jenkins
Branch: stable/juno

commit aabaf1eac20feb99fbe2cc0e4249c4af89eabf3b
Author: Ivar Lazzaro <email address hidden>
Date: Wed Jul 29 16:02:18 2015 -0700

    remove wide egress rules from PRS security groups

    In order to avoid unwanted outgoing traffic, this patch completely eliminates
    the 'egress to ALL' rules we have and replaces them with the correct set of
    rules filtered by the providers/consumers' cidrs.

    Change-Id: I7c46723b1354553663eaa51e7b2fd52fcdf6b096
    Closes-bug: 1479169

tags: added: in-stable-juno
Changed in group-based-policy:
status: Fix Committed → Fix Released
Changed in group-based-policy:
status: Fix Released → New
Revision history for this message
ransari (rukhsana-ansari) wrote :

Re-opened bug because of the following observation:

Upgraded to the new rpm which included the fix and launched a new member in a PTG with an existing PRS. Default egress security rules were not updated to reflect the new restrictive logic.

Revision history for this message
Ivar Lazzaro (mmaleckk) wrote :

Would unprovide/unconsume all the PRSs and then provide/consume them again help to solve the issue for existing deployments?

Revision history for this message
Sumit Naiksatam (snaiksat) wrote :

The issue was reopened because existing SG rules were not updated. However this needs to be handled independently by a migration script.

Changed in group-based-policy:
status: New → Fix Released
Revision history for this message
ransari (rukhsana-ansari) wrote :

Agree with Sumit's recommendation. Bug can be closed.
