default security group with multiple subnets can expose all services to internet
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
neutron | New | Undecided | Unassigned |
Bug Description
The Default security group permits connections from other members via an ipset definition. In a project which has multiple networks/subnets, this ipset gets the following entries added:
0.0.0.0/1
128.0.0.0/1
Combined with a floating IP assignment, the result is that all services are exposed to the Internet regardless of all other security group policies applied.
Example Default security group definition:
routergod@
created_
description=
id="b74db3fa-
name="default"
project_
revision_number="1"
rules="
created_
created_
created_
updated_
The ipset definition in the hypervisor:
root@oshv07:~# ipset list
Name: NIPv4b74db3fa-
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1688
References: 14
Number of entries: 22
Members:
192.168.4.7
192.168.4.11
192.168.4.14
192.168.4.36
192.168.4.35
192.168.4.15
192.168.4.26
192.168.4.27
192.168.2.19
192.168.4.46
192.168.4.28
128.0.0.0/1
192.168.4.13
192.168.1.5
192.168.4.10
192.168.4.22
0.0.0.0/1
192.168.4.30
192.168.4.20
192.168.4.19
192.168.4.16
192.168.4.25
This is a similar definition for a project where there is only one subnet:
Name: NIPv4b7c8d07b-
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 792
References: 7
Number of entries: 7
Members:
192.168.1.14
192.168.1.13
192.168.1.11
192.168.1.5
192.168.1.24
192.168.1.10
192.168.1.8
This has been verified on Mitaka with Linux Bridging and on Queens with OVS.
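As an added example (not part of the bug report and not Neutron's own code): a small Python checker that parses `ipset list` output like the listings above, flags remote-group members that fall outside the project's own subnets, and detects the case where the members' union is the entire IPv4 space, which is exactly what 0.0.0.0/1 plus 128.0.0.0/1 amounts to. The sample listing is abridged from the two ipsets shown above (the set names are truncated exactly as they appear on this page); the project range 192.168.0.0/16 passed to the audit is an assumption, since the report does not state the project's subnet CIDRs.

```python
import ipaddress

# Constructed sample: abridged from the two `ipset list` outputs in the bug
# description above. Set names keep the truncation that appears on the page.
SAMPLE_IPSET_LIST = """\
Name: NIPv4b74db3fa-
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1688
References: 14
Number of entries: 22
Members:
192.168.4.7
192.168.4.11
128.0.0.0/1
192.168.4.13
0.0.0.0/1
192.168.4.30

Name: NIPv4b7c8d07b-
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 792
References: 7
Number of entries: 7
Members:
192.168.1.14
192.168.1.13
192.168.1.11
"""


def parse_ipset_list(text):
    """Parse `ipset list` output into {set_name: [ip_network, ...]}.

    Only the block after each "Members:" line is read as entries; header
    lines (Type, Revision, Header, ...) are skipped. A blank line ends a set.
    Bare addresses become /32 (or /128) networks.
    """
    sets = {}
    current = None
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = []
            in_members = False
        elif line == "Members:":
            in_members = True
        elif in_members and line and current is not None:
            sets[current].append(ipaddress.ip_network(line, strict=False))
        elif not line:
            in_members = False
    return sets


def audit_remote_group_set(members, expected_prefixes):
    """Return the members that are not contained in any expected subnet.

    expected_prefixes: the project's own subnet CIDRs (assumed to be supplied
    by the operator from the Neutron subnet list). Anything that is not a
    subnet of one of them should not be in a remote-group ipset at all.
    """
    expected = [ipaddress.ip_network(p) for p in expected_prefixes]
    flagged = []
    for m in members:
        contained = any(
            m.version == e.version and m.subnet_of(e) for e in expected
        )
        if not contained:
            flagged.append(m)
    return flagged


def covers_entire_ipv4(members):
    """True when the IPv4 members collapse to 0.0.0.0/0.

    collapse_addresses merges adjacent prefixes (0.0.0.0/1 + 128.0.0.0/1 ->
    0.0.0.0/0) and drops prefixes already covered by a larger one, so a set
    that reaches everything collapses to the single default route.
    """
    v4 = [m for m in members if m.version == 4]
    collapsed = list(ipaddress.collapse_addresses(v4))
    return collapsed == [ipaddress.ip_network("0.0.0.0/0")]


def audit_all(text, expected_prefixes):
    """Run both checks over every set in an `ipset list` dump."""
    report = {}
    for name, members in parse_ipset_list(text).items():
        report[name] = {
            "outside_project": [str(n) for n in audit_remote_group_set(members, expected_prefixes)],
            "covers_all_ipv4": covers_entire_ipv4(members),
        }
    return report


if __name__ == "__main__":
    # Hypothetical project range; replace with the real subnet CIDRs.
    for name, result in audit_all(SAMPLE_IPSET_LIST, ["192.168.0.0/16"]).items():
        print(name, result)
```

On a hypervisor the dump would come from `ipset list` rather than the embedded sample; any Neutron remote-group set (the `NIPv4...`/`NIPv6...` names) whose members collapse to the default route, or which contains prefixes outside the project's subnets, is one to investigate before a floating IP is attached to a port in that group.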
Can you share exact steps to reproduce this issue? What networks and subnets have you created for the tenant, what VMs have you created, and so on?
I just tried to reproduce this issue on devstack with the master branch. I had a network with 2 IPv4 subnets, but when I created a VM connected to this network I didn't get such entries in the ipset as you described above.