In OVS hybrid, avoid "qbr" from replying to ARP packets if the IP is local in the system

Bug #1825888 reported by Rodolfo Alonso
This bug affects 1 person

Affects   Status          Importance   Assigned to       Milestone
os-vif    Fix Released    High         Rodolfo Alonso
Queens    Fix Committed   High         Matt Riedemann
Rocky     Fix Committed   High         Rodolfo Alonso
Stein     Fix Committed   High         Rodolfo Alonso

Bug Description

This problem can arise if a tenant private network has the same subnet as the management network. If the management interface (which should be totally isolated from the tenant traffic) has the same IP as a new VM, the DHCP allocation process will fail. Some operating systems (RHEL, CentOS, etc.) will send an ARP request to confirm the IP address given by the DHCP server is not used by another network entity. In the case described, the hybrid bridge ("qbr...") will reply to this ARP because the IP is local (belongs to the management interface).

We should block this Linux Bridge ("qbr...") from replying to any ARP with an IP non-local to this interface. Because it has no IP assigned, it should not reply to any confirmation ARP.

More info: http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP

Changed in os-vif:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-vif (master)

Fix proposed to branch: master
Review: https://review.opendev.org/655332

Changed in os-vif:
status: New → In Progress
Changed in os-vif:
importance: Undecided → High
tags: added: backport-required
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-vif (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/655678

OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-vif (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/655692

OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-vif (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/655694

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-vif (master)

Reviewed: https://review.opendev.org/655332
Committed: https://git.openstack.org/cgit/openstack/os-vif/commit/?id=9ad9b8483913a38345133120b04c4677fab9cb68
Submitter: Zuul
Branch: master

commit 9ad9b8483913a38345133120b04c4677fab9cb68
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Apr 24 07:09:21 2019 +0000

    Prevent "qbr" Linux Bridge from replying to ARP messages

    The Linux Bridge in between the VM TAP interface and OVS should [1][2]:
    - Reply only if the target IP address is local address configured
      on the incoming interface.
    - Always use the best local address.

    [1]http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP
    [2]http://linux-ip.net/html/ether-arp.html#ether-arp-flux

    Change-Id: I8721b680bbd9f59a67bd8e6855ffb291c208cdb8
    Closes-Bug: #1825888
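
A host-side check for the two behaviours listed in the commit message above, as an added example (not os-vif code and not part of the original report). It assumes those behaviours correspond to arp_ignore=1 and arp_announce=2, the values the kernel's ip-sysctl documentation describes with the same wording; the page itself does not show the numbers. The names audit_qbr and WANTED are hypothetical.

```python
import os

# Values matching the two behaviours in the commit message, per the kernel's
# ip-sysctl documentation (assumption: the page does not show the numbers).
WANTED = {"arp_ignore": 1, "arp_announce": 2}


def _read(conf_root, iface, key):
    """Return the integer sysctl value, or 0 (the kernel default) if unreadable."""
    try:
        with open(os.path.join(conf_root, iface, key)) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 0


def audit_qbr(conf_root="/proc/sys/net/ipv4/conf", prefix="qbr"):
    """Map each hybrid bridge to the settings whose effective value differs.

    The kernel applies max(conf/all, conf/<iface>) for both settings, so a
    bridge left at 0 can still be covered by a host-wide value.
    """
    findings = {}
    for iface in sorted(os.listdir(conf_root)):
        if not iface.startswith(prefix):
            continue
        bad = {}
        for key, wanted in WANTED.items():
            effective = max(_read(conf_root, "all", key),
                            _read(conf_root, iface, key))
            if effective != wanted:
                bad[key] = effective
        if bad:
            findings[iface] = bad
    return findings


if __name__ == "__main__":
    # On a compute host: list every qbr bridge that can still answer ARP
    # for an address owned by another interface (e.g. the management one).
    for iface, bad in audit_qbr().items():
        print(iface, bad)
```

An empty result means every "qbr" bridge on the host has the expected effective values; bridges created before the fixed os-vif release was installed are the ones most likely to be reported.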

Changed in os-vif:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-vif (stable/stein)

Reviewed: https://review.opendev.org/655678
Committed: https://git.openstack.org/cgit/openstack/os-vif/commit/?id=c42e7641f00905ff2dd68096d733929bf84756b5
Submitter: Zuul
Branch: stable/stein

commit c42e7641f00905ff2dd68096d733929bf84756b5
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Apr 24 07:09:21 2019 +0000

    Prevent "qbr" Linux Bridge from replying to ARP messages

    The Linux Bridge in between the VM TAP interface and OVS should [1][2]:
    - Reply only if the target IP address is local address configured
      on the incoming interface.
    - Always use the best local address.

    [1]http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP
    [2]http://linux-ip.net/html/ether-arp.html#ether-arp-flux

    Change-Id: I8721b680bbd9f59a67bd8e6855ffb291c208cdb8
    Closes-Bug: #1825888
    (cherry picked from commit 9ad9b8483913a38345133120b04c4677fab9cb68)

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-vif (stable/rocky)

Reviewed: https://review.opendev.org/655692
Committed: https://git.openstack.org/cgit/openstack/os-vif/commit/?id=ca9963c2944ebfd93757471f99e9185bf34f61d4
Submitter: Zuul
Branch: stable/rocky

commit ca9963c2944ebfd93757471f99e9185bf34f61d4
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Apr 24 07:09:21 2019 +0000

    Prevent "qbr" Linux Bridge from replying to ARP messages

    The Linux Bridge in between the VM TAP interface and OVS should [1][2]:
    - Reply only if the target IP address is local address configured
      on the incoming interface.
    - Always use the best local address.

    Conflicts:
          vif_plug_linux_bridge/linux_net.py
          vif_plug_linux_bridge/tests/unit/test_linux_net.py
          vif_plug_ovs/linux_net.py
          vif_plug_ovs/tests/unit/test_linux_net.py

    [1]http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP
    [2]http://linux-ip.net/html/ether-arp.html#ether-arp-flux

    Change-Id: I8721b680bbd9f59a67bd8e6855ffb291c208cdb8
    Closes-Bug: #1825888
    (cherry picked from commit 9ad9b8483913a38345133120b04c4677fab9cb68)
    (cherry picked from commit c42e7641f00905ff2dd68096d733929bf84756b5)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/os-vif 1.16.0

This issue was fixed in the openstack/os-vif 1.16.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-vif (stable/queens)

Reviewed: https://review.opendev.org/655694
Committed: https://git.openstack.org/cgit/openstack/os-vif/commit/?id=7b84b527ec84f7649df8f20d743b1f7ea9e8e113
Submitter: Zuul
Branch: stable/queens

commit 7b84b527ec84f7649df8f20d743b1f7ea9e8e113
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Apr 24 07:09:21 2019 +0000

    Prevent "qbr" Linux Bridge from replying to ARP messages

    The Linux Bridge in between the VM TAP interface and OVS should [1][2]:
    - Reply only if the target IP address is local address configured
      on the incoming interface.
    - Always use the best local address.

    [1]http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP
    [2]http://linux-ip.net/html/ether-arp.html#ether-arp-flux

    Change-Id: I8721b680bbd9f59a67bd8e6855ffb291c208cdb8
    Closes-Bug: #1825888
    (cherry picked from commit 9ad9b8483913a38345133120b04c4677fab9cb68)
    (cherry picked from commit c42e7641f00905ff2dd68096d733929bf84756b5)
    (cherry picked from commit ca9963c2944ebfd93757471f99e9185bf34f61d4)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/os-vif 1.15.2

This issue was fixed in the openstack/os-vif 1.15.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/os-vif 1.9.2

This issue was fixed in the openstack/os-vif 1.9.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/os-vif 1.11.2

This issue was fixed in the openstack/os-vif 1.11.2 release.
