Rule to prevent SNAT for router's internal traffic is wrong

Bug #1834825 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Slawek Kaplonski
Milestone:

Bug Description

The rule created in the router's namespace at https://github.com/openstack/neutron/blob/master/neutron/agent/l3/router_info.py#L884 tries to match on both the input and the output interface.
However, netfilter postrouting hooks don't provide the input interface. This is not new and is common to both iptables and nftables. The difference is how the match behaves in this situation: with iptables, the comparison simply happens against an empty string. With nftables though, rule processing aborts due to no data to compare against - the rule doesn't match. The inverted match exposes the difference: for iptables, the result is always true, while for nftables it is always false.

That causes a problem with the nftables-based implementation, which is used e.g. in RHEL8 now. The problem there is that internal traffic between 2 networks connected to the same router is always SNAT'ed, as this rule never matches any packet.

So the input interface check in the postrouting chain is not effective and never was - even with legacy iptables (e.g. in RHEL7) - and can simply be dropped from this rule.
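A small Python model of the match behaviour the description explains, added here as an example and not code from neutron: it assumes a rule of the shape `! -i GW ! -o GW -j ACCEPT` sitting ahead of a SNAT rule (the real rule carries further matches) and constructed interface names, and shows why the inverted input-interface match holds on iptables but never on nftables, and why dropping it gives the same ACCEPT on both.

```python
# Added example (not neutron's code): how an inverted input-interface match
# behaves in the POSTROUTING hook under the iptables and nftables backends.
# Interface names are constructed; the rule shape (! -i GW ! -o GW -j ACCEPT
# followed by a SNAT rule) is assumed from the bug report and commit message.
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPTABLES, NFTABLES = "iptables", "nftables"

@dataclass(frozen=True)
class Packet:
    iif: Optional[str]  # always None here: POSTROUTING hooks don't provide it
    oif: str

@dataclass(frozen=True)
class Match:
    key: str            # "iif" or "oif"
    value: str
    invert: bool = False

def match_holds(m: Match, pkt: Packet, backend: str) -> bool:
    actual = getattr(pkt, m.key)
    if actual is None:
        if backend == NFTABLES:
            return False  # no data to compare against: rule processing aborts
        actual = ""       # iptables compares against an empty string instead
    equal = actual == m.value
    return not equal if m.invert else equal

Rule = Tuple[List[Match], str]  # (matches, target)

def postrouting_target(chain: List[Rule], pkt: Packet, backend: str) -> str:
    """Target of the first rule whose matches all hold, or 'NONE'."""
    for matches, target in chain:
        if all(match_holds(m, pkt, backend) for m in matches):
            return target
    return "NONE"

GW = "qg-gateway0"  # constructed name for the router's external gateway port

def prevent_snat_chain(match_iif: bool) -> List[Rule]:
    matches = [Match("oif", GW, invert=True)]             # ! -o GW
    if match_iif:
        matches.insert(0, Match("iif", GW, invert=True))  # ! -i GW (the bug)
    return [(matches, "ACCEPT"), ([], "SNAT")]  # catch-all SNAT is constructed

# East-west traffic between two networks on the router: leaves via a qr- port.
INTERNAL = Packet(iif=None, oif="qr-net-b")
```

With the input-interface match present, `postrouting_target(prevent_snat_chain(True), INTERNAL, NFTABLES)` falls through to SNAT while the iptables backend returns ACCEPT; without it both backends return ACCEPT, and a packet leaving via `GW` is still SNAT'ed.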

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/668378

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/668378
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dfa37b2233b2dbe6dd12ec5e2ee4f1f32a4be4ba
Submitter: Zuul
Branch: master

commit dfa37b2233b2dbe6dd12ec5e2ee4f1f32a4be4ba
Author: Slawek Kaplonski <email address hidden>
Date: Mon Jul 1 09:45:38 2019 +0200

    Don't match input interface in POSTROUTING table

    Netfilter postrouting hooks don't provide the input interface. That
    works fine in the iptables implementation, as the comparison simply
    happens against an empty string, but causes problems with nftables,
    which aborts rule processing due to no data to compare against, and
    the rule doesn't match.
    This is a problem in systems where nftables are used (e.g. RHEL 8).

    This patch fixes this issue by removing input interface from
    POSTROUTING rule used to prevent SNAT for router's internal traffic.

    Change-Id: I79bb8054c113c77e7c96d64ec1408236d24b23b6
    Closes-Bug: #1834825

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/668686

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/668686
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ccf5b7ea0abeba5dcdc9ec4173dd7f89bc29f3bf
Submitter: Zuul
Branch: stable/stein

commit ccf5b7ea0abeba5dcdc9ec4173dd7f89bc29f3bf
Author: Slawek Kaplonski <email address hidden>
Date: Mon Jul 1 09:45:38 2019 +0200

    Don't match input interface in POSTROUTING table

    Netfilter postrouting hooks don't provide the input interface. That
    works fine in the iptables implementation, as the comparison simply
    happens against an empty string, but causes problems with nftables,
    which aborts rule processing due to no data to compare against, and
    the rule doesn't match.
    This is a problem in systems where nftables are used (e.g. RHEL 8).

    This patch fixes this issue by removing input interface from
    POSTROUTING rule used to prevent SNAT for router's internal traffic.

    Change-Id: I79bb8054c113c77e7c96d64ec1408236d24b23b6
    Closes-Bug: #1834825
    (cherry picked from commit dfa37b2233b2dbe6dd12ec5e2ee4f1f32a4be4ba)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 15.0.0.0b1

This issue was fixed in the openstack/neutron 15.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 14.0.3

This issue was fixed in the openstack/neutron 14.0.3 release.
