neutron

[OVS][FW] Multicast non-IGMP traffic is allowed by default, not in iptables FW

Bug #1889631 reported by Rodolfo Alonso on 2020-07-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Won't Fix	Undecided	Rodolfo Alonso

Bug Description

In iptables firewall, the multicast traffic (non-IGMP) fro 224.0.0.X traffic was blocked. For example, VRRP traffic (https://en.wikipedia.org/wiki/Virtual_Router_Redundancy_Protocol) was blocked until a rule was added to allow it.

In OVS native firewall implementation, this traffic is allowed by default because:
- The OVS FW does not block it.
- OVS follows the recommendations provided in https://tools.ietf.org/html/rfc4541, chapter 2.1.2, section (2):

"Packets with a destination IP (DIP) address in the 224.0.0.X range
which are not IGMP must be forwarded on all ports.

      This recommendation is based on the fact that many host systems do
      not send Join IP multicast addresses in this range before sending
      or listening to IP multicast packets. Furthermore, since the
      224.0.0.X address range is defined as link-local (not to be
      routed), it seems unnecessary to keep the state for each address
      in this range. Additionally, some routers operate in the
      224.0.0.X address range without issuing IGMP Joins, and these
      applications would break if the switch were to prune them due to
      not having seen a Join Group message from the router."

That means this traffic, belonging to a link-local IP address, in the range 224.0.0.x, should be always forwarded to all ports.

Deployments migrating from iptables FW to OVS FW won't have this traffic blocked by default; this is a behavior change between both.

Should we implicitly block this traffic when using OVS FW?

Revision history for this message

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote on 2020-08-05:

Mail sent to collect more info/feedback on how to solve this issue: http://lists.openstack.org/pipermail/openstack-discuss/2020-August/016294.html

Changed in neutron:
assignee:	nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-08-28: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/748719

Changed in neutron:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-10-11: Fix merged to neutron (master)

Reviewed: https://review.opendev.org/748719
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b8be1a05facff2ba8b484902494ce1663e0aae7c
Submitter: Zuul
Branch: master

commit b8be1a05facff2ba8b484902494ce1663e0aae7c
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Sep 1 16:55:01 2020 +0000

Process ingress multicast traffic for 224.0.0.X separately

    By default, if any multicast traffic sent to 224.0.0.X is allowed
    in the OVS firewall (that means there is a specific egress rule),
    this traffic is sent, in table 73 (ACCEPT_OR_INGRESS_TABLE), to
    a rule with action NORMAL.

    As commented in the related bug, https://tools.ietf.org/html/rfc4541,
    chapter 2.1.2, section (2):
      "Packets with a destination IP (DIP) address in the 224.0.0.X range
       which are not IGMP must be forwarded on all ports."

    That means those packets will be forwarded to all ports regardless of
    any ingress rule. This patch process this traffic separately, sending
    those packets to table 102 (MCAST_RULES_INGRESS_TABLE). In this table
    the ingress rules that have a defined protocol, will have an Open Flow
    rule to output the traffic directly to those ports associated to this
    rule.

    For example, in the problem reported in the related bug, the VRRP
    protocol (112), will be sent only to those ports that have this
    ingress rule.

Change-Id: Ie271de144f78e364d938731ec9f5297e1a9d73f9
Closes-Bug: #1889631

Changed in neutron:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-10-26: Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/759679

Revision history for this message

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote on 2020-10-26:

Hello:

Please refer to https://review.opendev.org/#/c/759679/1/doc/source/admin/config-ovsfwdriver.rst.

IPTables FW and OVS FW have some differences, reported in this table.

Regards.

Changed in neutron:
status:	Fix Released → Won't Fix

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-11-09: Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/759679
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d842d0dbf0e1870595eb9d1bf168691832cec1aa
Submitter: Zuul
Branch: master

commit d842d0dbf0e1870595eb9d1bf168691832cec1aa
Author: Slawek Kaplonski <email address hidden>
Date: Mon Oct 26 13:52:31 2020 +0100

[Docs] Add info about how multicast is treated by fw drivers

    This patch adds info about how multicast traffic is treated by
    openvswitch and iptables based firewall drivers.
    Patch [1] was trying to fix behaviour of OVS based driver to make
    it similar to how iptables drivers works but it introduced bug [2]
    which we wasn't able to fix without basically disabling what [1] did
    for some ports on the compute nodes.
    So based on that we decided to revert [1] - it is done in [3] and to
    document different behaviour between those 2 firewall drivers which is
    done by this patch.

    [1] https://review.opendev.org/#/c/748719/
    [2] https://bugs.launchpad.net/neutron/+bug/1899967
    [3] https://review.opendev.org/#/c/759555/

    Change-Id: If8a56579c62f58befdc57f5916a5763e9fb99531
    Related-Bug: #1899967
    Related-Bug: #1889631

Bernard Cafarelli (bcafarel) on 2020-11-27

tags:

added: neutron-proactive-backport-potential

Slawek Kaplonski (slaweq) on 2020-12-04

tags:

removed: neutron-proactive-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-03-26: Fix included in openstack/neutron 18.0.0.0rc1

This issue was fixed in the openstack/neutron 18.0.0.0rc1 release candidate.