Remote security groups don't allow traffic from floating IPs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Expired | Undecided | Unassigned |
Bug Description
Description
-----------
When a floating IP is attached to a VM, traffic destined for other nodes appears as coming from the floating IP rather than the fixed IP. However, the ipsets created for remote security group rules do not include the floating IP address meaning it is blocked.
Preconditions
-------------
- DVR is enabled
Reproduction steps
------------------
- Create a security group which allows traffic from other members of this security group
- Create two VMs with the aforementioned SG attached
- Ensure traffic from the two VMs can reach each other
- Create a floating IP and attach it to one of the VMs
Expected output
---------------
Traffic from the VM with the FIP attached can reach the other VM
Actual output
-------------
Traffic from the VM with the FIP attached cannot reach the other VM
Version
-------
OpenStack Zed
tags: added: l3-dvr-backlog
Changed in neutron: status: New → Incomplete
It looks like the code that determines what is in the ipset is https://opendev.org/openstack/neutron/src/commit/208421910d2bb3c71b0947254d5eca1326c184d0/neutron/api/rpc/handlers/securitygroups_rpc.py#L379 (or this is at least one of the functions that does this).
The first option we considered was updating the _select_ips_for_remote_group function (linked above) to include any floating IP addresses that are associated with the fixed IPs. However, this might not work very well as there's no update triggered for the fixed IP port when a floating IP is attached. This means that the _select_ips_for_remote_group function won't run immediately and so it won't add the floating IP address until a separate update is triggered for the fixed IP port as a result of some other action elsewhere.
Another option we considered leveraged allowed_address_pairs. The _select_ips_for_remote_group function checks the allowed_address_pairs on the fixed IP port and adds any IPs listed to the ipset. One thing we've tested locally is automatically adding the floating IP address to the allowed_address_pairs in https://opendev.org/openstack/neutron/src/commit/208421910d2bb3c71b0947254d5eca1326c184d0/neutron/db/l3_db.py#L1612 and this seems to work well.
If this sounds suitable then please let me know and I can put together a PR for that.
EDIT: Technically, this may not be a bug as enabling port security on the port associated with the FIP and adding the relevant security groups does mean that the FIP is added to the ipset list. However, this doesn't seem ideal as:
- The methods used to attach FIPs (e.g. Horizon, OpenStack CLI) don't enable port security on the FIP nor do they attach the security groups used by the fixed IP port
- Enabling port security and attaching security groups to the FIP's port seems like unnecessary overhead
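The following is an added example, not Neutron's code or the reporter's: a simplified Python model of how the remote-security-group ipset is assembled (a hypothetical stand-in for _select_ips_for_remote_group) that shows why a DVR-SNATed floating IP source is blocked and how each of the two routes described above, the port-security workaround and the allowed_address_pairs change, gets the FIP into the ipset. The Port class, the rule that a port without port security carries no security groups, and all addresses are constructed assumptions.

```python
"""Simplified model of Neutron's remote-group ipset selection (hypothetical,
not the project's code). Sample ports and addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    fixed_ips: list[str]
    port_security_enabled: bool = True
    security_groups: list[str] = field(default_factory=list)
    allowed_address_pairs: list[str] = field(default_factory=list)


def remote_group_ipset(ports: list[Port], sg_id: str) -> set[str]:
    """Addresses placed in the ipset for remote group sg_id: the fixed IPs and
    allowed_address_pairs of every port bound to that group. A port without
    port security cannot be bound to a security group, so it adds nothing."""
    members: set[str] = set()
    for p in ports:
        if p.port_security_enabled and sg_id in p.security_groups:
            members.update(p.fixed_ips)
            members.update(p.allowed_address_pairs)
    return members


SG = "sg-intra"
FIP = "203.0.113.10"  # constructed floating IP, attached to vm1
vm1 = Port("vm1", ["10.0.0.5"], security_groups=[SG])
vm2 = Port("vm2", ["10.0.0.6"], security_groups=[SG])
# The FIP's own port sits on the external network; Horizon and the CLI create
# it without port security or security groups (the situation in the report).
fip_port = Port("fip-port", [FIP], port_security_enabled=False)


def reported_bug() -> bool:
    """With DVR, vm1's traffic arrives from FIP, which the ipset lacks."""
    return FIP not in remote_group_ipset([vm1, vm2, fip_port], SG)


def workaround_port_security() -> bool:
    """EDIT above: enable port security on the FIP port and bind the SG to it."""
    secured = Port("fip-port", [FIP], port_security_enabled=True,
                   security_groups=[SG])
    return FIP in remote_group_ipset([vm1, vm2, secured], SG)


def proposed_allowed_address_pairs() -> bool:
    """Proposed fix: l3_db adds the FIP to the fixed port's allowed_address_pairs."""
    patched = Port("vm1", ["10.0.0.5"], security_groups=[SG],
                   allowed_address_pairs=[FIP])
    return FIP in remote_group_ipset([patched, vm2, fip_port], SG)
```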