GBP default security group allows outbound access to the Internet
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Group Based Policy | Fix Released | High | Ivar Lazzaro | |
Bug Description
A default security group gbp_<uuid of group> is created that enables access as follows:

```
neutron security-group-show gbp_b7f86b91-
+------
| Field | Value |
+------
| description | default |
| id | 11bb48b8-
| name | gbp_b7f86b91-
| security_
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "11.0.0.0/26", "protocol": null, "tenant_id": "7b5ea150741946
| | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": null, "protocol": null, "tenant_id": "7b5ea150741946
| tenant_id | 7b5ea150741946a
```
Because of the conntrack support in the iptables rules that are rendered on qbr, the above rules translate to enabling ingress traffic for the RELATED/ESTABLISHED states.
Thus, even without specifying an external policy as a consumer, ssh connections from the VM to the external world are allowed, and ping to an external IP is successful as well.
This bug can be reproduced as follows:
1. Create a group and launch a member.
2. Assign a floating IP to the VM.
3. Log in to the VM and try to ssh or ping to an external IP.
4. ssh/ping is successful even though an external policy isn't consumed, nor does the group have a provided PRS.
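The behaviour reported above can be checked offline with a small model of how Neutron evaluates security-group rules under conntrack: a VM-initiated connection only needs a matching egress rule, because the reply packets are RELATED/ESTABLISHED and are accepted without consulting ingress rules. The script below is an added example written for this page, not code from the Group Based Policy project or from the bug reporter. The rule list is constructed from the two rules shown in the `neutron security-group-show` output (ids and tenant_id omitted), and the helper names (`rule_matches`, `connection_allowed`, `unrestricted_egress`, `restrict_egress`) are hypothetical; narrowing the wildcard egress rule to the group's own subnet is shown only as an illustration of a tighter default, not as the fix that was actually merged.

```python
import ipaddress
from typing import Dict, List, Optional

Rule = Dict[str, Optional[str]]

# Constructed from the bug report: the GBP default group carries one
# ingress rule limited to the group subnet and one egress rule with no
# remote prefix and no protocol, i.e. "anything, anywhere".
GBP_DEFAULT_RULES: List[Rule] = [
    {"direction": "ingress", "remote_ip_prefix": "11.0.0.0/26",
     "protocol": None, "remote_group_id": None},
    {"direction": "egress", "remote_ip_prefix": None,
     "protocol": None, "remote_group_id": None},
]


def rule_matches(rule: Rule, direction: str, remote_ip: str, protocol: str) -> bool:
    """Neutron semantics: a null field is a wildcard."""
    if rule["direction"] != direction:
        return False
    if rule.get("remote_group_id") is not None:
        # Remote-group membership is not modelled here (hypothetical
        # simplification); such rules are treated as non-matching.
        return False
    prefix = rule.get("remote_ip_prefix")
    if prefix is not None:
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(prefix, strict=False):
            return False
    proto = rule.get("protocol")
    if proto is not None and proto != protocol:
        return False
    return True


def connection_allowed(rules: List[Rule], initiated_by_vm: bool,
                       remote_ip: str, protocol: str) -> bool:
    """Is a NEW connection to/from remote_ip permitted?

    VM-initiated: only the egress leg is filtered; replies come back as
    RELATED/ESTABLISHED and pass the conntrack accept rule on the qbr
    bridge regardless of ingress rules. Remote-initiated: the first
    packet is NEW in the ingress direction, so an ingress rule must match.
    """
    direction = "egress" if initiated_by_vm else "ingress"
    return any(rule_matches(r, direction, remote_ip, protocol) for r in rules)


def unrestricted_egress(rules: List[Rule]) -> List[Rule]:
    """Audit helper: egress rules with neither a prefix nor a remote group."""
    return [r for r in rules
            if r["direction"] == "egress"
            and r.get("remote_ip_prefix") is None
            and r.get("remote_group_id") is None]


def restrict_egress(rules: List[Rule], allowed_prefix: str) -> List[Rule]:
    """Return a copy where wildcard egress is narrowed to allowed_prefix.

    Illustrative tightening only; it is not the project's merged fix.
    """
    fixed = []
    for r in rules:
        if r in unrestricted_egress(rules):
            r = dict(r, remote_ip_prefix=allowed_prefix)
        fixed.append(r)
    return fixed


if __name__ == "__main__":
    external = "203.0.113.10"  # constructed external address (TEST-NET-3)
    print("VM -> Internet (default rules):",
          connection_allowed(GBP_DEFAULT_RULES, True, external, "tcp"))
    print("Internet -> VM (default rules):",
          connection_allowed(GBP_DEFAULT_RULES, False, external, "tcp"))
    tightened = restrict_egress(GBP_DEFAULT_RULES, "11.0.0.0/26")
    print("VM -> Internet (tightened):",
          connection_allowed(tightened, True, external, "tcp"))
```

Run as-is it reports that the default rules let the VM open outbound SSH to the external address while still blocking inbound connections from it, which is exactly the asymmetry the reporter observed; `unrestricted_egress` is the check to run over any default group an orchestrator creates on a tenant's behalf.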
information type: Private Security → Public

summary: "GBP default security group allows inbound access to on any ports from the Internet" → "GBP default security group allows inbound access to ports from the Internet"

summary: "GBP default security group allows inbound access to ports from the Internet" → "GBP default security group allows outbound access to the Internet"

Changed in group-based-policy:
    status: New → Triaged
    assignee: nobody → Ivar Lazzaro (mmaleckk)

Changed in group-based-policy:
    importance: Undecided → High
    milestone: none → kilo-gbp-4

Changed in group-based-policy:
    status: Fix Committed → Fix Released

Changed in group-based-policy:
    status: Fix Released → New
Fix proposed to branch: master
Review: https://review.openstack.org/207250