Gateway_less_Fwd: ACL should have rule to deny traffic to ip-fabric

Bug #1724891 reported by Nischal Sheth
Affects              Status                    Importance   Assigned to           Milestone
Juniper Openstack    Status tracked in Trunk
  R4.1               Fix Committed             High         Sivakumar Ganapathy
  Trunk              Fix Committed             High         Nagendra Prasath

Bug Description

Consider a VN vn1 that uses ip-fabric as its provider network. The agent
adds a default route to both VRFs so that they can use it to reach
destinations outside the IPAM of ip-fabric. This unintentionally allows
communication between endpoints in vn1 and ip-fabric even when there is
no network policy that explicitly allows it.

The suggested fix is for the schema transformer to always add a rule at
the end of the network ACL that denies traffic to ip-fabric. This should
be done for every VN that uses ip-fabric as its provider. The ACL needs
to be generated and the rule added even when no network policies are
associated with the VN. Note that this rule will not be matched if the
user explicitly adds a policy that allows communication between vn1 and
ip-fabric, since that policy's rules precede it in the ACL.

Conversely, the schema transformer also needs to add a rule at the end
of the network ACL of ip-fabric to deny traffic from any VN. Note that
this rule will not be matched if the user explicitly adds a policy that
allows communication between ip-fabric and specific VNs.

Tags: config
Nischal Sheth (nsheth)
description: updated
Sachin Bansal (sbansal) wrote :

The following changes are required to fix this issue:

1. We will add a new property called 'provider-network' to virtual-network object in schema. For now, it will be a read-only property that will be internally set to True only for ip-fabric network. In dbe_resync, we will change it to True for ip-fabric for upgrade case.

2. In schema transformer, for any network with this property set to True, we will generate an ACL rule to allow local<>any, deny as the last rule instead of the default-allow rule that we add today. One implication of this change is that, ip-fabric (or any other provider network in future) cannot be connected to a logical router.

3. For any network that is using a provider network, we will add an ACL rule before the default-allow rule to deny traffic between that network and the provider network: E.g. local<> ip-fabric, deny.

4. When a link is being added between two networks to set a provider-network, we will add a check in the API server to make sure that exactly one of those networks has provider-network set to True.
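The ACL ordering described in the bug and in the comment above, as an added illustration that is not Contrail's schema transformer code: a small first-match ACL model in which user policy rules come first, a consumer VN gets a deny towards its provider before the default-allow rule, and the provider network ends with local<>any deny; it also models the API-server check from item 4. The class and function names, and the sample networks vn1 and ip-fabric, are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (endpoint_a, endpoint_b, action); "<>" rules are bidirectional (assumed model)
Rule = Tuple[str, str, str]


@dataclass
class VirtualNetwork:
    name: str
    provider_network: bool = False          # True only for ip-fabric
    provider: Optional[str] = None          # name of the provider VN this VN uses
    policies: List[Rule] = field(default_factory=list)  # rules from attached policies


def build_acl(vn: VirtualNetwork) -> List[Rule]:
    """Ordered ACL as described in the fix; the first matching rule wins."""
    rules = list(vn.policies)                      # user policies come first
    if vn.provider_network:
        # Provider network: local<>any deny as the last rule instead of default-allow.
        rules.append((vn.name, "any", "deny"))
    else:
        if vn.provider:
            # Consumer VN: local<>provider deny placed before the default-allow rule.
            rules.append((vn.name, vn.provider, "deny"))
        rules.append((vn.name, "any", "pass"))     # the default-allow rule
    return rules


def lookup(rules: List[Rule], src: str, dst: str) -> str:
    """First-match evaluation with bidirectional rules; implicit deny on no match."""
    def hit(a: str, b: str) -> bool:
        return a in (src, "any") and b in (dst, "any")
    for a, b, action in rules:
        if hit(a, b) or hit(b, a):
            return action
    return "deny"


def provider_link_allowed(a: VirtualNetwork, b: VirtualNetwork) -> bool:
    """API-server check from item 4: exactly one endpoint must be a provider network."""
    return a.provider_network != b.provider_network


if __name__ == "__main__":
    fabric = VirtualNetwork("ip-fabric", provider_network=True)   # constructed sample
    vn1 = VirtualNetwork("vn1", provider="ip-fabric")              # constructed sample
    print(build_acl(vn1))                                          # deny to provider, then pass
    print(lookup(build_acl(vn1), "vn1", "ip-fabric"))              # deny
```

Attaching a policy with a `("vn1", "ip-fabric", "pass")` rule to vn1 makes `lookup` return `pass`, which is the behaviour the bug description notes for an explicit allow policy.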

Nischal Sheth (nsheth)
description: updated
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/37345
Submitter: Nagendra Prasath (<email address hidden>)

Nischal Sheth (nsheth)
information type: Proprietary → Public
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/37345
Committed: http://github.com/Juniper/contrail-controller/commit/8e263acf7898099d0df1f9b902224a297df3f1c4
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 8e263acf7898099d0df1f9b902224a297df3f1c4
Author: Nagendra Maynattamai <email address hidden>
Date: Wed Nov 8 23:04:30 2017 -0800

Gateway_less_Fwd: ACL should have rule to deny traffic to ip-fabric
Closes-Bug: 1724891

Change-Id: I8025cfee261474582c1d12d362d80f98dbfa5801

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/37775
Submitter: Nagendra Prasath (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/37775
Committed: http://github.com/Juniper/contrail-controller/commit/f65e6c09652331f9c72fa18aa8957d839d49f02c
Submitter: Zuul (<email address hidden>)
Branch: master

commit f65e6c09652331f9c72fa18aa8957d839d49f02c
Author: Nagendra Maynattamai <email address hidden>
Date: Wed Nov 8 23:04:30 2017 -0800

Gateway_less_Fwd: ACL should have rule to deny traffic to ip-fabric
Closes-Bug: 1724891

Change-Id: I8025cfee261474582c1d12d362d80f98dbfa5801
(cherry picked from commit 8e263acf7898099d0df1f9b902224a297df3f1c4)

Nischal Sheth (nsheth) wrote :

Also see bug 1741311.

Ankit Jain (ankitja) wrote :

Reopening the bug as I'm hitting it in R4.1 build 15.

The issue I'm hitting is this https://bugs.launchpad.net/juniperopenstack/+bug/1716837

The same is seen in R5.0 as well.
