networking-ovn

security group function not work on active traffic session

Bug #1536080 reported by Xiao Li Xu
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
networking-ovn
Fix Released
High
Russell Bryant

Bug Description

Setup info: Liberty with networking-ovn.

Steps :
[1] Create tenant.
[2] Create network, boot 8 instances on that network ,
[3] Configure Security group rules to allow all ICMP, all TCP and all UDP traffic
[4] Associate FIP
Ping to FIP from your laptop , make sure ping is going through
[5] Now modify security group rule - remove all ICMP rule from the security group
Ideally ping should time out, but I could able to ping to the FIP
Tried to ping other instances which doesn't have active ping running, ping was timing out for all the other FIPs

Tags: ovn-upstream
Revision history for this message
Russell Bryant (russellb) wrote :

Indeed, we currently do nothing to conntrack state when security groups get changed. Existing connections that were allowed when they were established will remain.

Changed in networking-ovn:
status: New → Confirmed
Kyle Mestery (mestery)
Changed in networking-ovn:
importance: Undecided → High
Ramu Ramamurthy (ramu-ramamurthy)
Changed in networking-ovn:
assignee: nobody → Ramu Ramamurthy (ramu-ramamurthy)
Revision history for this message
Ramu Ramamurthy (ramu-ramamurthy) wrote :

sort of similar to this one (non-ovn) wherein conntrack entries needed to be forced out from user-space using conntrack-tools

https://bugs.launchpad.net/neutron/+bug/1335375

Changed in networking-ovn:
assignee: Ramu Ramamurthy (ramu-ramamurthy) → nobody
Russell Bryant (russellb)
tags: added: ovn-upstream
Ramu Ramamurthy (ramu-ramamurthy)
Changed in networking-ovn:
assignee: nobody → Ramu Ramamurthy (ramu-ramamurthy)
Revision history for this message
Ramu Ramamurthy (ramu-ramamurthy) wrote :

THe problem reproduces as below..

Initially a ping session was started with a VM from the dhcp namespace.
The relevant OVN acl shows as:
from-lport 1002 (inport == "da8bd41a-5809-4036-8a12-af6d4140685c" && ip4) allow-related
to-lport 1002 (outport == "da8bd41a-5809-4036-8a12-af6d4140685c" && ip4 && icmp4) allow-related

Conntrack on that connection shows:
[stack@ovncontroller-01 devstack]$ sudo conntrack -L | grep 10.0.0.4
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=1 use=1

Now the ICMP security group rule is deleted
[stack@ovncontroller-01 devstack]$ neutron security-group-rule-delete e3a3888b-e0c8-4af9-88a0-17f1c617a4ff

Conntrack still shows the connection and ping is still ongoing to the VM
[stack@ovncontroller-01 devstack]$ sudo conntrack -L | grep 10.0.0.4
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=1 use=1

Now we delete the conntrack state as below:
[stack@ovncontroller-01 devstack]$ sudo conntrack -D -p icmp -s 10.0.0.2 -d 10.0.0.4
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=1 use=1
conntrack v1.4.2 (conntrack-tools): 2 flow entries have been deleted.

Then the ping to the VM stops.

Revision history for this message
Russell Bryant (russellb) wrote :

Ramu, you mentioned that you're working on this. What approach are you taking? I had some ideas but wanted to check on what you're doing to see if it was the same approach or not ...

Revision history for this message
Ramu Ramamurthy (ramu-ramamurthy) wrote :

Russell, It will take me some time (I would think a week) to propose an approach, as I need to first understand the code in the ovn-controller. But I see this bug (and the other related one on conntrack) as a good opportunity to bootstrap. If you have a fix in the works, please take it as I can start on another bug.

Revision history for this message
Russell Bryant (russellb) wrote :

I don't have a fix. If I come up with a proposal, I'll update this bug.

Revision history for this message
Russell Bryant (russellb) wrote :

I started a thread on the ovs dev mailing list to discuss this issue: http://openvswitch.org/pipermail/dev/2016-February/065429.html

Ramu Ramamurthy (ramu-ramamurthy)
Changed in networking-ovn:
assignee: Ramu Ramamurthy (ramu-ramamurthy) → nobody
Russell Bryant (russellb)
Changed in networking-ovn:
assignee: nobody → Russell Bryant (russellb)
status: Confirmed → In Progress
Revision history for this message
Russell Bryant (russellb) wrote :

I have a patch for this that is working in my simple testing. If anyone else is interested in helping test it, it's in this branch:

https://github.com/russellb/ovs/commits/acls

I still need to update the patch with a real commit message and documentation updates, but I think the code is pretty much ready.

Revision history for this message
Russell Bryant (russellb) wrote :

I posted a patch series for this on the ovs-dev list: http://openvswitch.org/pipermail/dev/2016-March/067093.html

Revision history for this message
Kyle Mestery (mestery) wrote :

Patches still under review in OVS:

https://patchwork.ozlabs.org/patch/637301/

Revision history for this message
Russell Bryant (russellb) wrote :

This should now resolved as of this commit:

https://github.com/openvswitch/ovs/commit/cc58e1f2cc414b844c36d21a9a39e4f3383e75e4

Changed in networking-ovn:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.