networking-ovn doesn't handle the port security flag of a port as expected

Bug #1770723 reported by Numan Siddique
Affects         Status         Importance   Assigned to      Milestone
networking-ovn  Fix Released   Medium       Numan Siddique

Bug Description

When a port's security groups are cleared and if the port has 'port_security' enabled, it is expected that all the traffic to/from the port is blocked. When a port's security groups are cleared, networking-ovn deletes all the ACLs for the port resulting in allowing all the traffic. Because of this, the tempest test - tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_port_security_disable_security_group is failing.

Changed in networking-ovn:
importance: Undecided → Medium
assignee: nobody → Numan Siddique (numansiddique)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-ovn (master)

Fix proposed to branch: master
Review: https://review.openstack.org/567928

Han Zhou (zhouhan) wrote :

Hi Numan, I am confused about why this fails suddenly. I see the tempest case hasn't been updated for a long time. Secondly, do you mean there is a security group but no rules? If there is no security group, I think the expected behavior should be allow all, as long as the IP/MAC matches port-security.

Han Zhou (zhouhan) wrote :

I take back my second question, since it is not even allowed to have a security group if port-security is not enabled. Checking the tempest case, it really suggests that when there are no security groups the expected behavior is to drop all traffic.

However, I don't understand why a user can't use the port-security feature (for anti-spoofing purposes) without enabling a security group. @Numan, do you know of any document explaining this?

OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (master)

Reviewed: https://review.openstack.org/567928
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=d97a670257fb67917e2b5da4c944b9e29a5d7855
Submitter: Zuul
Branch: master

commit d97a670257fb67917e2b5da4c944b9e29a5d7855
Author: Numan Siddique <email address hidden>
Date: Fri May 11 21:09:10 2018 +0530

    Handle port's 'port_security_enabled' flag when adding ACLs

    When a port's security groups are cleared and 'port_security_enabled'
    flag is True, it is expected that all the traffic to/from the port is dropped.
    But this is not the case. So this patch fixes this issue. 'port_security_enabled'
    flag is checked before adding the port's ACLs.

    So the new (and correct) behaviour with this patch is
     - No security groups and port security enabled -> Drop all the traffic
     - No security groups and port security disabled -> Allow all the traffic

    Change-Id: I5265da4c21e58672db9858555625c8e2c5350316
    Closes-bug: #1770723
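
The before/after behaviour this commit message describes, modelled as an added example (not networking-ovn's own code): OVN ACL rows are reduced to priority, direction, match and action, and the priorities, match strings and the $as_ip4_<sg> address-set name are assumptions for illustration only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    priority: int
    direction: str  # "from-lport" (leaving the VM) or "to-lport" (towards it)
    match: str
    action: str     # "drop" or "allow-related"


def drop_all_ip_traffic(port_id):
    # Assumed default-deny pair; priority and match strings are illustrative.
    return [
        Acl(1001, "from-lport", f'inport == "{port_id}" && ip', "drop"),
        Acl(1001, "to-lport", f'outport == "{port_id}" && ip', "drop"),
    ]


def allow_rules(port_id, security_groups):
    # Stand-in for the per-security-group allow ACLs that sit above the
    # default-deny pair ($as_ip4_<sg> is an assumed address-set name).
    return [Acl(1002, "to-lport",
                f'outport == "{port_id}" && ip4 && ip4.src == $as_ip4_{sg}',
                "allow-related") for sg in security_groups]


def acls_before_fix(port_id, security_groups, port_security_enabled):
    # Behaviour the report describes: clearing the security groups removes
    # every ACL for the port, so the default-deny pair disappears too.
    if not security_groups:
        return []
    return drop_all_ip_traffic(port_id) + allow_rules(port_id, security_groups)


def acls_after_fix(port_id, security_groups, port_security_enabled):
    # Fixed behaviour: the flag is checked before any ACL is added.
    # Port security disabled -> no ACLs (allow all);
    # enabled -> default-deny plus whatever the security groups permit.
    if not port_security_enabled:
        return []
    return drop_all_ip_traffic(port_id) + allow_rules(port_id, security_groups)


def effective_policy(acls):
    # Summarise what an ACL set does to the port's IP traffic.
    if not acls:
        return "allow-all"
    if all(acl.action == "drop" for acl in acls):
        return "drop-all"
    return "filtered"
```

Running the two generators on a port with port security enabled and no security groups reproduces the failing tempest expectation: the old code yields no ACLs (allow all), the fixed code yields only drop rules.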

Changed in networking-ovn:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-ovn (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/569787

OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (stable/queens)

Reviewed: https://review.openstack.org/569787
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=c4735b90e3f18f1078afd84d4c7ce5f1e6e38a2c
Submitter: Zuul
Branch: stable/queens

commit c4735b90e3f18f1078afd84d4c7ce5f1e6e38a2c
Author: Numan Siddique <email address hidden>
Date: Fri May 11 21:09:10 2018 +0530

    Handle port's 'port_security_enabled' flag when adding ACLs

    When a port's security groups are cleared and 'port_security_enabled'
    flag is True, it is expected that all the traffic to/from the port is dropped.
    But this is not the case. So this patch fixes this issue. 'port_security_enabled'
    flag is checked before adding the port's ACLs.

    So the new (and correct) behaviour with this patch is
     - No security groups and port security enabled -> Drop all the traffic
     - No security groups and port security disabled -> Allow all the traffic

    Change-Id: I5265da4c21e58672db9858555625c8e2c5350316
    Closes-bug: #1770723
    (cherry picked from commit d97a670257fb67917e2b5da4c944b9e29a5d7855)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 5.0.0.0b2

This issue was fixed in the openstack/networking-ovn 5.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 4.0.2

This issue was fixed in the openstack/networking-ovn 4.0.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 4.0.3

This issue was fixed in the openstack/networking-ovn 4.0.3 release.
