Security group with a UDP rule for port 100 denies traffic sent through port 100

Bug #1737647 reported by Deepika
Affects: networking-vpp | Status: Fix Released | Importance: Undecided | Assigned to: Naveen Joy | Milestone: (none)

Bug Description

[root@ml2vpp-ciscovic ~]# openstack server show 8e6da99d-82e2-48c6-8fc6-c11e3ba2f8f7
+--------------------------------------+----------------------------------------------------------+
| Field | Value |
+--------------------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig | AUTO |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | k07-compute-2 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | k07-compute-2 |
| OS-EXT-SRV-ATTR:instance_name | instance-0000012c |
| OS-EXT-STS:power_state | Running |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2017-12-08T22:41:57.000000 |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | vpp-tenant-v4-net1=10.10.1.5, 172.29.68.15 |
| config_drive | True |
| created | 2017-12-08T22:41:37Z |
| flavor | m1.large (4) |
| hostId | c7c6511cf2db8a4f0c066a84f90fffa116457f2ce7a447cfd78374fd |
| id | 8e6da99d-82e2-48c6-8fc6-c11e3ba2f8f7 |
| image | RHEL-guest-image (f842f562-c21d-4d12-8a27-217dbc0d017f) |
| key_name | vpp-import-key |
| name | vpp-tenant-db-sg-vm1 |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| project_id | 24112dea7ac34a05b298cc1a59c880a3 |
| properties | |
| security_groups | [{u'name': u'vpp-db-sg'}] |
| status | ACTIVE |
| updated | 2017-12-08T22:41:57Z |
| user_id | 8cb76ab5eba94983a58c644e89093d2b |
+--------------------------------------+----------------------------------------------------------+

[root@ml2vpp-ciscovic ~]# openstack security group show vpp-db-sg
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2017-12-08T22:16:36Z |
| description | |
| id | 371e32b9-9435-4591-82c4-ff2fc019632b |
| name | vpp-db-sg |
| project_id | 24112dea7ac34a05b298cc1a59c880a3 |
| project_id | 24112dea7ac34a05b298cc1a59c880a3 |
| revision_number | 6 |
| rules | created_at='2017-12-08T22:40:15Z', direction='ingress', ethertype='IPv4', id='6b2eda76-dce0-424f-9956-878df8166844', port_range_max='100', port_range_min='100', |
| | project_id='24112dea7ac34a05b298cc1a59c880a3', protocol='udp', remote_ip_prefix='0.0.0.0/0', revision_number='1', updated_at='2017-12-08T22:40:15Z' |
| | created_at='2017-12-08T22:17:30Z', direction='ingress', ethertype='IPv4', id='8e1a76d2-d074-47c2-bb15-2257f38beccb', port_range_max='22', port_range_min='22', |
| | project_id='24112dea7ac34a05b298cc1a59c880a3', protocol='tcp', remote_ip_prefix='0.0.0.0/0', revision_number='1', updated_at='2017-12-08T22:17:30Z' |
| | created_at='2017-12-08T23:15:27Z', direction='egress', ethertype='IPv4', id='9a225ddd-78e9-4006-9dda-dc5ab6bffe9d', project_id='24112dea7ac34a05b298cc1a59c880a3', remote_ip_prefix='0.0.0.0/0', |
| | revision_number='1', updated_at='2017-12-08T23:15:27Z' |
| updated_at | 2017-12-08T23:15:27Z |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@ml2vpp-ciscovic ~]#

The following are the outputs on the VPP:

vpp# sh acl acl
:
:
acl-index 10 count 1 tag {net-vpp.secgroup:371e32b9-9435-4591-82c4-ff2fc019632b.to-vpp}
     0: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
  applied inbound on sw_if_index: 8
  applied outbound on sw_if_index:
acl-index 11 count 2 tag {net-vpp.secgroup:371e32b9-9435-4591-82c4-ff2fc019632b.from-vpp}
     0: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 17 sport 0-65535 dport 100
     1: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 22
  applied inbound on sw_if_index:
  applied outbound on sw_if_index: 8

vpp# sh acl macip interface
  sw_if_index 0: -1
  sw_if_index 1: -1
  sw_if_index 2: -1
  sw_if_index 3: -1
  sw_if_index 4: -1
  sw_if_index 5: -1
  sw_if_index 6: -1
  sw_if_index 7: -1
  sw_if_index 8: 24
  sw_if_index 9: -1
  sw_if_index 10: -1
  sw_if_index 11: -1
vpp#

vpp# sh acl macip acl
:
:
MACIP acl_index: 24, count: 2 (true len 2) tag {} is free pool slot: 0
  ip4_table_index -1, ip6_table_index -1, l2_table_index 54
    rule 0: ipv4 action 1 ip 0.0.0.0/32 mac fa:16:3e:ec:cc:80 mask ff:ff:ff:ff:ff:ff
    rule 1: ipv4 action 1 ip 10.10.1.5/32 mac fa:16:3e:ec:cc:80 mask ff:ff:ff:ff:ff:ff

Here is the packet from the VPP trace:

Packet 1

22:36:07:735622: dpdk-input
  BondEthernet0 rx queue 1
  buffer 0x330b3a9a: current data 0, length 64, free-list 0, clone-count 0, totlen-nifb 0, trace 0x0
  PKT MBUF: port 1, nb_segs 1, pkt_len 64
    buf_len 2176, data_len 64, ol_flags 0x182, data_off 128, phys_addr 0xbdbe6580
    packet_type 0x196
    Packet Offload Flags
      PKT_RX_RSS_HASH (0x0002) RX packet with RSS hash result
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER_VLAN (0x0006) VLAN packet
      RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
      RTE_PTYPE_L4_TCP (0x0100) TCP packet
  IP4: fa:16:3e:cd:c0:5c -> fa:16:3e:ec:cc:80 802.1q vlan 2004
  TCP: 172.29.74.82 -> 10.10.1.5
    tos 0x00, ttl 52, length 40, checksum 0x94fe
    fragment id 0xf053
22:36:07:735669: ethernet-input
  IP4: fa:16:3e:cd:c0:5c -> fa:16:3e:ec:cc:80 802.1q vlan 2004
22:36:07:735688: l2-input
  l2-input: sw_if_index 7 dst fa:16:3e:ec:cc:80 src fa:16:3e:cd:c0:5c
22:36:07:735708: l2-input-vtr
  l2-input-vtr: sw_if_index 7 dst fa:16:3e:ec:cc:80 src fa:16:3e:cd:c0:5c data 08 00 45 00 00 28 f0 53 00 00 34 06
22:36:07:735711: l2-learn
  l2-learn: sw_if_index 7 dst fa:16:3e:ec:cc:80 src fa:16:3e:cd:c0:5c bd_index 1
22:36:07:735727: l2-fwd
  l2-fwd: sw_if_index 7 dst fa:16:3e:ec:cc:80 src fa:16:3e:cd:c0:5c bd_index 1
22:36:07:735728: l2-output
  l2-output: sw_if_index 8 dst fa:16:3e:ec:cc:80 src fa:16:3e:cd:c0:5c data 08 00 45 00 00 28 f0 53 00 00 34 06
22:36:07:735734: l2-output-classify
  l2-classify: sw_if_index 8, table 11, offset 0, next 1
22:36:07:735741: acl-plugin-out-ip4-l2
  acl-plugin: sw_if_index 8, next index 0, action: 0, match: acl -1 rule -1 trace_bits 00000000
  pkt info 0000000000000000 524a1dac00000000 0000000000000000 05010a0a00000000 000800060050f288 0510ffff00000008
22:36:07:735816: error-drop
  acl-plugin-out-ip4-l2: ACL deny packets

------------------- Start of thread 3 vpp_wk_2 -------------------

After this I added an "Ingress" rule with protocol "ANY", port "ANY" and Remote IP "0.0.0.0/0".

And this is what I see in the packet trace as the UDP ping goes through now:

------------------- Start of thread 3 vpp_wk_2 -------------------
Packet 1

00:35:14:488167: dpdk-input
  BondEthernet0 rx queue 2
  buffer 0x3306989b: current data 0, length 62, free-list 0, clone-count 0, totlen-nifb 0, trace 0x0
  PKT MBUF: port 1, nb_segs 1, pkt_len 62
    buf_len 2176, data_len 62, ol_flags 0x182, data_off 128, phys_addr 0xbc95e5c0
    packet_type 0x196
    Packet Offload Flags
      PKT_RX_RSS_HASH (0x0002) RX packet with RSS hash result
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER_VLAN (0x0006) VLAN packet
      RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
      RTE_PTYPE_L4_TCP (0x0100) TCP packet
  IP4: fa:16:3e:cd:c0:5c -> fa:16:3e:ec:cc:80 802.1q vlan 2004
  TCP: 172.29.74.82 -> 10.10.1.5
    tos 0x00, ttl 46, length 44, checksum 0x3ee2
    fragment id 0x4c6c
00:35:14:488209: ethernet-input
  IP4: fa:16:3e:cd:c0:5c -> fa:16:3e:ec:cc:80 802.1q vlan 2004
00:35:14:488221: l2-input
  l2-input: sw_if_index 7 dst fa:16:3e:ec:cc:80 src fa:16:3e:cd:c0:5c
00:35:14:488232: l2-input-vtr
  l2-input-vtr: sw_if_index 7 dst fa:16:3e:ec:cc:80 src fa:16:3e:cd:c0:5c data 08 00 45 00 00 2c 4c 6c 00 00 2e 06
00:35:14:488236: l2-learn
  l2-learn: sw_if_index 7 dst fa:16:3e:ec:cc:80 src fa:16:3e:cd:c0:5c bd_index 1
00:35:14:488240: l2-fwd
  l2-fwd: sw_if_index 7 dst fa:16:3e:ec:cc:80 src fa:16:3e:cd:c0:5c bd_index 1
00:35:14:488248: l2-flood
  l2-flood: sw_if_index 7 dst fa:16:3e:ec:cc:80 src fa:16:3e:cd:c0:5c bd_index 1
00:35:14:488251: l2-output
  l2-output: sw_if_index 8 dst fa:16:3e:ec:cc:80 src fa:16:3e:cd:c0:5c data 08 00 45 00 00 2c 4c 6c 00 00 2e 06
00:35:14:488255: l2-output-classify
  l2-classify: sw_if_index 8, table 11, offset 0, next 1
00:35:14:488261: acl-plugin-out-ip4-l2
  acl-plugin: sw_if_index 8, next index 1, action: 2, match: acl 11 rule 2 trace_bits 00000000
  pkt info 0000000000000000 524a1dac00000000 0000000000000000 05010a0a00000000 0008000601bbee50 0502ffff00000008
00:35:14:488334: VirtualEthernet0/0/0-output
  VirtualEthernet0/0/0
  IP4: fa:16:3e:cd:c0:5c -> fa:16:3e:ec:cc:80
  TCP: 172.29.74.82 -> 10.10.1.5
    tos 0x00, ttl 46, length 44, checksum 0x3ee2
    fragment id 0x4c6c
00:35:14:488341: VirtualEthernet0/0/0-tx
     VirtualEthernet0/0/0 queue 0
   virtio flags:
    SINGLE_DESC Single descriptor packet
   virtio_net_hdr first_desc_len 4096
     flags 0x00 gso_type 0
     num_buff 1

------------------- Start of thread 4 vpp_wk_3 -----------
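The two "pkt info" lines in the traces above are the acl-plugin's 5-tuple lookup key dumped as raw words, and decoding them is the quickest way to see what the data plane actually classified before deciding whether the policy translation or the lookup is at fault. What follows is an added example for this report; it is not code from the bug report, from VPP or from networking-vpp. It assumes the acl-plugin fa_5tuple_t layout of that time (six little-endian u64 words: source and destination ip46 addresses, an L4 key holding source port, destination port, protocol and the low 16 bits of sw_if_index, then a packet-info word whose low 32 bits are sw_if_index), models rule evaluation as a plain first-match walk over the rules listed by "sh acl acl" with deny when nothing matches, and assumes the text rendering of the ANY rule the reporter added afterwards (the second trace reports it as acl 11 rule 2). Under that layout the first trace decodes to TCP 172.29.74.82:62088 -> 10.10.1.5:80 and the second to TCP 172.29.74.82:61008 -> 10.10.1.5:443, both on sw_if_index 8.

```python
"""Decode acl-plugin 'pkt info' trace words and replay them against an ACL.

Added example for this bug report; not code from VPP or networking-vpp.
Assumed layout: six host-order (little-endian) u64 words of fa_5tuple_t,
i.e. src ip46 (2 words), dst ip46 (2 words), l4 key {sport, dport, proto,
lsb of sw_if_index} and a packet-info word whose low u32 is sw_if_index.
Rule evaluation is a first-match walk; no match means deny.
"""
import ipaddress
import re
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Rule lines copied from the 'sh acl acl' output above (acl-index 11,
# applied outbound on sw_if_index 8, i.e. towards the VM).
ACL_11 = """\
     0: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 17 sport 0-65535 dport 100
     1: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 22
"""
# Assumed rendering of the later-added ANY/ANY/0.0.0.0/0 ingress rule;
# the second trace reports the match as 'acl 11 rule 2'.
ANY_RULE = ("     2: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 "
            "proto 0 sport 0-65535 dport 0-65535\n")

# The two 'pkt info' lines from the traces above.
PKT_INFO_DENIED = ("pkt info 0000000000000000 524a1dac00000000 0000000000000000 "
                   "05010a0a00000000 000800060050f288 0510ffff00000008")
PKT_INFO_PERMITTED = ("pkt info 0000000000000000 524a1dac00000000 0000000000000000 "
                      "05010a0a00000000 0008000601bbee50 0502ffff00000008")

RULE_RE = re.compile(
    r"^\s*(\d+):\s+ipv4\s+(\S+)\s+src\s+(\S+)\s+dst\s+(\S+)\s+proto\s+(\d+)"
    r"\s+sport\s+(\S+)\s+dport\s+(\S+)\s*$")


@dataclass(frozen=True)
class FiveTuple:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    sw_if_index: int


@dataclass(frozen=True)
class AclRule:
    index: int
    action: str                 # e.g. 'permit+reflect' (stateful permit)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int                  # 0 matches any protocol
    sport: Tuple[int, int]
    dport: Tuple[int, int]

    def matches(self, p: FiveTuple) -> bool:
        return (ipaddress.IPv4Address(p.src) in self.src
                and ipaddress.IPv4Address(p.dst) in self.dst
                and self.proto in (0, p.proto)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])


def _port_range(text: str) -> Tuple[int, int]:
    """'100' -> (100, 100); '0-65535' -> (0, 65535)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def parse_acl(text: str) -> List[AclRule]:
    """Parse 'sh acl acl' rule lines; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        idx, action, src, dst, proto, sport, dport = m.groups()
        rules.append(AclRule(int(idx), action, ipaddress.IPv4Network(src),
                             ipaddress.IPv4Network(dst), int(proto),
                             _port_range(sport), _port_range(dport)))
    return rules


def decode_pkt_info(line: str) -> FiveTuple:
    """Turn the six %016llx words after 'pkt info' into a 5-tuple."""
    words = [int(w, 16) for w in line.split()[-6:]]
    raw = b"".join(struct.pack("<Q", w) for w in words)
    # ip46_address_t is 16 bytes; an IPv4 address sits in the last four.
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[28:32]))
    sport, dport, proto, _lsb_swif = struct.unpack_from("<HHHH", raw, 32)
    (sw_if_index,) = struct.unpack_from("<I", raw, 40)
    return FiveTuple(src, dst, proto, sport, dport, sw_if_index)


def evaluate(rules: List[AclRule], p: FiveTuple) -> Tuple[int, str]:
    """First matching rule wins; no match is the implicit deny that the
    trace prints as 'acl -1 rule -1'."""
    for r in rules:
        if r.matches(p):
            return r.index, r.action
    return -1, "deny"


if __name__ == "__main__":
    for label, info, acl in (("first trace", PKT_INFO_DENIED, ACL_11),
                             ("second trace", PKT_INFO_PERMITTED, ACL_11 + ANY_RULE)):
        p = decode_pkt_info(info)
        print(label, p, "->", evaluate(parse_acl(acl), p))
```

Running it evaluates both traced packets against acl-index 11 with and without the later ANY rule. A packet that this first-match model permits but that the trace reports as "acl -1 rule -1" narrows the problem to the data-plane lookup rather than to the security-group-to-ACL translation; conversely, a deny that the model also produces (as it does for a TCP packet to port 80 against a group that only permits UDP/100 and TCP/22 inbound) is the configured policy working as written.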

Naveen Joy (najoy) wrote:

From the trace line below, the acl-plugin is matching on ACL -1 & rule -1 on sw_if_index 8. However, ACL -1 is not set on sw_if_index 8 by networking-vpp. The ACL indices set on sw_if_index 8 are 24 (macip) and 10 & 11 (TCP/IP).

acl-plugin: sw_if_index 8, next index 0, action: 0, match: acl -1 rule -1 trace_bits 00000000

vpp# sh acl macip interface
  sw_if_index 0: -1
  sw_if_index 1: -1
  sw_if_index 2: -1
  sw_if_index 3: -1
  sw_if_index 4: -1
  sw_if_index 5: -1
  sw_if_index 6: -1
  sw_if_index 7: -1
  sw_if_index 8: 24 <---

acl-index 10 count 1 tag {net-vpp.secgroup:371e32b9-9435-4591-82c4-ff2fc019632b.to-vpp}
     0: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
  applied inbound on sw_if_index: 8
  applied outbound on sw_if_index:
acl-index 11 count 2 tag {net-vpp.secgroup:371e32b9-9435-4591-82c4-ff2fc019632b.from-vpp}
     0: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 17 sport 0-65535 dport 100
     1: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 22
  applied inbound on sw_if_index:
  applied outbound on sw_if_index: 8

Changed in networking-vpp:
status: New → In Progress
assignee: nobody → Naveen Joy (najoy)
Naveen Joy (najoy) wrote:

Andrew has been notified; waiting for his update.

Naveen Joy (najoy) wrote:

A JIRA bug has been opened to track this issue:

https://jira.fd.io/browse/VPP-1181

Changed in networking-vpp:
status: In Progress → Confirmed
Deepika (deepika-j) wrote:

Verified that this has been fixed in VPP 18.04.

Changed in networking-vpp:
status: Confirmed → Fix Released