fwaas: firewall is not working for when destination ip address is VM's floating ip in firewall rule

Bug #1323299 reported by Rajkumar
This bug affects 8 people

Affects: neutron
Status: Invalid
Importance: Medium
Assigned to: Xurong Yang
Milestone: (none)

Bug Description

DESCRIPTION:

Firewall is not working when setting the destination-ip-address to the VM's floating IP.
Steps to Reproduce:
1. Create one network and attach it to the newly created router
2. Create VMs on the above network
3. Create a security group rule for ICMP
4. Create an external network and attach it to the router as gateway
5. Create floating IPs and associate them with the VMs
6. Create a first firewall rule with protocol=icmp, action=deny and destination-ip-address set to the floating IP
7. Create a second firewall rule with protocol=any, action=allow
8. Attach the rules to the policy and the policy to the firewall
9. Ping the VM's floating IP from the network node that has the external network configured

Actual Results:
Ping succeeds

Expected Results:
Ping should fail as per the firewall rule

Tags: fwaas
Revision history for this message
Rajkumar (raj15) wrote :
tags: added: fwaas
Changed in neutron:
importance: Undecided → Medium
Xurong Yang (idopra)
Changed in neutron:
assignee: nobody → Xurong Yang (idopra)
Sumit Naiksatam (snaiksat) wrote :

Can you please confirm if you are using only security groups or FWaaS as well? If you are using FWaaS please indicate the steps you followed to create the firewall_policy, firewall, etc.

Changed in neutron:
status: New → Incomplete
Rajkumar (raj15) wrote :

I have created the security group only to allow ICMP so that I can test using ping. I have created the firewall as shown below. I am able to ping the VM's floating IP (192.52.1.6) from the network node (192.52.1.45) even though I have added a rule denying 192.52.1.0/24; however, ping from the VM to the network node is denied as expected.
One more observation: if I disable the second rule r2, which is "allow all", then the ping from the network node to the VM is blocked as expected, since it hits the default rule "deny all".

root@IGA-OSC:~# neutron firewall-rule-show r1
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| action | deny |
| description | |
| destination_ip_address | 192.52.1.0/24 |
| destination_port | |
| enabled | True |
| firewall_policy_id | 924d41cd-fad1-4ed4-9114-6dd704382bd3 |
| id | fe18a16c-a792-4763-890e-3e0f37591b05 |
| ip_version | 4 |
| name | r1 |
| position | 1 |
| protocol | icmp |
| shared | False |
| source_ip_address | |
| source_port | |
| tenant_id | d9481c57a11c46eea62886938b5378a7 |
+------------------------+--------------------------------------+
root@IGA-OSC:~# neutron firewall-rule-show r2
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| action | allow |
| description | |
| destination_ip_address | |
| destination_port | |
| enabled | True |
| firewall_policy_id | 924d41cd-fad1-4ed4-9114-6dd704382bd3 |
| id | a4d231de-bf05-4353-8c69-b1698b6b997d |
| ip_version | 4 |
| name | r2 |
| position | 2 |
| protocol | |
| shared | False |
| source_ip_address | |
| source_port | |
| tenant_id | d9481c57a11c46eea62886938b5378a7 |
+------------------------+--------------------------------------+
root@IGA-OSC:~# neutron firewall-policy-show p1
+----------------+------------------------...


Changed in neutron:
status: Incomplete → In Progress
Xurong Yang (idopra) wrote :

Hi,
I'm reproducing the bug; the detailed steps will be posted later.

Xurong Yang (idopra) wrote :

Hi Sumit Naiksatam & Rajkumar,
I reproduced the issue and, in fact, the result is the same as yours. My analysis follows:
The router provides both NAT and firewall functionality, so although we have created the firewall rule, DNAT takes action first (changing the floating IP to the fixed IP) in the PREROUTING chain when the network node pings the VM's floating IP. The firewall rules in the FORWARD chain therefore cannot match, because the packet's destination IP has already been changed to the fixed IP.

Additional case:
If we change the firewall rule to protocol=icmp, action=deny and destination-ip-address set to the fixed IP, the ping fails.

In short, the router firewall can't take effect here; I will send a mail to discuss this issue.
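The chain ordering described in the comment above, as an added illustration that is not part of this thread or of Neutron's own code: a small Python model of the path a packet takes through the router namespace, with nat/PREROUTING (DNAT) evaluated before filter/FORWARD (the FWaaS rules). The floating IP 192.52.1.6, the network node address 192.52.1.45 and the rules r1/r2 are taken from the thread; the VM's fixed IP 10.0.0.6 and the fixed-IP CIDR 10.0.0.0/24 used for the variant rule are constructed values.

```python
# Added example (not from the bug report or from Neutron's code): a model of the
# netfilter traversal order inside a Neutron L3 router namespace, showing why a
# FWaaS deny rule keyed on the floating IP never matches inbound traffic.
# From the thread: floating IP 192.52.1.6, network node 192.52.1.45, deny rule on
# 192.52.1.0/24. The VM's fixed IP 10.0.0.6 and 10.0.0.0/24 are constructed.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp", "tcp", ...


@dataclass(frozen=True)
class FilterRule:
    """One FWaaS rule as it lands in the router's filter/FORWARD chain."""
    name: str
    action: str               # "allow" or "deny"
    protocol: Optional[str]   # None means any protocol
    dst_cidr: Optional[str]   # None means any destination

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and self.protocol != pkt.proto:
            return False
        if self.dst_cidr is not None and ip_address(pkt.dst) not in ip_network(self.dst_cidr):
            return False
        return True


def prerouting_dnat(pkt: Packet, floating_to_fixed: Dict[str, str]) -> Packet:
    """nat/PREROUTING: a floating-IP destination is rewritten to the fixed IP."""
    fixed = floating_to_fixed.get(pkt.dst)
    return replace(pkt, dst=fixed) if fixed else pkt


def forward_filter(pkt: Packet, rules: List[FilterRule]) -> Tuple[str, str]:
    """filter/FORWARD: first matching rule wins; FWaaS ends the chain with deny-all."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default-deny"


def route_through_router(pkt: Packet, floating_to_fixed: Dict[str, str],
                         rules: List[FilterRule]) -> Dict[str, str]:
    """PREROUTING runs before the routing decision and FORWARD after it, so the
    filter rules only ever see the already-translated destination address.
    (Outbound SNAT happens in POSTROUTING, after FORWARD, and is not modelled
    because the rules here match on destination only.)"""
    translated = prerouting_dnat(pkt, floating_to_fixed)
    verdict, rule = forward_filter(translated, rules)
    return {"dst_seen_by_filter": translated.dst, "verdict": verdict, "rule": rule}


FLOATING_TO_FIXED = {"192.52.1.6": "10.0.0.6"}                    # fixed IP is constructed
R1_FLOATING = FilterRule("r1", "deny", "icmp", "192.52.1.0/24")   # r1 from the report
R1_FIXED = FilterRule("r1-fixed", "deny", "icmp", "10.0.0.0/24")  # the fixed-IP variant (constructed CIDR)
R2_ALLOW_ALL = FilterRule("r2", "allow", None, None)             # r2 from the report

PING_IN = Packet("192.52.1.45", "192.52.1.6", "icmp")   # network node -> VM floating IP
PING_OUT = Packet("10.0.0.6", "192.52.1.45", "icmp")    # VM -> network node


def run_scenarios() -> Dict[str, Dict[str, str]]:
    """The four observations made in the thread, reproduced by the model."""
    return {
        "inbound_rule_on_floating_ip": route_through_router(PING_IN, FLOATING_TO_FIXED, [R1_FLOATING, R2_ALLOW_ALL]),
        "inbound_rule_on_fixed_ip": route_through_router(PING_IN, FLOATING_TO_FIXED, [R1_FIXED, R2_ALLOW_ALL]),
        "inbound_without_allow_all": route_through_router(PING_IN, FLOATING_TO_FIXED, [R1_FLOATING]),
        "outbound_vm_to_network_node": route_through_router(PING_OUT, FLOATING_TO_FIXED, [R1_FLOATING, R2_ALLOW_ALL]),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:28s} filter saw dst={result['dst_seen_by_filter']:<12} "
              f"-> {result['verdict']} ({result['rule']})")
```

The first scenario is the bug as reported: the filter chain sees 10.0.0.6, r1 (keyed on 192.52.1.0/24) does not match, r2 allows, and the ping succeeds. Keying the deny rule on the fixed-IP range makes it match, and removing r2 falls through to the default deny, which are the other two inbound observations in the thread. The outbound ping is not translated in PREROUTING, so r1 matches its destination and denies it, as Rajkumar observed.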

Changed in neutron:
milestone: none → juno-1
Kyle Mestery (mestery)
Changed in neutron:
milestone: juno-1 → juno-2
Sumit Naiksatam (snaiksat) wrote :

This is working as designed. The current FWaaS implementation sees the ip address before it's DNAT'ed, not after it. Changing this would probably be a bigger change, and a feature.

Changed in neutron:
status: In Progress → Opinion
Kyle Mestery (mestery)
Changed in neutron:
milestone: juno-2 → none
Changed in neutron:
status: Opinion → Invalid