ping still working after security group rule is created, updated, or deleted

Bug #1335375 reported by shihanzhang on 2014-06-28
74
This bug affects 10 people
Affects Status Importance Assigned to Milestone
neutron
High
shihanzhang

Bug Description

After we create an ICMP rule for a security group, even though we delete this rule, the VM in this security group ping still working once connected, there is a same problem in floatingIP, bug#1334926

The bug is relevant for any connections, including ssh, etc.

The problem is also encountered when adding or updating a rule to attempt to block traffic that is already established.

At the root of this problem is that conntrack marks related and established traffic and a rule exists to automatically accept it. Modifying SG rules only modifies rules for new traffic.

Changed in neutron:
assignee: nobody → shihanzhang (shihanzhang)
Changed in neutron:
importance: Undecided → High
tags: added: sg-fw
Aaron Rosen (arosen) on 2014-07-21
Changed in neutron:
assignee: shihanzhang (shihanzhang) → akash (akashg1611)
Eugene Nikanorov (enikanorov) wrote :

That seems to be slightly related to https://bugs.launchpad.net/neutron/+bug/1334926

tags: added: l3-ipam-dhcp
shihanzhang (shihanzhang) wrote :

hi arosen, I see you have not submit the patch for this bug, do you plan to do it? If you don't, I will do it

Hey please assign this to yourself thanks
On Sep 20, 2014 4:01 AM, "shihanzhang" <email address hidden> wrote:

> hi arosen, I see you have not submit the patch for this bug, do you
> plan to do it? If you don't, I will do it
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/1335375
>
> Title:
> ping still working once connected even after related security group
> rule is deleted
>
> Status in OpenStack Neutron (virtual network service):
> New
>
> Bug description:
> After we create an ICMP rule for a security group, even though we
> delete this rule, the VM in this security grou ping still working
> once connected, there is a same problem in floatingIP, bug#1334926
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/neutron/+bug/1335375/+subscriptions
>

tags: removed: l3-ipam-dhcp
Elena Ezhova (eezhova) on 2014-10-14
Changed in neutron:
assignee: Akash Gangil (akashg1611) → Elena Ezhova (eezhova)

since fip's problem has resolved, I think we can refer to its patch.

Eugene Nikanorov (enikanorov) wrote :

That's not exactly the same as with fip. We can't simply pass port's ip to conntrack to break connections.

Elena Ezhova (eezhova) on 2014-10-23
description: updated
shihanzhang (shihanzhang) wrote :

hi Eugene Nikanorov, I agree with you, so I plan to commit a BP for this:https://blueprints.launchpad.net/neutron/+spec/conntrack-in-security-group, what do you think?

Wei Wang (damon-devops) wrote :

@enikanorov, sorry, I forgot conntrack can't distinguish namespace,

Changed in neutron:
status: New → Confirmed
Eugene Nikanorov (enikanorov) wrote :

Additionally, there is no namespaces on compute nodes where the problem reveals itself.
So we can't run conntrack in the namespace

Itzik Brown (itzikb1) wrote :

The problem also occurs with FWaaS

summary: - ping still working once connected even after related security group rule
- is deleted
+ ping still working after security group rule is created, updated, or
+ deleted
description: updated

Hello Elena,

Are you still working on this defect?? If you are not planning to push any fix, we can leverage the work shihanzhang has done.
shihanzhang seems to have offered a fix earlier, but did not get a chance to publish it.

Thanks

Elena Ezhova (eezhova) wrote :

I was planning to continue working on the fix right after patch by @yangxurong that introduces conntrack zones is merged, but it seems that shihanzhang has decided not to wait and pushed the code without considering that this bug has an assignee.

shihanzhang (shihanzhang) wrote :

hi Elena Ezhova, I am sorry that I did not commiunicate with you! You did not commit patch, so I don't know whehter you plan to continue on it, so I commit my patch:https://review.openstack.org/#/c/147713/, and this patch based on patch 118274

Changed in neutron:
assignee: Elena Ezhova (eezhova) → shihanzhang (shihanzhang)
status: Confirmed → In Progress
Kyle Mestery (mestery) on 2015-03-31
Changed in neutron:
milestone: none → liberty-1
Thierry Carrez (ttx) on 2015-06-23
Changed in neutron:
milestone: liberty-1 → liberty-2
Thierry Carrez (ttx) on 2015-07-28
Changed in neutron:
milestone: liberty-2 → liberty-3

Reviewed: https://review.openstack.org/147713
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=aa608d2e042e8c5033cdaf805615aaf03678edb7
Submitter: Jenkins
Branch: master

commit aa608d2e042e8c5033cdaf805615aaf03678edb7
Author: shihanzhang <email address hidden>
Date: Thu Jan 15 20:16:21 2015 +0800

    Add conntrack-tool to manage security groups

    This patch introduces conntrack-tool to manage security groups. When a
    security group rule is deleted, the corresponding tracked connection
    entries will also be removed from the kernel for the address.

    Closes-Bug: #1335375
    Partially-Implements: bp conntrack-in-security-group

    Change-Id: Ibfd2d6a11aa970ea9e5009f4c4b858544d8b7463

Changed in neutron:
status: In Progress → Fix Committed
Download full text (37.3 KiB)

Reviewed: https://review.openstack.org/211492
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a7b91632fc65ab9d2687298c68b1d715866d0356
Submitter: Jenkins
Branch: feature/pecan

commit 966203f89dee8fe61fb2dce654e36e510e80380f
Author: Sukhdev Kapur <email address hidden>
Date: Wed Jul 1 16:30:44 2015 -0700

    Neutron-Ironic integration patch

    This patch is in preparation for the integration
    of Ironic and Neutron. A new vnic_type is being
    added so that ML2 drivers can filter for all
    Ironic ports based upon match for 'baremetal'.
    Nova/Ironic will set this vnic_type when issuing
    port-create request to neutron.
    (e.g. binding:vnic_type = 'baremetal' )

    Change-Id: I25dc9472b31db052719db503a10c1fb1a55572ef
    Partial-Implements: blueprint neutron-ironic-integration

commit 236e408272bcb9b8e957524864e571b5afdc4623
Author: Oleg Bondarev <email address hidden>
Date: Tue Jul 7 12:02:58 2015 +0300

    DVR: fix router scheduling

    Fix scheduling of DVR routers to not stop scheduling once
    csnat portion was scheduled. See bug report for failing
    scenario.

    This partially reverts
    commit 3794b4a83e68041e24b715135f0ccf09a5631178
    and fixes bug 1374473 by moving csnat scheduling
    after general dvr router scheduling, so double binding does
    not happen.

    Closes-Bug: #1472163
    Related-Bug: #1374473
    Change-Id: I57c06e2be732e47b6cce7c724f6b255ea2d8fa32

commit e152f93878b9bb6af7cfedc9e045892fcf7d0615
Author: Assaf Muller <email address hidden>
Date: Sat Aug 8 21:15:03 2015 +0300

    TESTING.rst love

    Change-Id: I64b569048f8f87ea2fe63d861302b4020d36493d

commit 633c52cca1b383af2c900e1663c8682114acd177
Author: sridhargaddam <email address hidden>
Date: Wed Aug 5 10:49:33 2015 +0000

    Avoid dhcp_release for ipv6 addresses

    dhcp_release is only supported for IPv4 addresses [1] and not for
    IPv6 addresses [2]. There will be no effect when it is called with
    IPv6 address. This patch adds a corresponding note and avoids calling
    dhcp_release for IPv6 addresses.

    [1] http://manpages.ubuntu.com/manpages/trusty/man1/dhcp_release.1.html
    [2] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q2/007084.html

    Change-Id: I8b8316c9d3d011c2a687a3a1e2a4da5cf1b5d604

commit 2de8fad17402f38bbc30204ee2f4f99cf21cb69d
Author: OpenStack Proposal Bot <email address hidden>
Date: Mon Aug 10 06:11:06 2015 +0000

    Imported Translations from Transifex

    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure

    Change-Id: I2b423e83a7d0ac8b23239f81fe33dd8382c6fff6

commit fef79dc7b9162e03c8891645494c115b52d4d014
Author: Henry Gessau <email address hidden>
Date: Mon Aug 3 23:30:34 2015 -0400

    Consistent layout and headings for devref

    The lack of convention for heading levels among the independently
    written devref documents was starting to make the Table of Contents
    look rather messy when rendered in HTML.

    This patch does not cover the "Neutron Internals" section since its
    layo...

tags: added: in-feature-pecan
Thierry Carrez (ttx) on 2015-09-03
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-10-15
Changed in neutron:
milestone: liberty-3 → 7.0.0
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers