Security group rules are erroneously applied to all ports having same ip addresses in different networks

Bug #1359523 reported by Zhiyuan Cai on 2014-08-21
This bug affects 4 people
Affects: neutron
Importance: High
Assigned to: shihanzhang

Bug Description

The following steps happen in the same host machine.

1. tenant1 creates vm1 with network net1 and ip 199.168.1.2
2. tenant1 creates vm2 with network net1 and ip 199.168.1.4
3. configure the security group of vm1 and vm2 so they can communicate with a tcp connection
4. tenant2 creates vm3 with network net2 and ip 199.168.1.2
5. tenant2 creates vm4 with network net2 and ip 199.168.1.4
6. configure the security group of vm3 and vm4 so they can't communicate with a tcp connection
7. create a tcp connection between vm1 and vm2: success
8. create a tcp connection between vm3 and vm4 while vm1 and vm2 are still connected: success, although failure is expected

This problem is caused because these two connections share the same 5-tuple, so conntrack lets the packets between vm3 and vm4 pass.
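The mechanism the report describes, as an added toy model that is not code from the bug report or from neutron: a compute host without namespaces keeps one conntrack table for every VM on it, and an entry is keyed either by the 5-tuple alone (the bug) or by the 5-tuple plus a per-network conntrack zone (the approach of the fix). The flow tuple, the zone numbers and the ports 40000/80 are constructed values; only the IP addresses come from the report.

```python
from dataclasses import dataclass, field


def reverse(flow):
    """Reply direction of a (proto, src_ip, src_port, dst_ip, dst_port) flow."""
    proto, sip, sport, dip, dport = flow
    return (proto, dip, dport, sip, sport)


@dataclass
class Host:
    """One compute host (no namespaces): a single conntrack table for all VMs."""
    use_zones: bool
    allow_tcp: dict    # network -> security group permits tcp between its VMs
    zone_of_net: dict  # network -> conntrack zone (constructed values)
    conntrack: set = field(default_factory=set)

    def _key(self, net, flow):
        # Without zones every network shares zone 0, so only the 5-tuple counts.
        zone = self.zone_of_net[net] if self.use_zones else 0
        return (zone, flow)

    def accept(self, net, flow):
        """True if the security group chain lets this packet through."""
        # Models '-m state --state ESTABLISHED -j RETURN' evaluated before the
        # per-port security group rules; conntrack matches both directions.
        if (self._key(net, flow) in self.conntrack
                or self._key(net, reverse(flow)) in self.conntrack):
            return True
        # NEW flow: evaluate the security group rules of this network.
        if self.allow_tcp[net]:
            self.conntrack.add(self._key(net, flow))
            return True
        return False


def run_scenario(use_zones):
    """Steps 7 and 8 of the report: (vm1->vm2, vm2->vm1 reply, vm3->vm4)."""
    host = Host(use_zones, allow_tcp={"net1": True, "net2": False},
                zone_of_net={"net1": 1, "net2": 2})
    # Identical 5-tuple in both networks, as both pairs use 199.168.1.2/.4.
    flow = ("tcp", "199.168.1.2", 40000, "199.168.1.4", 80)
    return (host.accept("net1", flow),           # allowed; entry created
            host.accept("net1", reverse(flow)),  # reply matches the entry
            host.accept("net2", flow))           # net2's SG should block this


if __name__ == "__main__":
    print("no zones:", run_scenario(False))  # (True, True, True): the bug
    print("zones:   ", run_scenario(True))   # (True, True, False)
```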

Changed in neutron:
assignee: nobody → Zhiyuan Cai (luckyvega-g)
Changed in neutron:
importance: Undecided → High
Xurong Yang (idopra) on 2014-08-22
Changed in neutron:
assignee: Zhiyuan Cai (luckyvega-g) → Xurong Yang (idopra)

Fix proposed to branch: master
Review: https://review.openstack.org/118274

Changed in neutron:
status: New → In Progress

Does this only happen when you don't use namespaces?

Elena Ezhova (eezhova) on 2014-10-31
tags: added: sg-fw
Eugene Nikanorov (enikanorov) wrote :

Brian, compute hosts don't use namespaces, so the bug is valid.

tags: added: juno-backport-potential
summary: - Conntrack causes security group rule fails
+ Security group rules errorneously applied to all ports having same ip
+ addresses in different networks
Changed in neutron:
assignee: Xurong Yang (idopra) → shihanzhang (shihanzhang)
Changed in neutron:
assignee: shihanzhang (shihanzhang) → Xurong Yang (idopra)
Changed in neutron:
assignee: Xurong Yang (idopra) → shihanzhang (shihanzhang)

Reviewed: https://review.openstack.org/118274
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=bd5373b670cdd7f21f8a1ece98fde6be9fda71ab
Submitter: Jenkins
Branch: master

commit bd5373b670cdd7f21f8a1ece98fde6be9fda71ab
Author: yangxurong <email address hidden>
Date: Tue Aug 26 15:15:40 2014 +0800

    Use iptables zone to separate different ip_conntrack

    ip_conntrack causes security group rule failures when packets share
    the same 5-tuple. Use the iptables zone option to separate different
    conntrack zones. Currently this patch only works for the OVS agent.

    Co-authored-by: shihanzhang <email address hidden>

    Change-Id: I90b4d2485e3e491f496dfb7bdee03d57f393be35
    Partial-Bug: #1359523

Jay Pipes (jaypipes) wrote :

Should this be considered a security issue?

summary: - Security group rules errorneously applied to all ports having same ip
+ Security group rules are erroneously applied to all ports having same ip
addresses in different networks
yalei wang (yalei-wang) wrote :

What else should be done in this bug? Is it fixed?

tags: added: kilo-backport-potential
ZongKai LI (lzklibj) on 2015-10-14
Changed in neutron:
status: In Progress → Fix Committed
Alan Pevec (apevec) on 2015-11-24
tags: removed: juno-backport-potential
Changed in neutron:
status: Fix Committed → Fix Released