Security group rules are erroneously applied to all ports having same ip addresses in different networks
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | neutron |
High
|
shihanzhang | ||
Bug Description
The following steps happen in the same host machine.
1. tenant1 create vm1 with network net1 and ip 199.168.1.2
2. tenant1 create vm2 with network net1 and ip 199.168.1.4
3. configure security group of vm1 and vm2 so they can communicate with tcp connetion
4. tenant2 create vm3 with network net2 and ip 199.168.1.2
5. tenant2 create vm4 with network net2 and ip 199.168.1.4
6. configure security group of vm3 and vm4 so they can't communicate with tcp connetion
7. create tcp connetion between vm1 and vm2, success
8. create tcp connetion betwwen vm3 and vm4 when vm1 and vm2 are still connecting, success, which failure is expected
This problem is caused since these two connections share the same 5-tuple, so conntrack let the packets between vm3 and vm4 pass.
| Changed in neutron: | |
| assignee: | nobody → Zhiyuan Cai (luckyvega-g) |
| Changed in neutron: | |
| importance: | Undecided → High |
| Changed in neutron: | |
| assignee: | Zhiyuan Cai (luckyvega-g) → Xurong Yang (idopra) |
| Changed in neutron: | |
| status: | New → In Progress |
Does this only happen when you don't use namespaces?
| tags: | added: sg-fw |
| Eugene Nikanorov (enikanorov) wrote : | #3 |
Brian, compute hosts don't use namespaces, so the bug is valid.
| tags: | added: juno-backport-potential |
| summary: |
- Conntrack causes security group rule fails + Security group rules errorneously applied to all ports having same ip + addresses in different networks |
| Changed in neutron: | |
| assignee: | Xurong Yang (idopra) → shihanzhang (shihanzhang) |
| Changed in neutron: | |
| assignee: | shihanzhang (shihanzhang) → Xurong Yang (idopra) |
| Changed in neutron: | |
| assignee: | Xurong Yang (idopra) → shihanzhang (shihanzhang) |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit bd5373b670cdd7f
Author: yangxurong <email address hidden>
Date: Tue Aug 26 15:15:40 2014 +0800
Use iptables zone to separate different ip_conntrack
ip_conntrack causes security group rule failures when packets share
the same 5-tuple. Use iptables zone option to separate different
conntrack zone. Currently this patch only works for OVS agent.
Co-authored-by: shihanzhang <email address hidden>
Change-Id: I90b4d2485e3e49
Partial-Bug: #1359523
Fix proposed to branch: neutron-pecan
Review: https:/
| Jay Pipes (jaypipes) wrote : | #6 |
Should this be considered a security issue?
| summary: |
- Security group rules errorneously applied to all ports having same ip + Security group rules are erroneously applied to all ports having same ip addresses in different networks |
| yalei wang (yalei-wang) wrote : | #7 |
what else should be done in this bug? is it fixed?
| tags: | added: kilo-backport-potential |
| Changed in neutron: | |
| status: | In Progress → Fix Committed |
| tags: | removed: juno-backport-potential |
| Changed in neutron: | |
| status: | Fix Committed → Fix Released |
Fix proposed to branch: master
Review: https:/