neutron

Security group rules are erroneously applied to all ports having same ip addresses in different networks

Bug #1359523 reported by Zhiyuan Cai
40
This bug affects 4 people
Affects Status Importance Assigned to Milestone
neutron
Fix Released
High
shihanzhang

Bug Description

The following steps happen in the same host machine.

1. tenant1 create vm1 with network net1 and ip 199.168.1.2
2. tenant1 create vm2 with network net1 and ip 199.168.1.4
3. configure security group of vm1 and vm2 so they can communicate with tcp connetion
4. tenant2 create vm3 with network net2 and ip 199.168.1.2
5. tenant2 create vm4 with network net2 and ip 199.168.1.4
6. configure security group of vm3 and vm4 so they can't communicate with tcp connetion
7. create tcp connetion between vm1 and vm2, success
8. create tcp connetion betwwen vm3 and vm4 when vm1 and vm2 are still connecting, success, which failure is expected

This problem is caused since these two connections share the same 5-tuple, so conntrack let the packets between vm3 and vm4 pass.

Zhiyuan Cai (luckyvega-g)
Changed in neutron:
assignee: nobody → Zhiyuan Cai (luckyvega-g)
Eugene Nikanorov (enikanorov)
Changed in neutron:
importance: Undecided → High
Xurong Yang (idopra)
Changed in neutron:
assignee: Zhiyuan Cai (luckyvega-g) → Xurong Yang (idopra)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/118274

Changed in neutron:
status: New → In Progress
Revision history for this message
Brian Haley (brian-haley) wrote : Re: Conntrack causes security group rule fails

Does this only happen when you don't use namespaces?

Elena Ezhova (eezhova)
tags: added: sg-fw
Revision history for this message
Eugene Nikanorov (enikanorov) wrote :

Brian, compute hosts don't use namespaces, so the bug is valid.

tags: added: juno-backport-potential
Eugene Nikanorov (enikanorov)
summary: - Conntrack causes security group rule fails
+ Security group rules errorneously applied to all ports having same ip
+ addresses in different networks
OpenStack Infra (hudson-openstack)
Changed in neutron:
assignee: Xurong Yang (idopra) → shihanzhang (shihanzhang)
OpenStack Infra (hudson-openstack)
Changed in neutron:
assignee: shihanzhang (shihanzhang) → Xurong Yang (idopra)
OpenStack Infra (hudson-openstack)
Changed in neutron:
assignee: Xurong Yang (idopra) → shihanzhang (shihanzhang)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/118274
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=bd5373b670cdd7f21f8a1ece98fde6be9fda71ab
Submitter: Jenkins
Branch: master

commit bd5373b670cdd7f21f8a1ece98fde6be9fda71ab
Author: yangxurong <email address hidden>
Date: Tue Aug 26 15:15:40 2014 +0800

    Use iptables zone to separate different ip_conntrack

    ip_conntrack causes security group rule failures when packets share
    the same 5-tuple. Use iptables zone option to separate different
    conntrack zone. Currently this patch only works for OVS agent.

    Co-authored-by: shihanzhang <email address hidden>

    Change-Id: I90b4d2485e3e491f496dfb7bdee03d57f393be35
    Partial-Bug: #1359523

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (neutron-pecan)

Fix proposed to branch: neutron-pecan
Review: https://review.openstack.org/185072

Revision history for this message
Jay Pipes (jaypipes) wrote :

Should this be considered a security issue?

summary: - Security group rules errorneously applied to all ports having same ip
+ Security group rules are erroneously applied to all ports having same ip
addresses in different networks
Revision history for this message
yalei wang (yalei-wang) wrote :

what else should be done in this bug? is it fixed?

Tomoko Inoue (inoue-tomoko)
tags: added: kilo-backport-potential
ZongKai LI (zongkai)
Changed in neutron:
status: In Progress → Fix Committed
Alan Pevec (apevec)
tags: removed: juno-backport-potential
Doug Hellmann (doug-hellmann)
Changed in neutron:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers