neutron

Security group rules are erroneously applied to all ports having same ip addresses in different networks

Bug #1359523 reported by Zhiyuan Cai on 2014-08-21

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	High	shihanzhang

Bug Description

The following steps happen in the same host machine.

1. tenant1 create vm1 with network net1 and ip 199.168.1.2
2. tenant1 create vm2 with network net1 and ip 199.168.1.4
3. configure security group of vm1 and vm2 so they can communicate with tcp connetion
4. tenant2 create vm3 with network net2 and ip 199.168.1.2
5. tenant2 create vm4 with network net2 and ip 199.168.1.4
6. configure security group of vm3 and vm4 so they can't communicate with tcp connetion
7. create tcp connetion between vm1 and vm2, success
8. create tcp connetion betwwen vm3 and vm4 when vm1 and vm2 are still connecting, success, which failure is expected

This problem is caused since these two connections share the same 5-tuple, so conntrack let the packets between vm3 and vm4 pass.

Tags:

Zhiyuan Cai (luckyvega-g) on 2014-08-21

Changed in neutron:
assignee:	nobody → Zhiyuan Cai (luckyvega-g)

Eugene Nikanorov (enikanorov) on 2014-08-21

Changed in neutron:
importance:	Undecided → High

Xurong Yang (idopra) on 2014-08-22

Changed in neutron:
assignee:	Zhiyuan Cai (luckyvega-g) → Xurong Yang (idopra)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-02: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/118274

Changed in neutron:
status:	New → In Progress

Revision history for this message

Brian Haley (brian-haley) wrote on 2014-10-16: Re: Conntrack causes security group rule fails

Does this only happen when you don't use namespaces?

Elena Ezhova (eezhova) on 2014-10-31

tags:

added: sg-fw

Revision history for this message

Eugene Nikanorov (enikanorov) wrote on 2014-10-31:

Brian, compute hosts don't use namespaces, so the bug is valid.

tags:

added: juno-backport-potential

Eugene Nikanorov (enikanorov) on 2014-10-31

summary:

- Conntrack causes security group rule fails
+ Security group rules errorneously applied to all ports having same ip
+ addresses in different networks

OpenStack Infra (hudson-openstack) on 2015-01-19

Changed in neutron:
assignee:	Xurong Yang (idopra) → shihanzhang (shihanzhang)

OpenStack Infra (hudson-openstack) on 2015-01-23

Changed in neutron:
assignee:	shihanzhang (shihanzhang) → Xurong Yang (idopra)

OpenStack Infra (hudson-openstack) on 2015-01-31

Changed in neutron:
assignee:	Xurong Yang (idopra) → shihanzhang (shihanzhang)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-05-07: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/118274
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=bd5373b670cdd7f21f8a1ece98fde6be9fda71ab
Submitter: Jenkins
Branch: master

commit bd5373b670cdd7f21f8a1ece98fde6be9fda71ab
Author: yangxurong <email address hidden>
Date: Tue Aug 26 15:15:40 2014 +0800

Use iptables zone to separate different ip_conntrack

    ip_conntrack causes security group rule failures when packets share
    the same 5-tuple. Use iptables zone option to separate different
    conntrack zone. Currently this patch only works for OVS agent.

Co-authored-by: shihanzhang <email address hidden>

Change-Id: I90b4d2485e3e491f496dfb7bdee03d57f393be35
Partial-Bug: #1359523

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-05-22: Fix proposed to neutron (neutron-pecan)

Fix proposed to branch: neutron-pecan
Review: https://review.openstack.org/185072

Revision history for this message

Jay Pipes (jaypipes) wrote on 2015-06-09:

Should this be considered a security issue?

summary:

- Security group rules errorneously applied to all ports having same ip
+ Security group rules are erroneously applied to all ports having same ip
addresses in different networks

Revision history for this message

yalei wang (yalei-wang) wrote on 2015-06-16:

what else should be done in this bug? is it fixed?

Tomoko Inoue (inoue-tomoko) on 2015-09-02

tags:

added: kilo-backport-potential

ZongKai LI (zongkai) on 2015-10-14

Changed in neutron:
status:	In Progress → Fix Committed

Alan Pevec (apevec) on 2015-11-24

tags:

removed: juno-backport-potential

Doug Hellmann (doug-hellmann) on 2015-12-03

Changed in neutron:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.