[ovs firewall] Port masking adds wrong masks in several cases.

Bug #1611991 reported by Inessa Vasilevskaya
Affects                      Status        Importance   Assigned to           Milestone
OpenStack Security Advisory  Won't Fix     Undecided    Unassigned
neutron                      Fix Released  High         Inessa Vasilevskaya

Bug Description

Seen on master devstack, ubuntu xenial.

Steps to reproduce:

1. Enable ovs firewall in /etc/neutron/plugins/ml2/ml2.conf

[securitygroup]
firewall_driver = openvswitch

2. Create a security group with icmp, tcp to 22.

3. Boot a VM, assign a floating ip.

4. Check that port 23 can be accessed via tcp (telnet, nc, etc).

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/353782

description: updated
Changed in neutron:
assignee: nobody → Inessa Vasilevskaya (ivasilevskaya)
Changed in neutron:
status: New → Confirmed
Revision history for this message
Jakub Libosvar (libosvar) wrote : Re: [ovs firewall] Port 23 is open on booted vms with only ping/ssh on 22 allowed.

The bug is in port masking, 22 is masked by tp_src=0x16/0xfffe which matches number 23 as well. Good catch!
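
The masking defect described in this comment, as an added Python illustration that is not neutron's own port_rule_masking() and makes no claim about that function's signature. It implements the general greedy prefix split of a port range into value/mask pairs (of which the single-port case 22 is one instance), plus an audit helper that enumerates every port a given mask admits, so the faulty tp_src=0x16/0xfffe can be shown to admit 23. The names port_rule_masking, port_matches, check_rules and format_ovs are assumptions of this example.

```python
"""Port-range masking for OpenFlow-style tp_src/tp_dst matches.

Added example for the neutron ovs-firewall masking bug; not neutron code.
An OpenFlow rule matches a port field only as value/mask, so a rule meant
for "port 22 only" must carry the full mask 0xffff.  The faulty rule from
the report, tp_src=0x16/0xfffe, clears the lowest bit and so admits 22 and 23.
"""

PORT_BITS = 16
PORT_MASK_ALL = (1 << PORT_BITS) - 1  # 0xffff


def port_matches(port, value, mask):
    """True if `port` is admitted by the OpenFlow match value/mask."""
    return (port & mask) == (value & mask)


def port_rule_masking(port_min, port_max):
    """Split [port_min, port_max] into a minimal list of (value, mask) pairs.

    Greedy prefix decomposition (assumed algorithm, not neutron's): at each
    step take the largest power-of-two block that starts at `cur`, i.e. `cur`
    is aligned to the block size, and does not run past port_max.  Every port
    in the range is admitted by exactly one pair and no port outside it is
    admitted by any pair.
    """
    if not 0 <= port_min <= port_max <= PORT_MASK_ALL:
        raise ValueError("invalid port range %r-%r" % (port_min, port_max))
    rules = []
    cur = port_min
    while cur <= port_max:
        size = 1
        # Grow the block while it stays aligned at `cur` and inside the range.
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= port_max:
            size *= 2
        rules.append((cur, PORT_MASK_ALL & ~(size - 1)))
        cur += size
    return rules


def admitted_ports(rules):
    """Exhaustively enumerate every port admitted by a list of (value, mask)."""
    return {p for p in range(PORT_MASK_ALL + 1)
            if any(port_matches(p, v, m) for v, m in rules)}


def check_rules(rules, port_min, port_max):
    """Audit helper: sorted list of admitted ports outside the intended range."""
    wanted = set(range(port_min, port_max + 1))
    return sorted(admitted_ports(rules) - wanted)


def format_ovs(field, rules):
    """Render pairs the way ovs-ofctl prints them, e.g. tp_dst=0x16/0xffff."""
    return ["%s=0x%x/0x%x" % (field, v, m) for v, m in rules]


if __name__ == "__main__":
    # The rule quoted in the bug report (constructed from the comment above).
    faulty = [(0x16, 0xFFFE)]
    print("faulty rule", format_ovs("tp_src", faulty),
          "also admits ports", check_rules(faulty, 22, 22))
    fixed = port_rule_masking(22, 22)
    print("correct rule", format_ovs("tp_src", fixed),
          "extra ports", check_rules(fixed, 22, 22))
    print("range 1024-65535 ->", format_ovs("tp_dst",
                                            port_rule_masking(1024, 65535)))
```

check_rules() is the check a reviewer of generated flows would want: it compares the set of ports the emitted masks actually admit with the range the security group rule asked for, so a wrong mask shows up as a non-empty list rather than being noticed only when port 23 answers.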

Changed in neutron:
importance: Undecided → High
Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
Jeremy Stanley (fungi) wrote :

What change introduced this bug? Is it present in stable branches too, or just master?

information type: Public → Public Security
Changed in ossa:
status: New → Incomplete
Revision history for this message
Inessa Vasilevskaya (ivasilevskaya) wrote :

commit 9af8f56d1d7d96517b6252ee1bd7c03ca1cbab72
Author: Jakub Libosvar <email address hidden>
Date: Tue Feb 23 15:52:57 2016 +0000

    ovs-fw: Enhance port ranges with masks

    The algorithm for masking port range was taken from networking-ovs-dpdk.
    Future step will be to move the algorithm to neutron-lib and reuse in
    networking-ovs-dpdk.

    Change-Id: I4573eac9a2e04c1f126d26591d2e3207b6150337

As far as I know ovs firewall was introduced in mitaka, so stable mitaka is affected as well.

Jakub can correct me if I got something wrong.

Revision history for this message
Inessa Vasilevskaya (ivasilevskaya) wrote :

Hm, a quick unit test in networking-ovs-dpdk shows that this bug affects it as well http://paste.openstack.org/show/555911/

I'll file a bug there as well and backport the fix once it is ready.

Revision history for this message
Kevin Benton (kevinbenton) wrote :

This was released in Mitaka as an experimental security groups driver. It is not the default and it required a newer OVS version not shipped with many distros. So it was possible to use but I'm not sure how large the user base was for it.

Changed in neutron:
assignee: Inessa Vasilevskaya (ivasilevskaya) → IWAMOTO Toshihiro (iwamoto)
Changed in neutron:
assignee: IWAMOTO Toshihiro (iwamoto) → Inessa Vasilevskaya (ivasilevskaya)
tags: added: mitaka-backport-potential
Changed in neutron:
assignee: Inessa Vasilevskaya (ivasilevskaya) → Jakub Libosvar (libosvar)
Changed in neutron:
assignee: Jakub Libosvar (libosvar) → Inessa Vasilevskaya (ivasilevskaya)
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Closing the OSSA task, reason: B3 type of bug according to VMT taxonomy ( https://security.openstack.org/vmt-process.html#incident-report-taxonomy ).

Changed in ossa:
status: Incomplete → Won't Fix
summary: - [ovs firewall] Port 23 is open on booted vms with only ping/ssh on 22
- allowed.
+ [ovs firewall] Port masking adds wrong masks in several cases.
Revision history for this message
IWAMOTO Toshihiro (iwamoto) wrote :

Shouldn't this be targeted for newton-rc1 in order to get proper attention?

Changed in neutron:
milestone: none → newton-rc1
tags: added: newton-rc-potential
Changed in neutron:
milestone: newton-rc1 → ocata-1
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Kuba felt that [1] was more readable; we need to take the time to assess which one we feel comfortable with merging.

[1] https://review.openstack.org/#/c/353782/16

Changed in neutron:
milestone: ocata-1 → newton-rc2
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Let's take more time to think about the best strategy forward.

tags: removed: newton-rc-potential
Changed in neutron:
milestone: newton-rc2 → ocata-1
tags: added: newton-rc-potential
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :
Changed in neutron:
milestone: ocata-1 → newton-rc2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/353782
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0494f212aa625a03587af3d75e823008f1198012
Submitter: Jenkins
Branch: master

commit 0494f212aa625a03587af3d75e823008f1198012
Author: Inessa Vasilevskaya <email address hidden>
Date: Thu Aug 11 02:21:29 2016 +0300

    ovsfw: fix troublesome port_rule_masking

    In several cases port masking algorithm borrowed
    from networking_ovs_dpdk didn't behave correctly.
    This caused non-restricted ports to be open due to
    wrong tp_src field value in resulting ovs rules.

    This was fixed by alternative port masking
    implementation.

    Functional and unit tests to cover the bug added as well.

    Co-Authored-By: Jakub Libosvar <email address hidden>
    Co-Authored-By: IWAMOTO Toshihiro <email address hidden>

    Closes-Bug: #1611991
    Change-Id: Idfc0e9c52e0dd08852c91c17e12edb034606a361

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/375892

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/376401

tags: added: ovs-fw
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/newton)

Reviewed: https://review.openstack.org/375892
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e55b3e329ed1424c11e0fc1d2a18fd70307da9a2
Submitter: Jenkins
Branch: stable/newton

commit e55b3e329ed1424c11e0fc1d2a18fd70307da9a2
Author: Inessa Vasilevskaya <email address hidden>
Date: Thu Aug 11 02:21:29 2016 +0300

    ovsfw: fix troublesome port_rule_masking

    In several cases port masking algorithm borrowed
    from networking_ovs_dpdk didn't behave correctly.
    This caused non-restricted ports to be open due to
    wrong tp_src field value in resulting ovs rules.

    This was fixed by alternative port masking
    implementation.

    Functional and unit tests to cover the bug added as well.

    Co-Authored-By: Jakub Libosvar <email address hidden>
    Co-Authored-By: IWAMOTO Toshihiro <email address hidden>

    Closes-Bug: #1611991
    Change-Id: Idfc0e9c52e0dd08852c91c17e12edb034606a361
    (cherry picked from commit 0494f212aa625a03587af3d75e823008f1198012)

tags: added: in-stable-newton
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 9.0.0.0rc2

This issue was fixed in the openstack/neutron 9.0.0.0rc2 release candidate.

tags: removed: newton-rc-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/388015

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.0.0b1

This issue was fixed in the openstack/neutron 10.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/mitaka)

Reviewed: https://review.openstack.org/388015
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dd75f7e96afc713b57ad4ab21f01175be7b571fe
Submitter: Jenkins
Branch: stable/mitaka

commit dd75f7e96afc713b57ad4ab21f01175be7b571fe
Author: Inessa Vasilevskaya <email address hidden>
Date: Thu Aug 11 02:21:29 2016 +0300

    ovsfw: fix troublesome port_rule_masking

    In several cases port masking algorithm borrowed
    from networking_ovs_dpdk didn't behave correctly.
    This caused non-restricted ports to be open due to
    wrong tp_src field value in resulting ovs rules.

    This was fixed by alternative port masking
    implementation.

    Functional and unit tests to cover the bug added as well.

    Co-Authored-By: Jakub Libosvar <email address hidden>
    Co-Authored-By: IWAMOTO Toshihiro <email address hidden>

    Closes-Bug: #1611991

    Conflicts:
     neutron/common/utils.py
     neutron/tests/unit/common/test_utils.py

    (cherry-picked from 0494f212aa625a03587af3d75e823008f1198012)

    Change-Id: Idfc0e9c52e0dd08852c91c17e12edb034606a361

tags: added: in-stable-mitaka
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.openstack.org/376401
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=aa5985dff17957e0250a73787aff2d5e35307836
Submitter: Jenkins
Branch: master

commit aa5985dff17957e0250a73787aff2d5e35307836
Author: Jakub Libosvar <email address hidden>
Date: Mon Sep 26 07:03:36 2016 -0400

    Compare port_rule_masking() results with different approach

    This patch creates a test that generates port ranges and
    uses software diversity to compare the results.

    Change-Id: I77a76aa8288b505a0f083357f26a3bce23625897
    Related-bug: 1611991

tags: added: neutron-proactive-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/newton)

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/421958

tags: removed: neutron-proactive-backport-potential
tags: removed: mitaka-backport-potential
Jeremy Stanley (fungi)
information type: Public Security → Public
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/newton)

Reviewed: https://review.openstack.org/421958
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dfb55ba869d71374ee10e53ce9ab5dcc8831e49c
Submitter: Jenkins
Branch: stable/newton

commit dfb55ba869d71374ee10e53ce9ab5dcc8831e49c
Author: Jakub Libosvar <email address hidden>
Date: Mon Sep 26 07:03:36 2016 -0400

    Compare port_rule_masking() results with different approach

    This patch creates a test that generates port ranges and
    uses software diversity to compare the results.

    Conflicts:
     neutron/tests/unit/common/test_utils.py

    Change-Id: I77a76aa8288b505a0f083357f26a3bce23625897
    Related-bug: 1611991
    (cherry picked from commit aa5985dff17957e0250a73787aff2d5e35307836)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 8.4.0

This issue was fixed in the openstack/neutron 8.4.0 release.
