iptables security group driver failed to apply when rule protocol is icmp/icmpv6 alias

Bug #1743552 reported by Hunt Xu
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Hunt Xu

Bug Description

* Summary
When a security group rule is created with protocol number 1, 58 or icmpv6 and port_range_min supplied as the ICMP type, the iptables security group driver will fail to apply the rules.

* Environment

devstack + openvswitch-agent + securitygroup firewall_driver=iptables-hybrid

* Step-by-step reproduction steps:
  1. Create a network and a subnet
  2. boot a VM in the network
  3. create a new security group rule as follows in the SG of the VM's port:
    - openstack security group rule create --ethertype IPv4 --icmp-type 8 --icmp-code 0 --protocol 1 --ingress <SG_ID>
    - openstack security group rule create --ethertype IPv6 --icmp-type 128 --icmp-code 0 --protocol 58 --ingress <SG_ID>
    - openstack security group rule create --ethertype IPv6 --icmp-type 128 --icmp-code 0 --protocol icmpv6 --ingress <SG_ID>
  4. check neutron-openvswitch-agent's LOG

* Expected output:
  - SG rules are successfully created and applied on the port without errors

* Actual output:
  - SG rules are successfully created
  - Errors in neutron-openvswitch-agent's LOG about iptables/ip6tables failed to apply
  - Wrong iptables/ip6tables rule is generated:
    - "Stderr: iptables-restore v1.6.1: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP"
    - -I neutron-openvswi-if1905f5e-9 5 -p icmp -m icmp -m multiport --dports 8:0 -j RETURN
    - -I neutron-openvswi-if1905f5e-9 8 -p ipv6-icmp -m icmp6 -m multiport --dports 128:0 -j RETURN

Hunt Xu (huntxu)
Changed in neutron:
assignee: nobody → Hunt Xu (huntxu)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/534263

Changed in neutron:
status: New → In Progress
Changed in neutron:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/534263
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0efe1aec185365d8bd7a14ec5b812132d0f9e44d
Submitter: Zuul
Branch: master

commit 0efe1aec185365d8bd7a14ec5b812132d0f9e44d
Author: Hunt Xu <email address hidden>
Date: Tue Jan 16 19:34:09 2018 +0800

    Fix _port_arg for security rules with icmp/ipv6-icmp aliases

    When a security group rule is created with icmp/ipv6-icmp alias such as
    protocol number 1 (ICMP), 58 (ICMPv6) or string icmpv6 (legacy name for
    ipv6-icmp) as its protocol along with ICMP/ICMPv6 message type
    specified, _port_arg will generate a wrong str for iptables/ip6tables.

    Change-Id: Iae01b9a0da34797a5f061a110f06e18be9bbec5a
    Closes-Bug: #1743552
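To make the failure described in the report and in the commit message above concrete, here is an added Python example (my own code, not Neutron's; the names `port_arg_buggy`, `port_arg_fixed` and `normalize_protocol` are assumptions) that builds the iptables/ip6tables port or type match arguments for a rule in the faulty shape and in the corrected shape. It assumes the driver convention the commit message states: for ICMP rules, port_range_min/port_range_max carry the message type and code.

```python
from typing import List, Optional

# Aliases iptables does not recognise as ICMP unless translated: IANA protocol
# numbers 1 and 58 and the legacy name "icmpv6" (the three cases in the report).
ICMP_ALIASES = {"1": "icmp", "58": "ipv6-icmp", "icmpv6": "ipv6-icmp"}


def normalize_protocol(protocol: Optional[str]) -> Optional[str]:
    """Map a rule's protocol value to the name iptables/ip6tables expects."""
    if protocol is None:
        return None
    proto = str(protocol).lower()
    return ICMP_ALIASES.get(proto, proto)


def _icmp_args(protocol: str, icmp_type: int, icmp_code: Optional[int]) -> List[str]:
    # For ICMP rules port_range_min/port_range_max carry the message type/code;
    # the match option is --icmp-type (icmp) or --icmpv6-type (icmp6), never multiport.
    option = "--icmp-type" if protocol == "icmp" else "--icmpv6-type"
    spec = str(icmp_type) if icmp_code is None else f"{icmp_type}/{icmp_code}"
    return [option, spec]


def _range_args(direction: str, port_min: int, port_max: int) -> List[str]:
    # TCP/UDP-style port handling: a single port, or a multiport range.
    if port_min == port_max:
        return [f"--{direction}", str(port_min)]
    return ["-m", "multiport", f"--{direction}s", f"{port_min}:{port_max}"]


def port_arg_buggy(direction, protocol, port_min, port_max) -> List[str]:
    """Faulty shape: the raw protocol value is compared, so "1", "58" and
    "icmpv6" fall through to the multiport branch and yield e.g. --dports 8:0."""
    if port_min is None:
        return []
    if protocol in ("icmp", "ipv6-icmp"):
        return _icmp_args(protocol, port_min, port_max)
    return _range_args(direction, port_min, port_max)


def port_arg_fixed(direction, protocol, port_min, port_max) -> List[str]:
    """Fixed shape: normalise the alias first, then branch on the canonical name."""
    if port_min is None:
        return []
    protocol = normalize_protocol(protocol)
    if protocol in ("icmp", "ipv6-icmp"):
        return _icmp_args(protocol, port_min, port_max)
    return _range_args(direction, port_min, port_max)
```

The buggy variant reproduces the `--dports 8:0` argument seen in the agent log for protocol 1 with type 8 and code 0, which iptables-restore rejects because multiport only applies to TCP, UDP, UDPLITE, SCTP and DCCP.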

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/535795

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/535796

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0b3

This issue was fixed in the openstack/neutron 12.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/535796
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d7863503fd2df2901f535aee7652e86e15421f95
Submitter: Zuul
Branch: stable/ocata

commit d7863503fd2df2901f535aee7652e86e15421f95
Author: Hunt Xu <email address hidden>
Date: Tue Jan 16 19:34:09 2018 +0800

    Fix _port_arg for security rules with icmp/ipv6-icmp aliases

    When a security group rule is created with icmp/ipv6-icmp alias such as
    protocol number 1 (ICMP), 58 (ICMPv6) or string icmpv6 (legacy name for
    ipv6-icmp) as its protocol along with ICMP/ICMPv6 message type
    specified, _port_arg will generate a wrong str for iptables/ip6tables.

    Change-Id: Iae01b9a0da34797a5f061a110f06e18be9bbec5a
    Closes-Bug: #1743552
    (cherry picked from commit 0efe1aec185365d8bd7a14ec5b812132d0f9e44d)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/535795
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f7207d49184f790378325411c6d7304e01db4f01
Submitter: Zuul
Branch: stable/pike

commit f7207d49184f790378325411c6d7304e01db4f01
Author: Hunt Xu <email address hidden>
Date: Tue Jan 16 19:34:09 2018 +0800

    Fix _port_arg for security rules with icmp/ipv6-icmp aliases

    When a security group rule is created with icmp/ipv6-icmp alias such as
    protocol number 1 (ICMP), 58 (ICMPv6) or string icmpv6 (legacy name for
    ipv6-icmp) as its protocol along with ICMP/ICMPv6 message type
    specified, _port_arg will generate a wrong str for iptables/ip6tables.

    Change-Id: Iae01b9a0da34797a5f061a110f06e18be9bbec5a
    Closes-Bug: #1743552
    (cherry picked from commit 0efe1aec185365d8bd7a14ec5b812132d0f9e44d)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.5

This issue was fixed in the openstack/neutron 10.0.5 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.3

This issue was fixed in the openstack/neutron 11.0.3 release.
