iptables security group driver failed to apply when rule protocol is icmp/icmpv6 alias

Bug #1743552 reported by Hunt Xu
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Hunt Xu
Milestone: (none listed)

Bug Description

* Summary
When a security group rule is created with protocol number 1, 58 or icmpv6, with port_range_min supplied as the icmp-type, the iptables security group driver will fail to apply the rules.

* Environment

devstack + openvswitch-agent + securitygroup firewall_driver=iptables-hybrid

* Step-by-step reproduction steps:
  1. Create a network and a subnet
  2. boot a VM in the network
  3. create a new security group rule as follows in the SG of the VM's port:
    - openstack security group rule create --ethertype IPv4 --icmp-type 8 --icmp-code 0 --protocol 1 --ingress <SG_ID>
    - openstack security group rule create --ethertype IPv6 --icmp-type 128 --icmp-code 0 --protocol 58 --ingress <SG_ID>
    - openstack security group rule create --ethertype IPv6 --icmp-type 128 --icmp-code 0 --protocol icmpv6 --ingress <SG_ID>
  4. check neutron-openvswitch-agent's LOG

* Expected output:
  - SG rules are successfully created and applied on the port without errors

* Actual output:
  - SG rules are successfully created
  - Errors in neutron-openvswitch-agent's LOG about iptables/ip6tables failing to apply
  - Wrong iptables/ip6tables rule is generated:
    - "Stderr: iptables-restore v1.6.1: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP"
    - -I neutron-openvswi-if1905f5e-9 5 -p icmp -m icmp -m multiport --dports 8:0 -j RETURN
    - -I neutron-openvswi-if1905f5e-9 8 -p ipv6-icmp -m icmp6 -m multiport --dports 128:0 -j RETURN
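The failure above comes from the port-argument builder treating the numeric and legacy ICMP protocol aliases as an ordinary port-bearing protocol, so it emits `-m multiport --dports 8:0` (type:code) instead of an ICMP type match. The following Python is an added illustration written for this page, not neutron's own `_port_arg` code: it shows the unnormalised behaviour that reproduces the reported rule beside the normalised version, plus a check that flags the combination iptables-restore rejects. All function names (`normalize_protocol`, `port_args`, `buggy_port_args`, `rule_args`, `check_rule_args`) and the alias table are assumptions, and the chain name reused from the report is only a sample.

```python
# Added illustration (not neutron's code): building iptables match arguments
# for a security-group rule, and why ICMP protocol aliases must be normalised
# before deciding between an ICMP type match and a port/multiport match.

# Aliases that all mean ICMP or ICMPv6. 1 and 58 are the IANA protocol
# numbers; "icmpv6" is the legacy name for what iptables calls "ipv6-icmp".
ICMP_ALIASES = {
    "icmp": "icmp", "1": "icmp",
    "ipv6-icmp": "ipv6-icmp", "icmpv6": "ipv6-icmp", "58": "ipv6-icmp",
}

# iptables match module and type option for each canonical ICMP name.
ICMP_MATCH = {"icmp": ("icmp", "--icmp-type"),
              "ipv6-icmp": ("icmp6", "--icmpv6-type")}

# Protocols for which "-m multiport" is valid, per the iptables error text.
MULTIPORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp", "dccp"}


def normalize_protocol(protocol):
    """Map numeric/legacy ICMP aliases to the name iptables understands."""
    if protocol is None:
        return None
    proto = str(protocol).lower()
    return ICMP_ALIASES.get(proto, proto)


def protocol_args(protocol):
    """'-p <proto>' plus the ICMP match module where one is needed."""
    proto = normalize_protocol(protocol)
    if proto in ICMP_MATCH:
        return ["-p", proto, "-m", ICMP_MATCH[proto][0]]
    return ["-p", proto] if proto else []


def _port_args(direction, proto, port_range_min, port_range_max):
    """Shared builder; 'proto' is used exactly as given (no alias handling).

    For ICMP/ICMPv6 rules the neutron API stores the message type in
    port_range_min and the code in port_range_max, as in the report.
    """
    if port_range_min is None:
        return []
    if proto in ICMP_MATCH:
        value = str(port_range_min)
        # Code 0 is a legitimate value, so test for None, not truthiness.
        if port_range_max is not None:
            value += "/%s" % port_range_max
        return [ICMP_MATCH[proto][1], value]
    if port_range_min == port_range_max:
        return ["--%s" % direction, str(port_range_min)]
    return ["-m", "multiport", "--%ss" % direction,
            "%s:%s" % (port_range_min, port_range_max)]


def buggy_port_args(direction, protocol, port_range_min, port_range_max):
    """Compares the raw protocol string: '1', '58' and 'icmpv6' fall
    through to the port branch, reproducing the rejected rule."""
    return _port_args(direction, protocol, port_range_min, port_range_max)


def port_args(direction, protocol, port_range_min, port_range_max):
    """Normalises the alias first, so every ICMP spelling takes the
    ICMP type/code branch."""
    return _port_args(direction, normalize_protocol(protocol),
                      port_range_min, port_range_max)


def rule_args(chain, protocol, port_range_min, port_range_max, fixed=True):
    """Assemble a full ingress rule for the given chain (sample name)."""
    builder = port_args if fixed else buggy_port_args
    return (["-I", chain] + protocol_args(protocol)
            + builder("dport", protocol, port_range_min, port_range_max)
            + ["-j", "RETURN"])


def check_rule_args(args):
    """Return the problem iptables-restore would report, or None.

    This is the pre-apply check a driver could run on generated rules so a
    bad alias mapping is caught before the whole restore batch fails.
    """
    proto = args[args.index("-p") + 1] if "-p" in args else None
    if "multiport" in args and proto not in MULTIPORT_PROTOCOLS:
        return "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP"
    return None


if __name__ == "__main__":
    chain = "neutron-openvswi-if1905f5e-9"  # sample chain from the report
    for proto, ptype, pcode in (("1", 8, 0), ("58", 128, 0), ("icmpv6", 128, 0)):
        bad = rule_args(chain, proto, ptype, pcode, fixed=False)
        good = rule_args(chain, proto, ptype, pcode)
        print("unnormalised:", " ".join(bad), "->", check_rule_args(bad))
        print("normalised:  ", " ".join(good), "->", check_rule_args(good))
```

The two builders differ only in whether the alias is resolved before the branch is chosen; the `-p icmp -m icmp` prefix is already correct in the reported output because the protocol argument was normalised while the port argument was not, which is exactly the mismatch `check_rule_args` looks for.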

Hunt Xu (huntxu)
Changed in neutron:
assignee: nobody → Hunt Xu (huntxu)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/534263

Changed in neutron:
status: New → In Progress
Changed in neutron:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/534263
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0efe1aec185365d8bd7a14ec5b812132d0f9e44d
Submitter: Zuul
Branch: master

commit 0efe1aec185365d8bd7a14ec5b812132d0f9e44d
Author: Hunt Xu <email address hidden>
Date: Tue Jan 16 19:34:09 2018 +0800

    Fix _port_arg for security rules with icmp/ipv6-icmp aliases

    When a security group rule is created with icmp/ipv6-icmp alias such as
    protocol number 1(ICMP), 58(ICMPv6) or string icmpv6(legacy name for
    ipv6-icmp) as its protocol along with ICMP/ICMPv6 message type
    specified, _port_arg will generate a wrong str for iptables/ip6tables.

    Change-Id: Iae01b9a0da34797a5f061a110f06e18be9bbec5a
    Closes-Bug: #1743552

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/535795

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/535796

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0b3

This issue was fixed in the openstack/neutron 12.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/535796
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d7863503fd2df2901f535aee7652e86e15421f95
Submitter: Zuul
Branch: stable/ocata

commit d7863503fd2df2901f535aee7652e86e15421f95
Author: Hunt Xu <email address hidden>
Date: Tue Jan 16 19:34:09 2018 +0800

    Fix _port_arg for security rules with icmp/ipv6-icmp aliases

    When a security group rule is created with icmp/ipv6-icmp alias such as
    protocol number 1(ICMP), 58(ICMPv6) or string icmpv6(legacy name for
    ipv6-icmp) as its protocol along with ICMP/ICMPv6 message type
    specified, _port_arg will generate a wrong str for iptables/ip6tables.

    Change-Id: Iae01b9a0da34797a5f061a110f06e18be9bbec5a
    Closes-Bug: #1743552
    (cherry picked from commit 0efe1aec185365d8bd7a14ec5b812132d0f9e44d)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/535795
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f7207d49184f790378325411c6d7304e01db4f01
Submitter: Zuul
Branch: stable/pike

commit f7207d49184f790378325411c6d7304e01db4f01
Author: Hunt Xu <email address hidden>
Date: Tue Jan 16 19:34:09 2018 +0800

    Fix _port_arg for security rules with icmp/ipv6-icmp aliases

    When a security group rule is created with icmp/ipv6-icmp alias such as
    protocol number 1(ICMP), 58(ICMPv6) or string icmpv6(legacy name for
    ipv6-icmp) as its protocol along with ICMP/ICMPv6 message type
    specified, _port_arg will generate a wrong str for iptables/ip6tables.

    Change-Id: Iae01b9a0da34797a5f061a110f06e18be9bbec5a
    Closes-Bug: #1743552
    (cherry picked from commit 0efe1aec185365d8bd7a14ec5b812132d0f9e44d)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.5

This issue was fixed in the openstack/neutron 10.0.5 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.3

This issue was fixed in the openstack/neutron 11.0.3 release.
