neutron

SG hybrid iptables driver and FWaaS OVS driver create overlapping conntrack zones

Bug #1745642 reported by chandan dutta chowdhury on 2018-01-26

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	High	chandan dutta chowdhury	neutron queens-rc1

Bug Description

SG with hybrid-iptables driver uses per port conntrack zones. FWaaS port security uses per network conntrack zones based on local vlans assigned by ovs l2 agent. In case both SG iptables-hybrid driver and FWaaS port security is enabled, there is a posibility of iptables-hybrid and OVS based FWaaS driver allocating overlapping zone and creating security holes.

Tags:

chandan dutta chowdhury (chandanc) on 2018-01-26

affects:	cinder → neutron
Changed in neutron:
assignee:	nobody → chandan dutta chowdhury (chandanc)

OpenStack Infra (hudson-openstack) on 2018-01-26

Changed in neutron:
status:	New → In Progress

Revision history for this message

Akihiro Motoki (amotoki) wrote on 2018-01-30:

hybrid iptables driver is common in clouds upgraded from older releases. IIRC, it prevents FWaaS v2 readiness in a number of existing deployments.

tags:	added: fw ovs sg-fw
tags:	added: fwaas removed: fw
Changed in neutron:
importance:	Undecided → High
milestone:	none → queens-rc1

Akihiro Motoki (amotoki) on 2018-01-30

tags:

added: needs-attention

Revision history for this message

Akihiro Motoki (amotoki) wrote on 2018-01-30:

https://review.openstack.org/#/c/538154/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-01: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/538154
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9a620f6ea51f5696310283869e68f6a1d49164d1
Submitter: Zuul
Branch: master

commit 9a620f6ea51f5696310283869e68f6a1d49164d1
Author: Chandan Dutta Chowdhury <email address hidden>
Date: Fri Jan 26 05:23:16 2018 +0000

This patch changes the CT zone allocation range

    SG with hybrid-iptables driver uses per port conntrack zones.
    FWaaS port security uses per network conntrack zones based on
    local vlans assigned by ovs l2 agent.

    In case both SG iptables-hybrid driver and FWaaS port security is enabled,
    there is a posibility of iptables-hybrid and OVS based FWaaS driver
    allocating overlapping zone and creating security holes.

    This patch changes the zone allocation range for iptables and
    hybrid_iptables driver to 4097 - 65535. While OVS based
    port security driver can use zones based on local vlan range 1 - 4096

Closes-Bug: #1745642
Change-Id: I4d51637ed1de8fe85b4982a03410d4a3f637ea3f

Changed in neutron:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-09: Fix included in openstack/neutron 12.0.0.0rc1

This issue was fixed in the openstack/neutron 12.0.0.0rc1 release candidate.

Bernard Cafarelli (bcafarel) on 2018-05-31

tags:

added: neutron-proactive-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-22: Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/577393

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-22: Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/577394

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-25: Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/577393
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a6ee16d72a11402d0b94ca8ed16410636ba74f48
Submitter: Zuul
Branch: stable/pike

commit a6ee16d72a11402d0b94ca8ed16410636ba74f48
Author: Chandan Dutta Chowdhury <email address hidden>
Date: Fri Jan 26 05:23:16 2018 +0000

This patch changes the CT zone allocation range

    SG with hybrid-iptables driver uses per port conntrack zones.
    FWaaS port security uses per network conntrack zones based on
    local vlans assigned by ovs l2 agent.

    This patch changes the zone allocation range for iptables and
    hybrid_iptables driver to 4097 - 65535. While OVS based
    port security driver can use zones based on local vlan range 1 - 4096

    Closes-Bug: #1745642
    Change-Id: I4d51637ed1de8fe85b4982a03410d4a3f637ea3f
    (cherry picked from commit 9a620f6ea51f5696310283869e68f6a1d49164d1)

tags:	added: in-stable-pike
tags:	added: in-stable-ocata

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-25: Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/577394
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=732b49b00e83f72df24867723e8f3a61ab6583cb
Submitter: Zuul
Branch: stable/ocata

commit 732b49b00e83f72df24867723e8f3a61ab6583cb
Author: Chandan Dutta Chowdhury <email address hidden>
Date: Fri Jan 26 05:23:16 2018 +0000

This patch changes the CT zone allocation range

    SG with hybrid-iptables driver uses per port conntrack zones.
    FWaaS port security uses per network conntrack zones based on
    local vlans assigned by ovs l2 agent.

    This patch changes the zone allocation range for iptables and
    hybrid_iptables driver to 4097 - 65535. While OVS based
    port security driver can use zones based on local vlan range 1 - 4096

    Closes-Bug: #1745642
    Change-Id: I4d51637ed1de8fe85b4982a03410d4a3f637ea3f
    (cherry picked from commit 9a620f6ea51f5696310283869e68f6a1d49164d1)