SG hybrid iptables driver and FWaaS OVS driver create overlapping conntrack zones

Bug #1745642 reported by chandan dutta chowdhury
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: chandan dutta chowdhury
Milestone:

Bug Description

SG with hybrid-iptables driver uses per port conntrack zones. FWaaS port security uses per network conntrack zones based on local vlans assigned by ovs l2 agent. In case both SG iptables-hybrid driver and FWaaS port security are enabled, there is a possibility of iptables-hybrid and OVS based FWaaS driver allocating overlapping zones and creating security holes.

affects: cinder → neutron
Changed in neutron:
assignee: nobody → chandan dutta chowdhury (chandanc)
Changed in neutron:
status: New → In Progress
Revision history for this message
Akihiro Motoki (amotoki) wrote :

hybrid iptables driver is common in clouds upgraded from older releases. IIRC, it prevents FWaaS v2 readiness in a number of existing deployments.

tags: added: fw ovs sg-fw
tags: added: fwaas
removed: fw
Changed in neutron:
importance: Undecided → High
milestone: none → queens-rc1
Akihiro Motoki (amotoki)
tags: added: needs-attention
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/538154
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9a620f6ea51f5696310283869e68f6a1d49164d1
Submitter: Zuul
Branch: master

commit 9a620f6ea51f5696310283869e68f6a1d49164d1
Author: Chandan Dutta Chowdhury <email address hidden>
Date: Fri Jan 26 05:23:16 2018 +0000

    This patch changes the CT zone allocation range

    SG with hybrid-iptables driver uses per port conntrack zones.
    FWaaS port security uses per network conntrack zones based on
    local vlans assigned by ovs l2 agent.

    In case both SG iptables-hybrid driver and FWaaS port security are enabled,
    there is a possibility of iptables-hybrid and OVS based FWaaS driver
    allocating overlapping zones and creating security holes.

    This patch changes the zone allocation range for iptables and
    hybrid_iptables driver to 4097 - 65535, while the OVS based
    port security driver can use zones based on the local vlan range 1 - 4096.

    Closes-Bug: #1745642
    Change-Id: I4d51637ed1de8fe85b4982a03410d4a3f637ea3f
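
The overlap the report and the fix describe can be checked mechanically. The following is an added example, not Neutron's own code: it models the two allocators (per-port zones for the iptables/hybrid_iptables driver, local-VLAN-derived zones for the OVS port security driver) and reports every conntrack zone that both drivers end up sharing. The 4097-65535 and 1-4096 ranges come from the commit message above; that the pre-fix iptables driver started handing out zones at 1, and that the OVS driver uses the local VLAN tag directly as the zone id, are assumptions made for the illustration. Port ids and VLAN tags are constructed sample data.

```python
"""Conntrack-zone overlap check for the two drivers named in bug #1745642.

Added example, not Neutron code. Assumptions (not stated on the bug page):
  - the pre-fix iptables/hybrid_iptables driver started allocating at zone 1;
  - the OVS FWaaS driver uses a port's local VLAN tag directly as its zone id.
Stated by the fix: iptables zones move to 4097-65535, OVS keeps 1-4096.
"""
from itertools import count

OVS_ZONE_MIN, OVS_ZONE_MAX = 1, 4096      # local VLAN range doubles as zone range
IPTABLES_ZONE_MIN_FIXED = 4097            # start of the iptables range after the fix
IPTABLES_ZONE_MIN_PREFIX = 1              # assumed pre-fix start
MAX_CONNTRACK_ZONE = 65535                # conntrack zone ids are 16-bit


def ranges_disjoint(a, b):
    """True when inclusive ranges a=(lo, hi) and b=(lo, hi) share no value."""
    return a[1] < b[0] or b[1] < a[0]


def allocate_iptables_zones(port_ids, zone_start):
    """Per-port zones: each port gets the next free id from zone_start."""
    free = count(zone_start)
    zones = {}
    for port in port_ids:
        zone = next(free)
        if zone > MAX_CONNTRACK_ZONE:
            raise RuntimeError("conntrack zone space exhausted")
        zones[port] = zone
    return zones


def allocate_ovs_zones(local_vlans):
    """Per-network zones: the OVS agent's local VLAN tag is the zone id."""
    zones = {}
    for net, vlan in local_vlans.items():
        if not OVS_ZONE_MIN <= vlan <= OVS_ZONE_MAX:
            raise ValueError(f"local vlan {vlan} outside {OVS_ZONE_MIN}-{OVS_ZONE_MAX}")
        zones[net] = vlan
    return zones


def overlapping_zones(sg_zones, fwaas_zones):
    """Return {zone: (port, network)} for every zone used by both drivers.

    A shared zone means both filters track state in the same conntrack
    table, so a flow one of them accepted looks ESTABLISHED to the other.
    """
    by_zone = {zone: net for net, zone in fwaas_zones.items()}
    return {zone: (port, by_zone[zone])
            for port, zone in sg_zones.items() if zone in by_zone}


# Constructed inventory: three SG-filtered ports, three networks with local VLANs.
PORTS = ["port-a", "port-b", "port-c"]
LOCAL_VLANS = {"net-1": 1, "net-2": 2, "net-3": 17}


def overlap_before_fix():
    sg = allocate_iptables_zones(PORTS, IPTABLES_ZONE_MIN_PREFIX)
    return overlapping_zones(sg, allocate_ovs_zones(LOCAL_VLANS))


def overlap_after_fix():
    sg = allocate_iptables_zones(PORTS, IPTABLES_ZONE_MIN_FIXED)
    return overlapping_zones(sg, allocate_ovs_zones(LOCAL_VLANS))


if __name__ == "__main__":
    print("before fix:", overlap_before_fix())   # zones 1 and 2 collide
    print("after fix: ", overlap_after_fix())    # {}
    print("ranges disjoint:", ranges_disjoint(
        (IPTABLES_ZONE_MIN_FIXED, MAX_CONNTRACK_ZONE), (OVS_ZONE_MIN, OVS_ZONE_MAX)))
```

The per-zone check is the operationally useful part: on a live node the same comparison can be run against the zone ids actually programmed by each driver, and any non-empty result means the two filters are sharing connection state. `ranges_disjoint` expresses the invariant the fix establishes, namely that the two allocators draw from ranges that cannot collide regardless of how many ports or networks exist.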

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0rc1

This issue was fixed in the openstack/neutron 12.0.0.0rc1 release candidate.

tags: added: neutron-proactive-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/577393

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/577394

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/577393
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a6ee16d72a11402d0b94ca8ed16410636ba74f48
Submitter: Zuul
Branch: stable/pike

commit a6ee16d72a11402d0b94ca8ed16410636ba74f48
Author: Chandan Dutta Chowdhury <email address hidden>
Date: Fri Jan 26 05:23:16 2018 +0000

    This patch changes the CT zone allocation range

    SG with hybrid-iptables driver uses per port conntrack zones.
    FWaaS port security uses per network conntrack zones based on
    local vlans assigned by ovs l2 agent.

    In case both SG iptables-hybrid driver and FWaaS port security are enabled,
    there is a possibility of iptables-hybrid and OVS based FWaaS driver
    allocating overlapping zones and creating security holes.

    This patch changes the zone allocation range for iptables and
    hybrid_iptables driver to 4097 - 65535, while the OVS based
    port security driver can use zones based on the local vlan range 1 - 4096.

    Closes-Bug: #1745642
    Change-Id: I4d51637ed1de8fe85b4982a03410d4a3f637ea3f
    (cherry picked from commit 9a620f6ea51f5696310283869e68f6a1d49164d1)

tags: added: in-stable-pike
tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/577394
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=732b49b00e83f72df24867723e8f3a61ab6583cb
Submitter: Zuul
Branch: stable/ocata

commit 732b49b00e83f72df24867723e8f3a61ab6583cb
Author: Chandan Dutta Chowdhury <email address hidden>
Date: Fri Jan 26 05:23:16 2018 +0000

    This patch changes the CT zone allocation range

    SG with hybrid-iptables driver uses per port conntrack zones.
    FWaaS port security uses per network conntrack zones based on
    local vlans assigned by ovs l2 agent.

    In case both SG iptables-hybrid driver and FWaaS port security are enabled,
    there is a possibility of iptables-hybrid and OVS based FWaaS driver
    allocating overlapping zones and creating security holes.

    This patch changes the zone allocation range for iptables and
    hybrid_iptables driver to 4097 - 65535, while the OVS based
    port security driver can use zones based on the local vlan range 1 - 4096.

    Closes-Bug: #1745642
    Change-Id: I4d51637ed1de8fe85b4982a03410d4a3f637ea3f
    (cherry picked from commit 9a620f6ea51f5696310283869e68f6a1d49164d1)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.6

This issue was fixed in the openstack/neutron 11.0.6 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron ocata-eol

This issue was fixed in the openstack/neutron ocata-eol release.
