Iptables firewall driver adds forward rules for trusted ports only in the ingress direction

Bug #1762736 reported by Nikita Gerasimov
Affects: neutron | Status: Fix Released | Importance: Undecided | Assigned to: Nikita Gerasimov

Bug Description

The iptables firewall driver adds forward rules for trusted ports only in the ingress direction.
But for normal operation of ports like "network:router_ha_interface", the egress direction is also required.

Version: queens
openstack-neutron-linuxbridge-12.0.1-1.el7.noarch

https://review.openstack.org/525607

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/560075

Changed in neutron:
assignee: nobody → Nikita Gerasimov (nikita-gerasimov)
status: New → In Progress
Slawek Kaplonski (slaweq) wrote :

Can you explain in more detail why there is a need to forward such egress traffic for ports like network:router_ha_interface?
Is it also necessary for any other type of "trusted" ports?

Nikita Gerasimov (nikita-gerasimov) wrote :

I need some time to investigate the current behavior, but it's pretty obvious.
network:router_ha_interface ports form the "HA network" for a tenant. If we allow only one direction, then keepalived will not receive heartbeats from peers and, as a consequence, all HA agents end up in the active state.

Slawek Kaplonski (slaweq) wrote :

Nikita: maybe you can then just add such rules for some specific ports (like router_ha_interface) or for some specific type of traffic only?

Nikita Gerasimov (nikita-gerasimov) wrote :

Unfortunately bug 1720205, or at least its origin, is not fixed at all. Yes, there could be a workaround for the HA net, but DHCP/DNS ports are unpredictable and depend on dynamic infrastructure.
With the current fix, servers still can communicate only with local agents.

### ifconfig -a
eth0 Link encap:Ethernet HWaddr FA:16:3E:13:1D:EB
          inet addr:192.168.100.11 Bcast:192.168.100.255 Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe13:1deb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:8950 Metric:1
          RX packets:93 errors:0 dropped:0 overruns:0 frame:0
          TX packets:133 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:13755 (13.4 KiB) TX bytes:12957 (12.6 KiB)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:112 (112.0 B) TX bytes:112 (112.0 B)

### route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.100.1 0.0.0.0 UG 0 0 0 eth0
169.254.169.254 192.168.100.2 255.255.255.255 UGH 0 0 0 eth0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
### cat /etc/resolv.conf
search openstacklocal
nameserver 192.168.100.3
nameserver 192.168.100.2
nameserver 192.168.100.4
### ping -c 5 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes

--- 192.168.100.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
### pinging nameservers
#### ping -c 5 192.168.100.3
PING 192.168.100.3 (192.168.100.3): 56 data bytes

--- 192.168.100.3 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
#### ping -c 5 192.168.100.2
PING 192.168.100.2 (192.168.100.2): 56 data bytes
64 bytes from 192.168.100.2: seq=0 ttl=64 time=0.352 ms
64 bytes from 192.168.100.2: seq=1 ttl=64 time=0.196 ms
64 bytes from 192.168.100.2: seq=2 ttl=64 time=0.153 ms
64 bytes from 192.168.100.2: seq=3 ttl=64 time=0.195 ms
64 bytes from 192.168.100.2: seq=4 ttl=64 time=0.137 ms

--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.137/0.206/0.352 ms
#### ping -c 5 192.168.100.4
PING 192.168.100.4 (192.168.100.4): 56 data bytes

--- 192.168.100.4 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
### uname -a
Linux cirros 3.2.0-80-virtual #116-Ubuntu SMP Mon Mar 23 17:28:52 UTC 2015 x86_64 GNU/Linux

So we really need to pass traffic in both directions. But for security reasons we have to check sg-chains before other rules.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/560075
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0b8bcc4d74187d4fdee26f6d57d72c70809ea70e
Submitter: Zuul
Branch: master

commit 0b8bcc4d74187d4fdee26f6d57d72c70809ea70e
Author: Nikita Gerasimov <email address hidden>
Date: Tue Apr 10 19:25:39 2018 +0300

    Adds egress and ingress forward rules for trusted ports

    Iptables firewall driver now adds rules for trusted ports to FORWARD
    chain in EGRESS and INGRESS directions.
    Unfiltered and trusted port rules are too wide. We have to match
    traffic against security groups first.

    Change-Id: I61e4dc92669e33a207adfb72a1692184884143e1
    Closes-Bug: #1762736

Changed in neutron:
status: In Progress → Fix Released
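
As an added illustration (not code from the bug report or from neutron) of the two properties raised in the thread and restated in the commit message, a trusted port needing FORWARD accept rules in both directions and the security-group jumps having to come before those wide accepts, here is a small audit over constructed iptables-save style rules. The chain names, tap device names and rule layout are assumptions.

```python
import re
from typing import List

# Constructed iptables-save style rules (not output from the bug report); chain
# and tap device names are assumptions, not copied from neutron.
SG_CHAIN = "neutron-linuxbri-sg-chain"
FWD = "-A neutron-linuxbri-FORWARD -m physdev --physdev-{d} {dev} --physdev-is-bridged -j {t}"


def rule(direction: str, dev: str, target: str) -> str:
    return FWD.format(d=direction, dev=dev, t=target)


SG_OUT = rule("out", "tapvm1", SG_CHAIN)       # filtered port, ingress -> sg-chain
SG_IN = rule("in", "tapvm1", SG_CHAIN)         # filtered port, egress -> sg-chain
HA_INGRESS = rule("out", "tapha1", "ACCEPT")   # --physdev-out: traffic into the trusted port
HA_EGRESS = rule("in", "tapha1", "ACCEPT")     # --physdev-in: traffic out of the trusted port
BUGGY_RULES = "\n".join([SG_OUT, SG_IN, HA_INGRESS])               # ingress-only, as reported
FIXED_RULES = "\n".join([SG_OUT, SG_IN, HA_INGRESS, HA_EGRESS])    # both directions, as fixed
MISORDERED_RULES = "\n".join([HA_INGRESS, HA_EGRESS, SG_OUT, SG_IN])  # wide accepts first

RULE_RE = re.compile(r"^-A \S+ .*--physdev-(?P<dir>in|out) (?P<dev>\S+) .*-j (?P<target>\S+)$")


def audit_forward_rules(rules: str, trusted: List[str], sg_chain: str = SG_CHAIN) -> List[str]:
    """Return findings for the two properties discussed in the thread; [] when consistent."""
    findings: List[str] = []
    seen = {dev: set() for dev in trusted}
    last_sg_jump, first_trusted_accept = -1, None
    for idx, line in enumerate(rules.splitlines()):
        m = RULE_RE.match(line)
        if not m:
            continue
        if m["target"] == sg_chain:
            last_sg_jump = idx
        elif m["target"] == "ACCEPT" and m["dev"] in seen:
            seen[m["dev"]].add(m["dir"])
            if first_trusted_accept is None:
                first_trusted_accept = idx
    for dev, dirs in seen.items():
        if "out" not in dirs:
            findings.append(f"{dev}: no ingress (--physdev-out) ACCEPT rule")
        if "in" not in dirs:
            findings.append(f"{dev}: no egress (--physdev-in) ACCEPT rule")
    if first_trusted_accept is not None and last_sg_jump > first_trusted_accept:
        findings.append("trusted-port ACCEPT precedes a security-group jump: sg-chain must be matched first")
    return findings


if __name__ == "__main__":
    for name, text in [("buggy", BUGGY_RULES), ("fixed", FIXED_RULES), ("misordered", MISORDERED_RULES)]:
        print(name, audit_forward_rules(text, ["tapha1"]) or "OK")
```

The same check can be run over real `iptables-save` output by passing its text and the list of trusted tap devices; the ordering finding is the one that matters for security, since a trusted ACCEPT placed before the sg-chain jumps lets bridged traffic bypass another port's security groups.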
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/568907

tags: added: neutron-proactive-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.0.0b2

This issue was fixed in the openstack/neutron 13.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.openstack.org/568907
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=143d6ce67bf29413dc3fe159d5a682df553b5b07
Submitter: Zuul
Branch: stable/queens

commit 143d6ce67bf29413dc3fe159d5a682df553b5b07
Author: Nikita Gerasimov <email address hidden>
Date: Tue Apr 10 19:25:39 2018 +0300

    Adds egress and ingress forward rules for trusted ports

    Iptables firewall driver now adds rules for trusted ports to FORWARD
    chain in EGRESS and INGRESS directions.
    Unfiltered and trusted port rules are too wide. We have to match
    traffic against security groups first.

    Change-Id: I61e4dc92669e33a207adfb72a1692184884143e1
    Closes-Bug: #1762736

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.4

This issue was fixed in the openstack/neutron 12.0.4 release.
