[FWaaS] Firewall rule for fip's DNAT traffic, destination address should be this fip

Bug #1799885 reported by Wang Weijia
Affects: neutron | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug description:
When we write a firewall group rule which limits a fip's DNAT traffic, for example when we want to accept the traffic into a VM bound to a fip, the rule's destination address currently has to be the VM's intranet IP address (not the fip's IP address).
However, if we associate this fip with another VM, the previous firewall group rule will be wrong, because we just want to restrict the traffic into this fip. We have to change the firewall group rule's destination address to the other VM's intranet IP.
So every time we change the fip association, we have to change the firewall group rule's destination address.

Analysis:
Iptables processes DNAT in the PREROUTING chain of the nat table, which is processed before the FORWARD chain of the filter table.
So if we write a firewall rule to limit a fip's DNAT traffic, the destination address must be an intranet IP.
Essentially, if we want to write a firewall group rule to limit an IP's DNAT traffic, we can only limit an intranet IP address, not a fip's IP address.

Scenario:
We want to accept the traffic to port 80 of a fip (166.166.166.5):
1. Associate a fip 166.166.166.5 with a VM (intranet IP: 192.168.1.10)
2. Create a firewall group, policy and rule
3. Associate the fwg with the router (0cbd237f-358a-4c27-8047-c50e1f7201e7)

[root@vm ~]# openstack firewall group rule show 055af78e-ef12-4225-8236-8ef703026aad
+------------------------+-------------------------------------------+
| Field | Value |
+------------------------+-------------------------------------------+
| Action | allow |
| Description | |
| Destination IP Address | 192.168.1.10 |
| Destination Port | 80 |
| Enabled | True |
| ID | 055af78e-ef12-4225-8236-8ef703026aad |
| IP Version | 4 |
| Name | in-192.168.1.10-80-allow |
| Project | 9355437b66f64e8999e30978a7b3c33c |
| Protocol | tcp |
| Shared | False |
| Source IP Address | None |
| Source Port | None |
| firewall_policy_id | [u'3996f090-8e8d-48c5-a3de-4ba2c88ff935'] |
| project_id | 9355437b66f64e8999e30978a7b3c33c |
+------------------------+-------------------------------------------+
# 3996f090-8e8d-48c5-a3de-4ba2c88ff935 is the ingress policy

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-iv4deb36e9f -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -t nat -S
-A neutron-l3-agent-PREROUTING -d 166.166.166.5/32 -j DNAT --to-destination 192.168.1.10

4. Associate the fip 166.166.166.5 with another VM (intranet IP: 192.168.1.11)

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -S
-A neutron-l3-agent-iv4deb36e9f -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT

[root@vm ~]# ip netns exec snat-0cbd237f-358a-4c27-8047-c50e1f7201e7 iptables -t nat -S
-A neutron-l3-agent-PREROUTING -d 166.166.166.5/32 -j DNAT --to-destination 192.168.1.11

5. This firewall rule loses efficacy.

Tags: fwaas
Armando Migliaccio (armando-migliaccio) wrote :

Thanks for the report and the steps to repro. Can you share config details and versions which experience the issue?

tags: added: fwaas
Changed in neutron:
status: New → Incomplete
Wang Weijia (wangweij) wrote :

In fact, whatever environment you use, this bug will occur if you associate a fip with a VM and use a limiting firewall rule for this fip.

This is my environment (DVR+HA):
1. controller node's neutron.conf config file:
[DEFAULT]
service_plugins = firewall_v2

2. network node and compute node's l3_agent.ini config:
[agent]
extensions = fwaas_v2
[fwaas]
agent_version = v2
driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
enabled = True

version: master

Wang Weijia (wangweij) wrote :

I have fixed it by marking packets DNATed to this fip.
I added some chains to iptables' mangle table; I will commit it after the previous patch is merged. The unit testing code has some dependencies.
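The ordering argument in the analysis above (DNAT in nat PREROUTING runs before filter FORWARD) and the mark-based workaround sketched in this comment, as an added model that is not part of the bug report or of Neutron's code: chain names, the mark value and the rule layout are assumptions for illustration only.

```python
# Added example (not from the bug report): a minimal model of the netfilter
# traversal order for forwarded traffic in the router namespace. It shows why
# a filter rule naming the fip address never matches after DNAT, and why a
# mark set before DNAT survives the rewrite. Names and the mark value are assumed.

FIP = "166.166.166.5"
FIP_MARK = 0x5  # constructed mark value, not Neutron's

def match(rule, pkt):
    """A rule matches if every criterion it states agrees with the packet."""
    return all(pkt.get(k) == v for k, v in rule.get("match", {}).items())

def run_chain(rules, pkt):
    """Walk one chain; return (verdict, pkt). verdict None = fell through."""
    for rule in rules:
        if not match(rule, pkt):
            continue
        target, arg = rule["target"]
        if target == "DNAT":            # nat PREROUTING rewrites the destination
            pkt = dict(pkt, dst=arg)
        elif target == "MARK":          # mangle PREROUTING tags the packet, non-terminating
            pkt = dict(pkt, mark=arg)
        else:                           # ACCEPT / DROP terminate the chain
            return target, pkt
    return None, pkt

def forward(ruleset, pkt):
    """mangle PREROUTING -> nat PREROUTING -> filter FORWARD (default DROP)."""
    _, pkt = run_chain(ruleset.get("mangle_prerouting", []), pkt)
    _, pkt = run_chain(ruleset.get("nat_prerouting", []), pkt)
    verdict, pkt = run_chain(ruleset["filter_forward"], pkt)
    return verdict or "DROP"

def dnat_rule(internal_ip):
    return {"match": {"dst": FIP}, "target": ("DNAT", internal_ip)}

# Ruleset as in the report: the filter rule has to name the VM's intranet IP.
def address_ruleset(rule_dst, current_vm):
    return {"nat_prerouting": [dnat_rule(current_vm)],
            "filter_forward": [{"match": {"dst": rule_dst, "proto": "tcp", "dport": 80},
                                "target": ("ACCEPT", None)}]}

# Mark-based alternative (assumed shape of the approach sketched in the comment).
def mark_ruleset(current_vm):
    return {"mangle_prerouting": [{"match": {"dst": FIP}, "target": ("MARK", FIP_MARK)}],
            "nat_prerouting": [dnat_rule(current_vm)],
            "filter_forward": [{"match": {"mark": FIP_MARK, "proto": "tcp", "dport": 80},
                                "target": ("ACCEPT", None)}]}

PKT = {"dst": FIP, "proto": "tcp", "dport": 80}  # constructed inbound packet to the fip
```

With the address-based ruleset the accept stops working as soon as the DNAT target changes from 192.168.1.10 to 192.168.1.11, while the mark-based ruleset keeps matching because the mark is keyed on the fip before the rewrite.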

Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired