Comment 0 for bug 1813439

Revision history for this message
Guangyu Suo (yugsuo) wrote : an instance can see other instances' unicast packages when security group firewall_driver is openvswitch

We found that instances on the same host can see each other's unicast packets sent to instances on a different host if these instances are on the same subnet and the security group firewall_driver is openvswitch.

# How to reproduce

1. create 3 VMs on the same subnet (VLAN or VXLAN, it does not matter), call them vm1, vm2, vm3:

vm1: 192.168.100.3 (compute 1)
vm2: 192.168.100.12 (compute 1)
vm3: 192.168.100.17 (compute 2)

vm1 and vm2 are on the same host, while vm3 is on the other host.

2. ping vm3 from vm2

3. tcpdump eth0 on vm1; you will see that ICMP echo request packets from vm2 to vm3 are captured

# tcpdump -enni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:01:59.361792 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 4, length 64
09:02:00.361772 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 5, length 64
09:02:01.361785 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 6, length 64
09:02:02.361798 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 7, length 64

4. ping vm2 from vm3

5. tcpdump eth0 on vm1; you will see that ICMP echo reply packets from vm2 to vm3 are captured

# tcpdump -enni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:03:39.608748 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo reply, id 1144, seq 3, length 64
09:03:40.609475 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo reply, id 1144, seq 4, length 64
09:03:41.609444 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo reply, id 1144, seq 5, length 64

TCP/UDP packets have the same problem; this causes performance issues and a security problem in production. This does not happen when the security group firewall driver is iptables_hybrid or when port security is disabled.

# Versions

I am testing this on the N and R releases; both have the same problem. The R release neutron package versions are:

openstack-neutron-ml2-13.0.2-1.el7.noarch
openstack-neutron-openvswitch-13.0.2-1.el7.noarch
python2-neutronclient-6.9.1-1.el7.noarch
openstack-neutron-common-13.0.2-1.el7.noarch
openstack-neutron-fwaas-13.0.1-1.el7.noarch
openstack-neutron-13.0.2-1.el7.noarch
openstack-neutron-lbaas-13.0.0-1.el7.noarch
python2-neutron-lib-1.18.0-1.el7.noarch
python-neutron-lbaas-13.0.0-1.el7.noarch
python-neutron-13.0.2-1.el7.noarch
python-neutron-fwaas-13.0.1-1.el7.noarch

and the operating system and kernel are:

[root@node-30 ~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)

[root@node-30 ~]# uname -a
Linux node-30 3.10.0-862.9.1.el7.x86_64 #1 SMP Mon Jul 16 16:29:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

and the openvswitch version is:

openvswitch-2.9.0-3.el7.x86_64
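The reproduction above relies on eyeballing a tcpdump capture. The following script is an added example, not part of the bug report or of Neutron, that turns the same check into something you can run against a `tcpdump -enni` capture taken inside a guest: every frame whose destination MAC is neither the guest's own MAC nor a broadcast/multicast address is unicast traffic the port should never have delivered. The capture lines are constructed from the report's output plus one ARP broadcast and one frame addressed to vm1; vm1's MAC (`fa:16:3e:aa:bb:cc`) is an assumption, since the report does not give it.

```python
"""Flag unicast frames a guest interface should never have received.

A correctly isolated port delivers only frames addressed to the port's own
MAC plus broadcast/multicast. Any other unicast frame in the guest's capture
is traffic leaked from another port on the same bridge.
"""
import re
from collections import Counter

# Line shape produced by "tcpdump -enni <if>": timestamp, src MAC > dst MAC, rest.
_TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),\s+"
    r"(?P<rest>.*)$",
    re.IGNORECASE,
)


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of octet 0) set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def classify(line: str, local_mac: str):
    """Return (category, src, dst, rest) for one tcpdump line, or None for
    non-frame lines such as tcpdump's own banner."""
    m = _TCPDUMP_RE.match(line)
    if not m:
        return None
    src, dst = m["src"].lower(), m["dst"].lower()
    if dst == local_mac.lower():
        category = "own-unicast"
    elif is_group_address(dst):
        category = "group"
    else:
        category = "leaked-unicast"
    return category, src, dst, m["rest"]


def find_leaked(capture: str, local_mac: str):
    """Count frames per category and list the leaked unicast ones."""
    counts = Counter()
    leaked = []
    for line in capture.splitlines():
        parsed = classify(line, local_mac)
        if parsed is None:
            continue
        category, src, dst, rest = parsed
        counts[category] += 1
        if category == "leaked-unicast":
            leaked.append((src, dst, rest))
    return counts, leaked


# Assumption: vm1's MAC is not in the report, so a placeholder is used here.
VM1_MAC = "fa:16:3e:aa:bb:cc"

# Constructed sample: the report's vm2->vm3 ICMP lines as seen on vm1, plus an
# ARP broadcast and one frame genuinely addressed to vm1.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:01:59.361792 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 4, length 64
09:02:00.361772 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 5, length 64
09:02:05.000000 fa:16:3e:8e:49:5c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.100.1 tell 192.168.100.12, length 28
09:02:06.000000 fa:16:3e:8f:ca:a7 > fa:16:3e:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 192.168.100.17 > 192.168.100.3: ICMP echo request, id 2, seq 1, length 64
09:03:39.608748 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo reply, id 1144, seq 3, length 64
"""


if __name__ == "__main__":
    counts, leaked = find_leaked(SAMPLE_CAPTURE, VM1_MAC)
    print(dict(counts))
    for src, dst, rest in leaked:
        print(f"LEAKED {src} -> {dst}: {rest}")
```

On a healthy port `find_leaked` returns an empty leaked list; with the driver misbehaving as described, every vm2-to-vm3 frame lands in it. To watch live instead of post-processing a file, the equivalent BPF filter is `tcpdump -enni eth0 'not ether dst <vm1 mac> and not ether broadcast and not ether multicast'`, which should print nothing on an isolated port.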