Security groups don't work for trunk ports with iptables_hybrid fw driver
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Won't Fix | High | Slawek Kaplonski | |
Bug Description
When the iptables_hybrid firewall driver is used, security groups don't work for trunk ports, as vlan tagged packets on the qbr bridge aren't filtered by default at all.
I found it when I was trying to add a new CI job https:/
On Rocky and newer this new job is fine, and the difference between those jobs is firewall_driver - since Rocky we are using the openvswitch fw driver instead of iptables_hybrid. I also confirmed locally that when I switched the firewall driver to openvswitch, the same test worked fine for me.
I did some debugging on the Queens release locally and it looks like the flag /proc/sys/
But even if this knob is switched to "1", there are probably bigger changes required, as the vlan header which belongs to those packets should be included in the iptables rules to match on the proper packets.
My test was done on stable/queens branch of neutron but I'm pretty sure that the same issue exists still in master. We simply don't see it as we are testing it with openvswitch fw driver.
Some info about how this could be configured is also on https://stackoverflow.com/questions/40474073/filtering-out-vlan-tagged-packets-on-linux-bridge
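An added host check, not part of the bug report or of neutron, that reports whether VLAN-tagged frames crossing a Linux bridge such as a qbr-* bridge are handed to iptables at all. It assumes the knob the report refers to is the br_netfilter sysctl bridge-nf-filter-vlan-tagged (alongside bridge-nf-call-iptables), which is my reading of the truncated path above; it does not inspect rule contents, which the report says would also need VLAN matching.

```shell
#!/bin/sh
# Audit the br_netfilter knobs that decide whether frames forwarded by a Linux
# bridge (e.g. a Neutron qbr-* bridge) traverse iptables.  The sysctl directory
# is a parameter (default /proc/sys/net/bridge) so the check can be run against
# a copied tree, which is also how the test exercises it.
#
# Exit status: 0 = tagged and untagged frames both reach iptables,
#              1 = tagged frames (trunk subport traffic) bypass iptables,
#              2 = br_netfilter not loaded, no bridged frame reaches iptables.

read_knob() {
    # Print the knob value without whitespace, or "absent" if the file is missing.
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        printf 'absent'
    fi
}

audit_bridge_nf() {
    sysdir="${1:-/proc/sys/net/bridge}"
    call_ipt=$(read_knob "$sysdir" bridge-nf-call-iptables)
    vlan_tagged=$(read_knob "$sysdir" bridge-nf-filter-vlan-tagged)

    if [ "$call_ipt" = absent ]; then
        echo "br_netfilter not loaded: no bridged traffic traverses iptables"
        return 2
    fi
    if [ "$call_ipt" != 1 ]; then
        echo "bridge-nf-call-iptables=$call_ipt: bridged traffic skips iptables"
        return 1
    fi
    if [ "$vlan_tagged" != 1 ]; then
        echo "bridge-nf-filter-vlan-tagged=$vlan_tagged: untagged frames are" \
             "filtered, VLAN-tagged (trunk subport) frames are not"
        return 1
    fi
    echo "tagged and untagged bridged frames both traverse iptables"
    return 0
}
```

Source the file and call `audit_bridge_nf` on a compute node, optionally passing a directory; a non-zero status on a host carrying trunk ports with iptables_hybrid means the security group rules are not seeing subport traffic.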