Security groups don't work for trunk ports with iptables_hybrid fw driver

Bug #1838760 reported by Slawek Kaplonski
Affects: neutron | Status: Won't Fix | Importance: High | Assigned to: Slawek Kaplonski | Milestone: (none)

Bug Description

When the iptables_hybrid firewall driver is used, security groups don't work for trunk ports, as vlan tagged packets on the qbr bridge aren't filtered by default at all.

I found it when I was trying to add new CI job https://review.opendev.org/#/c/670738/ and I noticed that this job is failing constantly on Queens release.

On Rocky and newer this new job is fine and the difference between those jobs is firewall_driver - since rocky we are using openvswitch fw driver instead of iptables_hybrid. I also confirmed locally that when I switched firewall driver to openvswitch, same test worked fine for me.

I did some debugging on the Queens release locally and it looks like the flag /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged should be set to 1 to make it possible to filter vlan tagged traffic in iptables, see https://ebtables.netfilter.org/documentation/bridge-nf.html for details.

But even if this knob is switched to "1", there are probably bigger changes required, as the vlan header belonging to those packets would have to be included in the iptables rules to match the proper packets.

My test was done on stable/queens branch of neutron but I'm pretty sure that the same issue exists still in master. We simply don't see it as we are testing it with openvswitch fw driver.

Tags: sg-fw trunk
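An added audit helper, not part of this bug report or of neutron's code, that applies the two conditions described above (firewall driver alias in the agent config, and the bridge-nf-filter-vlan-tagged knob) to classify whether trunk subport traffic on a host is filtered by security groups. The sample config and sysctl dump are constructed; treating a missing knob as 0 assumes the kernel default.

```python
# Added audit helper (not neutron's code): decide from an OVS-agent config and a
# sysctl dump whether security groups are enforced for trunk subport traffic.
import configparser

# Constructed sample inputs: a Queens-style agent config and a sysctl dump.
SAMPLE_AGENT_CONF = """\
[securitygroup]
enable_security_group = True
firewall_driver = iptables_hybrid
"""
SAMPLE_SYSCTL = "net.bridge.bridge-nf-filter-vlan-tagged = 0\n"

VLAN_KNOB = "net.bridge.bridge-nf-filter-vlan-tagged"


def firewall_driver(conf_text):
    """Return the [securitygroup] firewall_driver alias, or None if unset."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("securitygroup", "firewall_driver", fallback=None)


def sysctl_int(dump, key):
    """Extract an integer knob from `sysctl -a` style output (None if absent)."""
    for line in dump.splitlines():
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return int(v.strip())
    return None


def trunk_sg_status(conf_text, sysctl_dump):
    """Classify trunk subport filtering: 'enforced', 'bypassed' or 'unsupported'.

    openvswitch driver: subport traffic is filtered in OVS flows -> enforced.
    iptables_hybrid: with the vlan knob at 0 (kernel default, assumed when the
    knob is absent) bridge netfilter never sees tagged frames -> bypassed;
    with it at 1 the iptables rules still don't match the vlan header, so the
    combination is reported as unsupported rather than enforced.
    """
    driver = firewall_driver(conf_text)
    if driver == "openvswitch":
        return "enforced"
    if driver == "iptables_hybrid":
        knob = sysctl_int(sysctl_dump, VLAN_KNOB)
        return "bypassed" if knob in (None, 0) else "unsupported"
    return "unknown"
```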
Revision history for this message
Slawek Kaplonski (slaweq) wrote :

Security groups for trunk ports are not supported with the iptables_hybrid driver and that is a documented limitation.
According to our discussion on the neutron meeting, here is the plan for that:

1. update docs to write this info in more visible place(s) also,
2. fix tempest test to not run this part (or this test) on unsupported configuration,
3. try to do some more "in Your face" change as tidwellr proposed

Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
Revision history for this message
Bence Romsics (bence-romsics) wrote :

We have a change for (1): https://review.opendev.org/681250

IMHO (2) is not really possible since a tempest test by definition should not know which driver is loaded. Unless we want to control this from tempest config, which sounds quite ugly. So I don't see how we can do anything better than what Slawek already did here: https://opendev.org/openstack/neutron-tempest-plugin/src/commit/4e0a3d3913480691594ed28c23f11f281aebb0a5/.zuul.yaml#L444

(3) There's already something in place for this too: https://opendev.org/openstack/neutron/src/commit/aacc828131986aa8e79462ea793b953dbd678ac3/neutron/services/trunk/drivers/openvswitch/agent/driver.py#L86 Unless we do the "lot more work" referred to there to push this error into the trunk create response, we can't really do better.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-tempest-plugin (master)

Reviewed: https://review.opendev.org/683853
Committed: https://git.openstack.org/cgit/openstack/neutron-tempest-plugin/commit/?id=62329269af17ad188e7b53c85ee99225ee647982
Submitter: Zuul
Branch: master

commit 62329269af17ad188e7b53c85ee99225ee647982
Author: Slawek Kaplonski <email address hidden>
Date: Mon Sep 23 09:28:29 2019 +0200

    Disable scenario test for trunk subports connectivity on Queens

    On Queens release by default iptables-hybrid firewall driver is used.
    Using trunks with iptables-hybrid driver is not supported so we need
    to skip test
    neutron_tempest_plugin.scenario.test_trunk.TrunkTest.test_subport_connectivity
    on Queens jobs.

    Change-Id: Id212c35b71ca9e9af1ea546483c14fd597d895a8
    Related-Bug: #1838760

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/711879

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-tempest-plugin (master)

Reviewed: https://review.opendev.org/711879
Committed: https://git.openstack.org/cgit/openstack/neutron-tempest-plugin/commit/?id=188f06a316e940e9eed29108c8e17d7b5c323de4
Submitter: Zuul
Branch: master

commit 188f06a316e940e9eed29108c8e17d7b5c323de4
Author: Bernard Cafarelli <email address hidden>
Date: Mon Mar 9 10:14:07 2020 +0100

    Disable trunk subports connectivity test on Rocky iptables_hybrid job

    Recent Rocky backports fail
    neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-rocky job
    and as mentioned in linked bug, this is expected as using trunks with
    iptables-hybrid driver is not supported.

    Add the test to the job blacklist

    Change-Id: Iba083f66a4df8ecce23be07ec017d7dfc78406db
    Related-Bug: #1838760

Revision history for this message
Bence Romsics (bence-romsics) wrote :

I believe that, regarding this bug report, what could be done has been done. Other fixes are not going to happen, therefore I'm setting this to Won't Fix, to clean up the open bug list.

Changed in neutron:
status: Confirmed → Won't Fix