Port is reported with 'port_security_enabled=True' without port-security extension

Bug #1863206 reported by Yang Youseok
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | Invalid | Undecided | Unassigned |

Bug Description

By default, if the admin does not enable the 'port_security' extension, all ports are shown with 'port_security_enabled=False'.

However, the L2 agent gets ports which have 'port_security_enabled=True' incorrectly, because if there is no attribute in the port object the plugin returns the wrong default value (https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/rpc.py#L162)

I think if there is no attribute 'port_security_enabled', we have to get False by default.

Thanks.

Akihiro Motoki (amotoki) wrote :

The 'port_security' extension was implemented so that users can disable port_security completely. If the extension is disabled, the design is that port_security is applied to neutron ports.

> By default, if the admin does not enable the 'port_security' extension, all ports are shown with 'port_security_enabled=False'.

By design, all ports should be considered as neutron ports whose port security is enabled.

> However, the L2 agent gets ports which have 'port_security_enabled=True' incorrectly, because if there is no attribute in the port object the plugin returns the wrong default value (https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/rpc.py#L162)

port_security=True is by design when the port security extension is disabled.

> I think if there is no attribute 'port_security_enabled', we have to get False by default.

As I explained above, it is by design. Is there any other issue?

Changed in neutron:
status: New → Incomplete
Yang Youseok (ileixe) wrote :

@Akihiro

Thanks Motoki, I did not know it's enabled by default without extension.

If so, I think 'port/network show' should not return the attribute 'port_security_enabled=False' without the extension.

Now, the commands do return the 'false' value because openstacksdk has a default value of 'false'. Maybe openstacksdk should be fixed for this issue.

By the way, I reported this bug because of a critical ebtables bug (https://lore.kernel.org/patchwork/patch/834743/) which makes our kernel keep crashing, so I was trying to find a way to disable ebtables.

Current Neutron also runs the ebtables binary to clean up the remaining rules even without extensions. Is it possible to completely ignore ebtables if the user does not turn on extensions?

Akihiro Motoki (amotoki) wrote :

> Thanks Motoki, I did not know it's enabled by default without extension.
>
> If so, I think 'port/network show' should not return the attribute 'port_security_enabled=False' without the extension.
>
> Now, the commands do return the 'false' value because openstacksdk has a default value of 'false'. Maybe openstacksdk should be fixed for this issue.

I believe it is a topic in openstacksdk.
Could you file a bug on openstacksdk?

> By the way, I reported this bug because of a critical ebtables bug (https://lore.kernel.org/patchwork/patch/834743/) which makes our kernel keep crashing, so I was trying to find a way to disable ebtables.
>
> Current Neutron also runs the ebtables binary to clean up the remaining rules even without extensions. Is it possible to completely ignore ebtables if the user does not turn on extensions?

It looks unrelated to this bug. A bug should be used for a single issue. If you think it is a bug, please file a new bug.

Akihiro Motoki (amotoki) wrote :

It is not a bug in neutron.

Changed in neutron:
status: Incomplete → Invalid
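
Added example, not part of the bug thread and not neutron or openstacksdk code: a small Python model of the two defaults discussed above (the server side treating a missing 'port_security_enabled' as True, a client filling the missing attribute with False), used to list ports whose displayed value differs from what is enforced. The helper names, the sample ports and the 'port-security' alias constant are assumptions made for this illustration.

```python
PSEC = "port_security_enabled"
PSEC_ALIAS = "port-security"  # assumed API alias of the extension


def agent_view(port):
    """Value handed to the L2 agent: a missing attribute means enforced."""
    return port.get(PSEC, True)


def client_view(port):
    """Value a client displays if it fills a missing attribute with False."""
    return port.get(PSEC, False)


def misleading_ports(ports, enabled_extensions):
    """Return ports whose displayed value differs from the enforced one."""
    ext_loaded = PSEC_ALIAS in enabled_extensions
    findings = []
    for port in ports:
        enforced, shown = agent_view(port), client_view(port)
        if enforced != shown:
            findings.append({
                "id": port["id"],
                "shown": shown,
                "enforced": enforced,
                "extension_loaded": ext_loaded,
            })
    return findings


# Constructed sample data: port dicts as returned with and without the extension.
PORTS_WITHOUT_EXTENSION = [{"id": "port-a"}, {"id": "port-b"}]
PORTS_WITH_EXTENSION = [
    {"id": "port-c", PSEC: False},  # explicitly disabled by the user
    {"id": "port-d", PSEC: True},
]

if __name__ == "__main__":
    for finding in misleading_ports(PORTS_WITHOUT_EXTENSION, []):
        print(finding)
    # With the extension loaded the attribute is present, so nothing is flagged.
    print(misleading_ports(PORTS_WITH_EXTENSION, [PSEC_ALIAS]))
```

When the extension is not loaded, every port is flagged: the client shows False while the filtering is in force, so the displayed value should not be read as "no filtering".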