[security] Add allowed-address-pair 0.0.0.0/0 to one port will open all others' protocol under same security group
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Critical | LIU Yulong |
Bug Description
[security] Add allowed-
When add allowed-
IPv6 has the same problem!
Devstack test config:
[DEFAULT]
[l2pop]
[ml2]
type_drivers = flat,gre,vlan,vxlan
tenant_
extension_drivers = port_security,qos
mechanism_drivers = openvswitch,
[ml2_type_vxlan]
vni_ranges = 10000:19999
[securitygroup]
firewall_driver = openvswitch
[ovs]
local_ip = 10.0.5.10
[agent]
tunnel_types = vxlan
l2_population = True
arp_responder = True
enable_
extensions = qos
Steps to reproduce:
1. Assuming you have the following VMs
| 24231705-
| 4865d216-
$ nova interface-list 4865d216-
+------
| Port State | Port ID | Net ID | IP addresses | MAC Addr | Tag |
+------
| ACTIVE | b333b1ca-
+------
$ nova interface-list 24231705-
+------
| Port State | Port ID | Net ID | IP addresses | MAC Addr | Tag |
+------
| ACTIVE | 93197f48-
+------
2. Security group rules
$ openstack security group rule list 535018b5-
| 01015261-
| 36441851-
| 8326f59e-
| e47c6731-
3. Start a nc test server in dvr-ha-vm-2
# nc -l -p 8000
4. Try to curl that dvr-ha-vm-2 port 8000 from the outside world
$ curl http://
curl: (7) Failed connect to 172.16.12.220:8000; Connection timed out
5. Add allowed address pair 0.0.0.0/0 to dvr-ha-vm-1
openstack port set --allowed-address ip-address=
6. Try to curl that dvr-ha-vm-2 port 8000 again
It is connected!!!
# nc -l -p 8000
GET /index.html HTTP/1.1
User-Agent: curl/7.29.0
Host: 172.16.12.220:8000
Accept: */*
asdfasdf
asdfasdf
Changed in neutron:
milestone: none → ussuri-rc1
tags: added: neutron-proactive-backport-potential
The bug is mostly caused by the OpenFlow security group. We compared the flows after adding the 0.0.0.0/0 allowed-address pair. These two flows are added to table=82:

    priority=70,ct_state=+est-rel-rpl,ip,reg6=0x3 actions=conjunction(16,1/2)
    priority=70,ct_state=+new-est,ip,reg6=0x3 actions=conjunction(17,1/2)
> table=82, priority=
> table=82, priority=
Yes, this is the root cause, it will allow almost all ip traffic.
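As an added check (not part of this bug report or of Neutron itself), the following Python reads `ovs-ofctl dump-flows br-int table=82` text and flags remote-group conjunction flows whose address dimension (`conjunction(N,1/2)`) matches no source address at all, or only a /0 prefix, which is exactly what the two flows quoted in the comment above look like. It assumes table 82 is the OVS firewall driver's ingress rule table and that the 1/2 dimension is the remote-IP match; the sample dump is constructed, with the first two lines reproducing the quoted flows.

```python
import re

# Constructed sample of `ovs-ofctl dump-flows br-int table=82` output (table 82
# is the ingress rule table of the Neutron OVS firewall driver). Flows 1-2 are
# the ones quoted in the bug comment; they carry no nw_src because OVS omits a
# fully wildcarded 0.0.0.0/0 match. Flow 3 is healthy; flow 4 is an IPv6 case.
SAMPLE_DUMP = """\
 cookie=0x0, duration=12.3s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+est-rel-rpl,ip,reg6=0x3 actions=conjunction(16,1/2)
 cookie=0x0, duration=12.3s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+new-est,ip,reg6=0x3 actions=conjunction(17,1/2)
 cookie=0x0, duration=12.3s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+new-est,ip,reg6=0x3,nw_src=10.0.0.5 actions=conjunction(18,1/2)
 cookie=0x0, duration=12.3s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+new-est,ipv6,reg6=0x3,ipv6_src=::/0 actions=conjunction(19,1/2)
"""

ADDR_FIELDS = ("nw_src", "nw_dst", "ipv6_src", "ipv6_dst")
CONJ_RE = re.compile(r"conjunction\((\d+),1/2\)")

def parse_flow(line):
    """Split one dump-flows line into a match dict and its actions string."""
    match_part, _, actions = line.strip().partition(" actions=")
    fields = {}
    for tok in match_part.split(","):
        key, _, val = tok.strip().partition("=")
        if key:
            fields[key] = val  # bare matches such as 'ip' or 'ipv6' get ''
    return fields, actions

def address_dimension_is_open(fields):
    """True if the flow matches no address field, or only a /0 prefix."""
    present = [fields[f] for f in ADDR_FIELDS if f in fields]
    return not present or any(v.endswith("/0") for v in present)

def find_open_conjunctions(dump, table="82"):
    """Return (conj_id, reg6, ct_state) for each conjunction(N,1/2) flow in
    `table` accepting any source address. In the OVS firewall driver the 1/2
    dimension of a remote-group conjunction carries the remote-IP match
    (assumed from the driver's flow layout), so an open one admits any host."""
    findings = []
    for line in dump.splitlines():
        fields, actions = parse_flow(line)
        if fields.get("table") != table:
            continue
        m = CONJ_RE.search(actions)
        if m and address_dimension_is_open(fields):
            findings.append((int(m.group(1)), fields.get("reg6"),
                             fields.get("ct_state")))
    return findings

if __name__ == "__main__":
    for conj_id, reg6, ct_state in find_open_conjunctions(SAMPLE_DUMP):
        print(f"open remote-group match: conj_id={conj_id} reg6={reg6} ct_state={ct_state}")
```

Run it against a real dump on a compute node to see whether any port's remote-group match has collapsed to "any host"; `reg6` identifies the affected network in the driver's flow layout.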