SG rules aren't properly applied if the tenant network CIDR also matches the host network CIDR

Bug #1897580 reported by Rodolfo Alonso
Affects  Status   Importance  Assigned to  Milestone
neutron  Expired  Undecided   Unassigned

Bug Description

This error happens when using OVS hybrid firewall driver.

Steps to reproduce:

- check the compute node's IPs and networks, and choose the network and IP address to test this issue with. For example: 172.17.3.0/24 -> 172.17.3.29
- create a neutron network with the matching subnet, and set the DHCP allocation pool so that it includes IPs for the DHCP agents and for the VM itself (or assign a fixed IP)
- schedule the VM on the proper compute node
- create a rule to permit ICMP traffic --> no rule is created!

Additional info: http://paste.openstack.org/show/798459/
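Added pre-check, not part of the bug report: before creating the tenant subnet from the steps above, parse `ip -o a` output in the format shown later in this thread and flag host interfaces whose network overlaps the candidate CIDR, plus any candidate fixed IP that is already a host address or an /etc/hosts entry. The `ip -o a` and /etc/hosts samples are constructed for this example.

```python
import ipaddress
import re

# Constructed sample of `ip -o a` output, in the same one-line-per-address
# format that appears in this thread.
IP_O_A = """\
1: lo inet 127.0.0.1/8 scope host lo\\ valid_lft forever preferred_lft forever
2: ens4 inet 172.17.3.29/24 brd 172.17.3.255 scope global dynamic ens4\\ valid_lft 2852sec preferred_lft 2852sec
3: br-ex inet 100.109.0.15/16 brd 100.109.255.255 scope global br-ex\\ valid_lft forever preferred_lft forever
"""

# Constructed /etc/hosts sample; the thread speculates that a port IP already
# listed here may be handled differently when rules are generated.
ETC_HOSTS = """\
127.0.0.1 localhost
172.17.3.29 compute1.example.internal compute1
"""

LINE_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+/\d+)")


def host_networks(ip_o_a):
    """Return [(ifname, IPv4Interface)] for every IPv4 line of `ip -o a` output."""
    result = []
    for line in ip_o_a.splitlines():
        m = LINE_RE.match(line)  # 'inet6' lines do not match 'inet\s+'
        if m:
            result.append((m.group(1), ipaddress.ip_interface(m.group(2))))
    return result


def overlapping_interfaces(tenant_cidr, ip_o_a=IP_O_A):
    """Non-loopback host interfaces whose network overlaps the tenant subnet CIDR."""
    net = ipaddress.ip_network(tenant_cidr, strict=False)
    return [(name, str(iface)) for name, iface in host_networks(ip_o_a)
            if not iface.ip.is_loopback and iface.network.overlaps(net)]


def fixed_ip_conflicts(fixed_ip, ip_o_a=IP_O_A, etc_hosts=ETC_HOSTS):
    """Report host interfaces and /etc/hosts names that already carry a candidate port IP."""
    ip = ipaddress.ip_address(fixed_ip)
    on_host = [name for name, iface in host_networks(ip_o_a) if iface.ip == ip]
    names = []
    for line in etc_hosts.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if parts and ipaddress.ip_address(parts[0]) == ip:
            names.extend(parts[1:])
    return {"host_interfaces": on_host, "etc_hosts_names": names}
```

Run `overlapping_interfaces("172.17.3.0/24")` and `fixed_ip_conflicts("172.17.3.29")` with real `ip -o a` and /etc/hosts contents to see whether a planned subnet or port IP collides with the compute host before reproducing the issue.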

Tags: sg-fw
tags: added: sg-fw
Revision history for this message
Lajos Katona (lajos-katona) wrote :

Hi,
I checked with Ubuntu 20.04, latest master and devstack, and for me with the hybrid firewall driver the rules are created.

$ ip -o a
1: lo inet 127.0.0.1/8 scope host lo\ valid_lft forever preferred_lft forever
1: lo inet6 ::1/128 scope host \ valid_lft forever preferred_lft forever
2: ens4 inet 100.109.0.15/16 brd 100.109.255.255 scope global dynamic ens4\ valid_lft 2852sec preferred_lft 2852sec
...
$ grep -ni firewall /etc/neutron/plugins/ml2/ml2_conf.ini
299:firewall_driver = iptables_hybrid

$ openstack network create net0
...

$ openstack subnet create --network net0 --subnet-range 100.109.0.0/24 subnet0
...

$ openstack port create --network net0 --host focalcont --fixed-ip subnet=subnet0,ip-address=100.109.0.13 port0
.....

$ openstack server create --flavor c1 --image cirros-0.5.1-x86_64-disk --nic port-id=port0 --wait
...
$ openstack server list
+--------------------------------------+------+--------+--------------------------------------------------------+------------------------------------+-----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------+--------+--------------------------------------------------------+------------------------------------+-----------+
| 98a3af45-3c4f-4fa6-9dd6-3201193d978f | vm0 | ACTIVE | net0=100.109.0.13, 100.109.1.222 | cirros-0.5.1-x86_64-disk | cirros256 |

$ sudo ip netns exec qdhcp-370d3c94-ad54-42ed-bc4b-717fd4431c20 ping 100.109.0.13
PING 100.109.0.13 (100.109.0.13) 56(84) bytes of data.
^C
--- 100.109.0.13 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2046ms

$ ping 100.109.1.222
PING 100.109.1.222 (100.109.1.222) 56(84) bytes of data.
^C
--- 100.109.1.222 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5099ms

$ openstack security group rule create 04388ee4-c6bf-4696-8fd5-75cf1cca3a18 --egress --protocol icmp
...
$ openstack security group rule create 04388ee4-c6bf-4696-8fd5-75cf1cca3a18 --ingress --protocol icmp
....

$ ping 100.109.1.222
PING 100.109.1.222 (100.109.1.222) 56(84) bytes of data.
64 bytes from 100.109.1.222: icmp_seq=1 ttl=63 time=3.77 ms
64 bytes from 100.109.1.222: icmp_seq=2 ttl=63 time=1.77 ms
64 bytes from 100.109.1.222: icmp_seq=3 ttl=63 time=1.69 ms
^C
--- 100.109.1.222 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.690/2.408/3.766/0.960 ms

$ sudo ip netns exec qdhcp-370d3c94-ad54-42ed-bc4b-717fd4431c20 ping 100.109.0.13
PING 100.109.0.13 (100.109.0.13) 56(84) bytes of data.
64 bytes from 100.109.0.13: icmp_seq=1 ttl=64 time=1.20 ms
64 bytes from 100.109.0.13: icmp_seq=2 ttl=64 time=0.996 ms
64 bytes from 100.109.0.13: icmp_seq=3 ttl=64 time=0.735 ms
^C
--- 100.109.0.13 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.735/0.975/1.195/0.188 ms

iptables rules before and after:
http://paste.openstack.org/show/798508/

Changed in neutron:
status: New → Incomplete
Revision history for this message
Lajos Katona (lajos-katona) wrote :

Could you check my results, please?

Revision history for this message
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hi Lajos:

Maybe I missed one comment: the IP of the OpenStack port should match one of the IP addresses used on the host. I think (but I didn't check it) that because this IP is in /etc/hosts, iptables is resolving the name and not setting the rule correctly.

Regards.

Revision history for this message
Brian Haley (brian-haley) wrote :

AFAIK the iptables SG code will not use a host name, only the IP, and since it's calling iptables-save/restore I don't think it will resolve it either.

Revision history for this message
Lajos Katona (lajos-katona) wrote :

Rodolfo: I'll check it again next week.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired