SG rules aren't properly applied if the CIDR of the tenant network also matches the host network CIDR
Bug #1897580 reported by Rodolfo Alonso
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Expired | Undecided | Unassigned | |
Bug Description
This error happens when using the OVS hybrid firewall driver.
Steps to reproduce:
- check the compute node's IPs and networks, and choose the network and IP address to test this issue. For example: 172.17.3.0/24 -> 172.17.3.29
- create a neutron network with a subnet in the same range, and set the DHCP allocation pool so that it includes IPs for the DHCP agents and for the VM itself (or assign a fixed IP)
- schedule the VM on the proper compute node
- create a rule to permit icmp traffic --> no rule is created!
Additional info: http://
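As an added illustration (not part of the report and not neutron code), a pre-flight check an operator can run before choosing a tenant subnet range: it parses `ip -o a` output from a compute node (a constructed sample modelled on the listing in the comment below) and reports every tenant subnet CIDR that overlaps one of the host's own networks, the condition this report ties to missing security group rules.

```python
import ipaddress
import re

# Constructed sample of `ip -o a` output, modelled on the listing in the comment below.
IP_O_A_SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: ens4    inet 100.109.0.15/16 brd 100.109.255.255 scope global dynamic ens4\\       valid_lft 2852sec preferred_lft 2852sec
"""

# Each `ip -o a` record starts "<idx>: <ifname> inet|inet6 <addr>/<prefix> ...".
_LINE_RE = re.compile(r"^\d+:\s+(?P<ifname>\S+)\s+inet6?\s+(?P<cidr>\S+)")


def host_networks(ip_o_a_output):
    """Return [(ifname, network)] for every address in `ip -o a` output.

    strict=False reduces the interface address to its on-link network
    (100.109.0.15/16 -> 100.109.0.0/16), the range a tenant subnet must avoid.
    """
    nets = []
    for line in ip_o_a_output.splitlines():
        m = _LINE_RE.match(line)
        if m:
            nets.append((m.group("ifname"),
                         ipaddress.ip_network(m.group("cidr"), strict=False)))
    return nets


def overlapping_subnets(ip_o_a_output, tenant_cidrs, ignore_loopback=True):
    """Return [(tenant_cidr, ifname, host_network)] per overlap; loopback is skipped by default."""
    hits = []
    for cidr in tenant_cidrs:
        tenant = ipaddress.ip_network(cidr, strict=False)
        for ifname, host in host_networks(ip_o_a_output):
            if ignore_loopback and host.is_loopback:
                continue
            # overlaps() is only meaningful within one address family
            if host.version == tenant.version and host.overlaps(tenant):
                hits.append((str(tenant), ifname, str(host)))
    return hits


if __name__ == "__main__":
    # The report's scenario: subnet0 = 100.109.0.0/24 on a host that uses 100.109.0.0/16.
    for tenant, ifname, host in overlapping_subnets(
            IP_O_A_SAMPLE, ["100.109.0.0/24", "10.0.0.0/24"]):
        print(f"tenant subnet {tenant} overlaps {ifname} network {host}")
```

On a real compute node, feed it the output of `ip -o a` and the CIDRs from `openstack subnet list`; any hit is a range to avoid rather than a reason to trust the SG rules.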
Tags: sg-fw
Hi,
I checked with Ubuntu 20.04, latest master and devstack, and for me with the hybrid firewall driver the rules are created.
$ ip -o a
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: ens4    inet 100.109.0.15/16 brd 100.109.255.255 scope global dynamic ens4\       valid_lft 2852sec preferred_lft 2852sec
...
$ grep -ni firewall /etc/neutron/plugins/ml2/ml2_conf.ini
299:firewall_driver = iptables_hybrid
$ openstack network create net0
...
$ openstack subnet create --network net0 --subnet-range 100.109.0.0/24 subnet0
...
$ openstack port create --network net0 --host focalcont --fixed-ip subnet=subnet0,ip-address=100.109.0.13 port0
.....
$ openstack server create --flavor c1 --image cirros-0.5.1-x86_64-disk --nic port-id=port0 --wait
...
$ openstack server list
+--------------------------------------+------+--------+----------------------------------+--------------------------+-----------+
| ID                                   | Name | Status | Networks                         | Image                    | Flavor    |
+--------------------------------------+------+--------+----------------------------------+--------------------------+-----------+
| 98a3af45-3c4f-4fa6-9dd6-3201193d978f | vm0  | ACTIVE | net0=100.109.0.13, 100.109.1.222 | cirros-0.5.1-x86_64-disk | cirros256 |
+--------------------------------------+------+--------+----------------------------------+--------------------------+-----------+
$ sudo ip netns exec qdhcp-370d3c94-ad54-42ed-bc4b-717fd4431c20 ping 100.109.0.13
PING 100.109.0.13 (100.109.0.13) 56(84) bytes of data.
^C
--- 100.109.0.13 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2046ms
$ ping 100.109.1.222
PING 100.109.1.222 (100.109.1.222) 56(84) bytes of data.
^C
--- 100.109.1.222 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5099ms
$ openstack security group rule create 04388ee4-c6bf-4696-8fd5-75cf1cca3a18 --egress --protocol icmp
...
$ openstack security group rule create 04388ee4-c6bf-4696-8fd5-75cf1cca3a18 --ingress --protocol icmp
....
$ ping 100.109.1.222
PING 100.109.1.222 (100.109.1.222) 56(84) bytes of data.
64 bytes from 100.109.1.222: icmp_seq=1 ttl=63 time=3.77 ms
64 bytes from 100.109.1.222: icmp_seq=2 ttl=63 time=1.77 ms
64 bytes from 100.109.1.222: icmp_seq=3 ttl=63 time=1.69 ms
^C
--- 100.109.1.222 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.690/2.408/3.766/0.960 ms
$ sudo ip netns exec qdhcp-370d3c94-ad54-42ed-bc4b-717fd4431c20 ping 100.109.0.13
PING 100.109.0.13 (100.109.0.13) 56(84) bytes of data.
64 bytes from 100.109.0.13: icmp_seq=1 ttl=64 time=1.20 ms
64 bytes from 100.109.0.13: icmp_seq=2 ttl=64 time=0.996 ms
64 bytes from 100.109.0.13: icmp_seq=3 ttl=64 time=0.735 ms
^C
--- 100.109.0.13 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.735/0.975/1.195/0.188 ms
iptables rules before and after: http://paste.openstack.org/show/798508/