neutron

masquerading behavior changed between queens and train

Bug #1987396 reported by David Hill
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Medium
David Hill

Bug Description

masquerading behavior changed beteen queens and train following [1] implementation of random-fully to solve another issue. Now, the source port is remapped randomly to some undeterminisitc value in order to avoid a racy tuple generation in the kernel but this has for effect that a firewall between openstack routers and the destination service that relies on source_ip:source_port for this no longer works. There're many other custom applications that could be using that information in their internal functions

[1] https://review.opendev.org/c/openstack/neutron/+/636473

OpenStack Infra (hudson-openstack)
Changed in neutron:
status: New → In Progress
David Hill (david-hill-ubisoft)
Changed in neutron:
status: In Progress → Confirmed
Rodolfo Alonso (rodolfo-alonso-hernandez)
Changed in neutron:
assignee: nobody → David Hill (david-hill-ubisoft)
OpenStack Infra (hudson-openstack)
Changed in neutron:
status: Confirmed → In Progress
Slawek Kaplonski (slaweq)
summary: - masquerading behavior changed beteen queens and train
+ masquerading behavior changed between queens and train
Changed in neutron:
importance: Undecided → High
importance: High → Medium
Revision history for this message
Lajos Katona (lajos-katona) wrote :

Related patch (for some reason launchpad haven't noticed it):
https://review.opendev.org/c/openstack/neutron/+/854041

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/854041
Committed: https://opendev.org/openstack/neutron/commit/bbefe5285e7ab799422fab81488f57c9c22769b6
Submitter: "Zuul (22348)"
Branch: master

commit bbefe5285e7ab799422fab81488f57c9c22769b6
Author: David Hill <email address hidden>
Date: Mon Aug 22 17:03:49 2022 -0400

    Allow operator to disable usage of random-fully

    In some specific use case, the cloud operator expects the source port
    of a packet to stay the same across all masquerading layer up to the
    destination host. With the implementation of the random-fully code,
    this behavior was changed as source_port is always rewritten no matter
    which type of architecture / network CIDRs is being used in the backend.
    This setting allows a user to fallback to the original behavior of the
    masquerading process which is to keep the source_port consistent across
    all layers. The initial random-fully fix prevents packet drops when
    duplicate tuples are generated from two different namespace when the
    source_ip:source_port goes toward the same destination so enabling this
    setting would allow this issue to show again. Perhaps a right approach
    here would be to fix this "racey" situation in the kernel by perhaps
    using the mac address as a seed to the tuple ...

    Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5
    Closes-bug: #1987396

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/neutron/+/854795

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/854795
Committed: https://opendev.org/openstack/neutron/commit/fa77abbc153dcf040a95f6a001d6661e07c25096
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit fa77abbc153dcf040a95f6a001d6661e07c25096
Author: David Hill <email address hidden>
Date: Mon Aug 22 17:03:49 2022 -0400

    Allow operator to disable usage of random-fully

    In some specific use case, the cloud operator expects the source port
    of a packet to stay the same across all masquerading layer up to the
    destination host. With the implementation of the random-fully code,
    this behavior was changed as source_port is always rewritten no matter
    which type of architecture / network CIDRs is being used in the backend.
    This setting allows a user to fallback to the original behavior of the
    masquerading process which is to keep the source_port consistent across
    all layers. The initial random-fully fix prevents packet drops when
    duplicate tuples are generated from two different namespace when the
    source_ip:source_port goes toward the same destination so enabling this
    setting would allow this issue to show again. Perhaps a right approach
    here would be to fix this "racey" situation in the kernel by perhaps
    using the mac address as a seed to the tuple ...

    Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5
    Closes-bug: #1987396
    (cherry picked from commit bbefe5285e7ab799422fab81488f57c9c22769b6)

tags: added: in-stable-yoga
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/854808

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/854993

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/854994

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/neutron/+/854995

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/neutron/+/854996

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/854808
Committed: https://opendev.org/openstack/neutron/commit/9985e7ddaf82d384336db77e93d6c46d122df39b
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 9985e7ddaf82d384336db77e93d6c46d122df39b
Author: David Hill <email address hidden>
Date: Mon Aug 22 17:03:49 2022 -0400

    Allow operator to disable usage of random-fully

    In some specific use case, the cloud operator expects the source port
    of a packet to stay the same across all masquerading layer up to the
    destination host. With the implementation of the random-fully code,
    this behavior was changed as source_port is always rewritten no matter
    which type of architecture / network CIDRs is being used in the backend.
    This setting allows a user to fallback to the original behavior of the
    masquerading process which is to keep the source_port consistent across
    all layers. The initial random-fully fix prevents packet drops when
    duplicate tuples are generated from two different namespace when the
    source_ip:source_port goes toward the same destination so enabling this
    setting would allow this issue to show again. Perhaps a right approach
    here would be to fix this "racey" situation in the kernel by perhaps
    using the mac address as a seed to the tuple ...

    Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5
    Closes-bug: #1987396
    (cherry picked from commit bbefe5285e7ab799422fab81488f57c9c22769b6)
    (cherry picked from commit fa77abbc153dcf040a95f6a001d6661e07c25096)

tags: added: in-stable-xena
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/854995
Committed: https://opendev.org/openstack/neutron/commit/e7f8b93a8a2159b59c94657400da86cebf7b450f
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit e7f8b93a8a2159b59c94657400da86cebf7b450f
Author: David Hill <email address hidden>
Date: Mon Aug 22 17:03:49 2022 -0400

    Allow operator to disable usage of random-fully

    In some specific use case, the cloud operator expects the source port
    of a packet to stay the same across all masquerading layer up to the
    destination host. With the implementation of the random-fully code,
    this behavior was changed as source_port is always rewritten no matter
    which type of architecture / network CIDRs is being used in the backend.
    This setting allows a user to fallback to the original behavior of the
    masquerading process which is to keep the source_port consistent across
    all layers. The initial random-fully fix prevents packet drops when
    duplicate tuples are generated from two different namespace when the
    source_ip:source_port goes toward the same destination so enabling this
    setting would allow this issue to show again. Perhaps a right approach
    here would be to fix this "racey" situation in the kernel by perhaps
    using the mac address as a seed to the tuple ...

    Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5
    Closes-bug: #1987396
    (cherry picked from commit bbefe5285e7ab799422fab81488f57c9c22769b6)
    (cherry picked from commit fa77abbc153dcf040a95f6a001d6661e07c25096)

tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/854993
Committed: https://opendev.org/openstack/neutron/commit/336bb4d3fcb38770fd3965046df32471efa6269c
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 336bb4d3fcb38770fd3965046df32471efa6269c
Author: David Hill <email address hidden>
Date: Mon Aug 22 17:03:49 2022 -0400

    Allow operator to disable usage of random-fully

    In some specific use case, the cloud operator expects the source port
    of a packet to stay the same across all masquerading layer up to the
    destination host. With the implementation of the random-fully code,
    this behavior was changed as source_port is always rewritten no matter
    which type of architecture / network CIDRs is being used in the backend.
    This setting allows a user to fallback to the original behavior of the
    masquerading process which is to keep the source_port consistent across
    all layers. The initial random-fully fix prevents packet drops when
    duplicate tuples are generated from two different namespace when the
    source_ip:source_port goes toward the same destination so enabling this
    setting would allow this issue to show again. Perhaps a right approach
    here would be to fix this "racey" situation in the kernel by perhaps
    using the mac address as a seed to the tuple ...

    Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5
    Closes-bug: #1987396
    (cherry picked from commit bbefe5285e7ab799422fab81488f57c9c22769b6)
    (cherry picked from commit fa77abbc153dcf040a95f6a001d6661e07c25096)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/854996
Committed: https://opendev.org/openstack/neutron/commit/04e4a97742f0a12137fe7ae9d4f3af91a9125862
Submitter: "Zuul (22348)"
Branch: stable/train

commit 04e4a97742f0a12137fe7ae9d4f3af91a9125862
Author: David Hill <email address hidden>
Date: Mon Aug 22 17:03:49 2022 -0400

    Allow operator to disable usage of random-fully

    In some specific use case, the cloud operator expects the source port
    of a packet to stay the same across all masquerading layer up to the
    destination host. With the implementation of the random-fully code,
    this behavior was changed as source_port is always rewritten no matter
    which type of architecture / network CIDRs is being used in the backend.
    This setting allows a user to fallback to the original behavior of the
    masquerading process which is to keep the source_port consistent across
    all layers. The initial random-fully fix prevents packet drops when
    duplicate tuples are generated from two different namespace when the
    source_ip:source_port goes toward the same destination so enabling this
    setting would allow this issue to show again. Perhaps a right approach
    here would be to fix this "racey" situation in the kernel by perhaps
    using the mac address as a seed to the tuple ...

    Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5
    Closes-bug: #1987396
    (cherry picked from commit bbefe5285e7ab799422fab81488f57c9c22769b6)
    (cherry picked from commit fa77abbc153dcf040a95f6a001d6661e07c25096)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.0.0.0rc1

This issue was fixed in the openstack/neutron 21.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/854994
Committed: https://opendev.org/openstack/neutron/commit/553777c52d0fbfa18a1830d41ac018d2e1dc8282
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 553777c52d0fbfa18a1830d41ac018d2e1dc8282
Author: David Hill <email address hidden>
Date: Mon Aug 22 17:03:49 2022 -0400

    Allow operator to disable usage of random-fully

    In some specific use case, the cloud operator expects the source port
    of a packet to stay the same across all masquerading layer up to the
    destination host. With the implementation of the random-fully code,
    this behavior was changed as source_port is always rewritten no matter
    which type of architecture / network CIDRs is being used in the backend.
    This setting allows a user to fallback to the original behavior of the
    masquerading process which is to keep the source_port consistent across
    all layers. The initial random-fully fix prevents packet drops when
    duplicate tuples are generated from two different namespace when the
    source_ip:source_port goes toward the same destination so enabling this
    setting would allow this issue to show again. Perhaps a right approach
    here would be to fix this "racey" situation in the kernel by perhaps
    using the mac address as a seed to the tuple ...

    Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5
    Closes-bug: #1987396
    (cherry picked from commit bbefe5285e7ab799422fab81488f57c9c22769b6)
    (cherry picked from commit fa77abbc153dcf040a95f6a001d6661e07c25096)

tags: added: in-stable-victoria
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 18.6.0

This issue was fixed in the openstack/neutron 18.6.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 19.5.0

This issue was fixed in the openstack/neutron 19.5.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 20.3.0

This issue was fixed in the openstack/neutron 20.3.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron train-eol

This issue was fixed in the openstack/neutron train-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron ussuri-eol

This issue was fixed in the openstack/neutron ussuri-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron victoria-eom

This issue was fixed in the openstack/neutron victoria-eom release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.