security groups iptables can block legitimate traffic as INVALID

Bug #1515799 reported by Roman Rufanov
Affects               Status         Importance   Assigned to        Milestone
Mirantis OpenStack    Invalid        High         MOS Neutron
  5.1.x               Won't Fix      High         Alexey Stupnikov
  6.0.x               Won't Fix      High         Denis Puchkin
  6.1.x               Fix Released   High         Denis Puchkin
  7.0.x               Fix Released   High         Denis Puchkin

Bug Description

Customer found this on 5.1; upstream bug: https://bugs.launchpad.net/neutron/+bug/1460741
A solution is needed for 5.1 (proposed patch attached).

Roman Rufanov (rrufanov) wrote:
tags: added: customer-found support
Roman Podoliaka (rpodolyaka) wrote:

MOS Neutron, could you please double-check that we have the fix in the 6.1 and 7.0 branches?

Changed in mos:
status: New → Fix Released
assignee: nobody → MOS Neutron (mos-neutron)
milestone: none → 8.0
importance: Undecided → High
Alexander Ignatov (aignatov) wrote:

Invalid, since this fix just got in from stable/liberty from the beginning.

Changed in mos:
status: Fix Released → Invalid
Alexander Ignatov (aignatov) wrote:

Confirmed that the fix doesn't exist in the 6.0 and 7.0 branches. Need to backport it (https://review.openstack.org/#/q/Ie6ce5f3fa688f1bf25b77db5955211922d9fe85b,n,z) from the corresponding branches.

Fuel Devops McRobotson (fuel-devops-robot) wrote: Fix proposed to openstack/neutron (openstack-ci/fuel-6.0-updates/2014.2)

Fix proposed to branch: openstack-ci/fuel-6.0-updates/2014.2
Change author: Kevin Benton <email address hidden>
Review: https://review.fuel-infra.org/14559

Fuel Devops McRobotson (fuel-devops-robot) wrote: Fix proposed to openstack/neutron (openstack-ci/fuel-6.1/2014.2)

Fix proposed to branch: openstack-ci/fuel-6.1/2014.2
Change author: Kevin Benton <email address hidden>
Review: https://review.fuel-infra.org/14560

Fuel Devops McRobotson (fuel-devops-robot) wrote: Fix proposed to openstack/neutron (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Kevin Benton <email address hidden>
Review: https://review.fuel-infra.org/14561

Fuel Devops McRobotson (fuel-devops-robot) wrote: Fix merged to openstack/neutron (openstack-ci/fuel-7.0/2015.1.0)

Reviewed: https://review.fuel-infra.org/14561
Submitter: Denis V. Meltsaykin <email address hidden>
Branch: openstack-ci/fuel-7.0/2015.1.0

Commit: a8a3a7c8ce21c5a5297255287314efa244b49137
Author: Kevin Benton <email address hidden>
Date: Tue Dec 22 11:19:34 2015

Process user iptables rules before INVALID

Process user-defined iptables rules before the INVALID DROP
rule. This is to allow scenarios where the VMs need to
legitimately receive packets that conntrack doesn't have an
entry for (e.g. SYN-ACK where the SYN wasn't sent by the VM).
A user can accomplish this by adding an allow rule that matches
the headers of these INVALID packets so they get permitted before
they hit the INVALID DROP rule.

Closes-Bug: #1515799
Cherry-pick from 2f85b22d84244e8785389144232f446afd24db6b
Change-Id: Ie6ce5f3fa688f1bf25b77db5955211922d9fe85b

tags: added: on-verification
Vadim Rovachev (vrovachev) wrote:

Verified on 7.0 Ubuntu with installed mirror packages:
http://perestroika-repo-tst.infra.mirantis.net/review/CR-14561/mos-repos/ubuntu/7.0/dists/mos7.0-proposed/

Before applying the patch we have the following rules:
...
-A neutron-openvswi-iac16f023-b -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-iac16f023-b -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
...

After applying the patch we have the following rules:
...
-A neutron-openvswi-o9ceef79b-3 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-o9ceef79b-3 -j RETURN
-A neutron-openvswi-o9ceef79b-3 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
...

tags: removed: on-verification
tags: added: 7.0-mu-2
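The effect of the reordering shown in the verification above, as an added illustration that is not code from the bug report or from Neutron: a toy model that walks a per-port security-group chain in both rule orders, so a conntrack-INVALID SYN-ACK that a user rule allows is dropped before the fix and passed after it. The packets, the allowed port (TCP/8080) and the chain's fall-through DROP are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Toy model of one Neutron per-port security-group chain, added for this bug
# report (not Neutron code): rules are walked in order and the first match wins.

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" / "udp"
    dport: int
    ctstate: str    # conntrack classification: NEW, ESTABLISHED, RELATED or INVALID

@dataclass(frozen=True)
class Rule:
    target: str                         # RETURN (let it through) or DROP
    state: Optional[frozenset] = None   # -m state --state ...
    proto: Optional[str] = None         # -p ...
    dport: Optional[int] = None         # --dport ...

    def matches(self, pkt: Packet) -> bool:
        if self.state is not None and pkt.ctstate not in self.state:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return self.dport is None or pkt.dport == self.dport

def walk_chain(rules, pkt: Packet) -> str:
    """Verdict of the first matching rule; unmatched traffic falls through to
    DROP (assumption: stands in for Neutron's sg-fallback chain, which drops)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return "DROP"

INVALID_DROP = Rule("DROP", state=frozenset({"INVALID"}))
ESTABLISHED_RETURN = Rule("RETURN", state=frozenset({"RELATED", "ESTABLISHED"}))
# Constructed security-group rule: the tenant allows TCP/8080 to the VM.
USER_ALLOW_8080 = Rule("RETURN", proto="tcp", dport=8080)

# Rule order from the "before" and "after" iptables output in the verification.
CHAIN_BEFORE_FIX = [INVALID_DROP, ESTABLISHED_RETURN, USER_ALLOW_8080]
CHAIN_AFTER_FIX = [ESTABLISHED_RETURN, USER_ALLOW_8080, INVALID_DROP]

# Constructed packets: a SYN-ACK that conntrack never saw a SYN for (INVALID),
# the same kind of packet to a port no rule allows, and an ordinary new SYN.
SYNACK_8080_NO_CONNTRACK = Packet("tcp", 8080, "INVALID")
SYNACK_22_NO_CONNTRACK = Packet("tcp", 22, "INVALID")
NEW_SYN_8080 = Packet("tcp", 8080, "NEW")
```

Only INVALID packets that a user rule explicitly matches change verdict; INVALID traffic to ports without an allow rule still hits the DROP.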
Fuel Devops McRobotson (fuel-devops-robot) wrote: Fix merged to openstack/neutron (openstack-ci/fuel-6.1/2014.2)

Reviewed: https://review.fuel-infra.org/14560
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-6.1/2014.2

Commit: c6452a712e2cdd7b66329cd2cdaf41f9ce7027f1
Author: Kevin Benton <email address hidden>
Date: Thu Dec 10 14:30:46 2015

Process user iptables rules before INVALID

Process user-defined iptables rules before the INVALID DROP
rule. This is to allow scenarios where the VMs need to
legitimately receive packets that conntrack doesn't have an
entry for (e.g. SYN-ACK where the SYN wasn't sent by the VM).
A user can accomplish this by adding an allow rule that matches
the headers of these INVALID packets so they get permitted before
they hit the INVALID DROP rule.

Closes-Bug: #1515799

Cherry-pick from 58904f3626cdf09006bbb8ac9e60f9a24298f01e
Change-Id: Ie6ce5f3fa688f1bf25b77db5955211922d9fe85b

tags: added: on-verification
Ekaterina Shutova (eshutova) wrote:

Verified on 6.1-mu-5.

Before updates:
-A neutron-openvswi-o52106b84-0 -m state --state INVALID -j DROP
-A neutron-openvswi-o52106b84-0 -m state --state RELATED,ESTABLISHED -j RETURN

After updates:
-A neutron-openvswi-o36a5711d-3 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o36a5711d-3 -j RETURN
-A neutron-openvswi-o36a5711d-3 -m state --state INVALID -j DROP

tags: removed: on-verification
Alexey Stupnikov (astupnikov) wrote:

Set this bug's status to Won't fix (wontfix-low) since 5.1.1 is now in Limited support status and only security fixes are accepted.

tags: added: wontfix-low
Alexey Stupnikov (astupnikov) wrote:

Set this bug's status to Won't fix (wontfix-low) since 6.0 is now in Limited support status and only security fixes are accepted.

Fuel Devops McRobotson (fuel-devops-robot) wrote: Change abandoned on openstack/neutron (openstack-ci/fuel-6.0-updates/2014.2)

Change abandoned by Alexander Ignatov <email address hidden> on branch: openstack-ci/fuel-6.0-updates/2014.2
Review: https://review.fuel-infra.org/14559
Reason: Too old patch, not required anymore.
