Bug 1429331

Summary: iptables rule blocks traffic even with port_security_enabled set to False
Product: Red Hat OpenStack Reporter: Masaki Furuta ( RH ) <mfuruta>
Component: openstack-neutronAssignee: Daniel Alvarez Sanchez <dalvarez>
Status: CLOSED ERRATA QA Contact: Eran Kuris <ekuris>
Severity: high Docs Contact:
Priority: high    
Version: 9.0 (Mitaka)CC: adhingra, amaumene, amuller, asimonel, bcafarel, bschmaus, chrisw, cpaquin, dalvarez, ekuris, jlibosva, jschluet, k-akuta, mlopes, mschuppe, nyechiel, oblaut, pablo.iranzo, pmannidi, ragiman, sputhenp, srevivo, tbonds
Target Milestone: asyncKeywords: Triaged, ZStream
Target Release: 9.0 (Mitaka)   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-neutron-8.3.0-4.el7ost Doc Type: Bug Fix
Doc Text:
Previously, when ports were created with port_security disabled, the explicit iptables rules were not applied to allow the traffic. This resulted in packets hitting a default REJECT rule, and all traffic was blocked. With this fix, firewall rules are correctly installed on ports with port_security disabled and traffic is allowed.
 Story Points: ---
Clone Of: 1406263 Environment:
Last Closed: 2017-03-30 19:35:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1406263    
Bug Blocks: 1369066    

Comment 1 Masaki Furuta ( RH ) 2017-03-06 06:43:13 UTC 
This was done in upstream here:

- https://bugs.launchpad.net/neutron/+bug/1549443/comments/31

~~~
OpenStack Infra (hudson-openstack) wrote on 2017-03-04: Fix merged to neutron (stable/mitaka)	#31
Reviewed: https://review.openstack.org/440850
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3d146d0e79c5411f7b156cae2085b17ef10d671f
Submitter: Jenkins
Branch: stable/mitaka

commit 3d146d0e79c5411f7b156cae2085b17ef10d671f
Author: Bernard Cafarelli <email address hidden>
Date: Thu Jan 19 14:14:12 2017 +0100

    Revert "Setup firewall filters only for required ports"

    This reverts commit 75edc1ff28a460342a9b5e5b7d63c6f4fb59862d.

    Ports with port security disabled require firewall entries in
    neutron-openvswi-FORWARD chain to work properly.
    Ports created with no security groups will not get skipped with current
    code.
    With fixed security groups check, these ports' security groups can not
    be updated after creation.

    Closes-Bug: #1549443

    Conflicts:
     neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
     neutron/tests/functional/agent/l2/base.py
     neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py

    Change-Id: I95ddbe38d8ac8a927a860a98f54e41e17fb71d43
    (cherry picked from commit a8b6a597b6aab7cd3b0a5d0c3baad75af395fe1d)

tags:	added: in-stable-mitaka
~~~
Comment 4 Assaf Muller 2017-03-06 11:15:15 UTC 
Approved for hotfix for NEC.
Comment 5 Daniel Alvarez Sanchez 2017-03-06 11:27:28 UTC 
Package is built and doc flags updated.
Comment 7 ykawada 2017-03-08 07:56:18 UTC 
*** Bug 1428782 has been marked as a duplicate of this bug. ***
Comment 9 Eran Kuris 2017-03-21 09:37:03 UTC 
9   -p 2017-03-17.1
$ rpm -qa |grep openstack-neutron-8
openstack-neutron-8.3.0-5.el7ost.noarch


verified and fixed 

steps -
1. neutron net-create net-64-2 --port_security_enabled false
2. neutron subnet-create net-64-2 10.0.5.0/24 --name subnet_4 --enable_dhcp true
3. neutron router-create Router_eNet
4. neutron router-interface-add Router_eNet  dd073541-b444-4ab6-8187-346d7a8eb96a
5. neutron router-gateway-set Router_eNet 25df8c01-0632-4b49-ac8c-31d0155bfb0e
6. nova boot --flavor 3 --image cirros VM1 --nic net-id=551f3ab9-2292-4d43-b8bd-b7bd59951799
7. neutron port-show 104ab04f-3b1f-408e-bee0-10ba0d6dab35 |grep security
verify  port_security_enabled = False
8. connectivity check from qrouter to VM1 
ip net exec qrouter-5d10b101-4bc5-4261-aa3d-9c192e85ee06 ping 10.0.5.3
Comment 11 errata-xmlrpc 2017-03-30 19:35:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0856
Comment 12 Benjamin Schmaus 2017-04-03 12:56:17 UTC 
Clear INFO