Bug 1269849 - security groups iptables can block legitimate traffic as INVALID
Summary: security groups iptables can block legitimate traffic as INVALID
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 7.0 (Kilo)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: z3
Target Release: 7.0 (Kilo)
Assignee: Nir Magnezi
QA Contact: Eran Kuris
URL:
Whiteboard:
Depends On: 1268413 1338971
Blocks:
Reported: 2015-10-08 11:00 UTC by Nir Magnezi
Modified: 2019-09-12 09:03 UTC (History)

Fixed In Version: openstack-neutron-2015.1.1-13.el7ost
Doc Type: Bug Fix
Doc Text:
Prior to this update, the Linux iptables implementation of security groups included a default rule to drop any INVALID packets. Consequently, iptables could block legitimate traffic as INVALID, such as SCTP protocol traffic. This update addresses the issue by processing user-defined iptables rules before the INVALID DROP rule.
Clone Of: 1268413
Environment:
Last Closed: 2015-12-21 16:58:54 UTC
Target Upstream Version:
Flags: nmagnezi: needinfo-

Links
System ID Private Priority Status Summary Last Updated
Launchpad 1460741 0 None None None Never
OpenStack gerrit 218517 0 None None None Never
OpenStack gerrit 231928 0 None None None Never
Red Hat Product Errata RHBA-2015:2652 0 normal SHIPPED_LIVE openstack-neutron bug fix advisory 2015-12-21 21:50:47 UTC

Comment 1 Jakub Libosvar 2015-10-14 15:01:13 UTC
This bug should be targeted to RHOS 7, we have bug 1268413 for RHOS 6. Re-setting

Comment 3 Eran Kuris 2015-11-23 07:32:56 UTC
Need info to reproduce the issue; there is no explanation of how to try to reproduce the issue.

Comment 4 Eran Kuris 2015-11-23 09:21:49 UTC
verified on OSP-7 puddle 2015-11-20.2
[root@puma06 ~(keystone_admin)]# sudo iptables -nvL  neutron-openvswi-of216d9d9-f --line-numbers
Chain neutron-openvswi-of216d9d9-f (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        2   656 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */
2      257 22268 neutron-openvswi-sf216d9d9-f  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
4      141 12300 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
5      116  9968 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
6        0     0 RETURN     sctp --  *      *       0.0.0.0/0            0.0.0.0/0           
7        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
8        0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */
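The ordering the Doc Text describes and the listing above shows (the user-defined SCTP RETURN at rule 6 sits ahead of the `state INVALID` DROP at rule 7) can be illustrated with a small first-match simulation of the chain. This is an added example, not Neutron code; the chains, packets and the `invalid_drop_after_user_rules` audit helper are constructed here, and the DHCP rule is simplified to a protocol match only.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    target: str                      # RETURN, DROP or a chain name to jump to
    proto: str = "all"               # protocol match; "all" matches any packet
    states: frozenset = frozenset()  # conntrack-state match; empty means no state match
    user: bool = False               # True for a rule generated from a security-group rule

@dataclass
class Packet:
    proto: str
    ct_state: str                    # NEW, ESTABLISHED, RELATED or INVALID

def evaluate(chain, pkt):
    """First-match evaluation, as iptables does: verdict of the first rule that fits."""
    for rule in chain:
        if rule.proto != "all" and rule.proto != pkt.proto:
            continue
        if rule.states and pkt.ct_state not in rule.states:
            continue
        return rule.target
    return "POLICY"                  # end of chain: caller's policy applies

def invalid_drop_after_user_rules(chain):
    """Audit (constructed helper): every security-group rule must precede the INVALID DROP."""
    drop_idx = next(i for i, r in enumerate(chain)
                    if r.target == "DROP" and "INVALID" in r.states)
    return all(i < drop_idx for i, r in enumerate(chain) if r.user)

DHCP      = Rule("RETURN", proto="udp")   # simplified: the real rule also matches spt:68 dpt:67
SESSION   = Rule("RETURN", states=frozenset({"RELATED", "ESTABLISHED"}))
SCTP_USER = Rule("RETURN", proto="sctp", user=True)
INVALID   = Rule("DROP", states=frozenset({"INVALID"}))
FALLBACK  = Rule("neutron-openvswi-sg-fallback")

BEFORE_FIX = [DHCP, SESSION, INVALID, SCTP_USER, FALLBACK]   # constructed pre-fix ordering
AFTER_FIX  = [DHCP, SESSION, SCTP_USER, INVALID, FALLBACK]   # ordering seen in comment 4

# Constructed scenario: an SCTP packet that conntrack has classified as INVALID.
sctp_pkt = Packet(proto="sctp", ct_state="INVALID")

if __name__ == "__main__":
    print("before fix:", evaluate(BEFORE_FIX, sctp_pkt))   # DROP
    print("after fix: ", evaluate(AFTER_FIX, sctp_pkt))    # RETURN
    print("audit after fix:", invalid_drop_after_user_rules(AFTER_FIX))  # True
```

Note that the INVALID DROP still catches traffic no security-group rule permits, for example a TCP packet with no conntrack entry, so the fix narrows the rule's effect rather than removing it.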

Comment 9 errata-xmlrpc 2015-12-21 16:58:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:2652