Bug 1269849 - security groups iptables can block legitimate traffic as INVALID
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 7.0 (Kilo)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: z3
Target Release: 7.0 (Kilo)
Assigned To: Nir Magnezi
QA Contact: Eran Kuris
Keywords: ZStream
Depends On: 1268413 1338971
Blocks:
Reported: 2015-10-08 07:00 EDT by Nir Magnezi
Modified: 2016-05-23 14:42 EDT
CC: 14 users

See Also:
Fixed In Version: openstack-neutron-2015.1.1-13.el7ost
Doc Type: Bug Fix
Doc Text:
Prior to this update, the Linux iptables implementation of security groups placed a default rule that drops any packet conntrack classifies as INVALID ahead of the user-defined rules. Consequently, iptables could block legitimate traffic as INVALID, such as SCTP traffic, even where a security group rule allowed it. This update addresses the issue by processing the user-defined iptables rules before the INVALID DROP rule, so that traffic matched by a security group rule is returned before the INVALID check and only traffic that no user-defined rule matches is subject to it.
Story Points: ---
Clone Of: 1268413
Environment:
Last Closed: 2015-12-21 11:58:54 EST
Type: Bug
External Trackers:
  Launchpad 1460741
  OpenStack gerrit 218517
  OpenStack gerrit 231928
Comment 1 Jakub Libosvar 2015-10-14 11:01:13 EDT
This bug should be targeted to RHOS 7; we have bug 1268413 for RHOS 6. Re-setting.
Comment 3 Eran Kuris 2015-11-23 02:32:56 EST
Need info to reproduce the issue; there is no explanation of how to reproduce it.
Comment 4 Eran Kuris 2015-11-23 04:21:49 EST
verified on OSP-7 puddle 2015-11-20.2
[root@puma06 ~(keystone_admin)]# sudo iptables -nvL  neutron-openvswi-of216d9d9-f --line-numbers
Chain neutron-openvswi-of216d9d9-f (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        2   656 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */
2      257 22268 neutron-openvswi-sf216d9d9-f  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
4      141 12300 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
5      116  9968 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
6        0     0 RETURN     sctp --  *      *       0.0.0.0/0            0.0.0.0/0           
7        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
8        0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */
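The chain listing in comment 4 shows the ordering the Doc Text describes: the rules rendered from the security group (5 and 6, the ones without a /* comment */) sit ahead of the `state INVALID` DROP at 7, and the fallback jump comes last. The Python below is an added example, not code from this bug report, from the commenter or from Neutron. It parses `iptables -nvL <chain> --line-numbers` output in that format, reports whether a chain has the fixed ordering, and walks a packet through the chain to show which rule decides it. It assumes the heuristic that Neutron comments its own built-in rules while the security-group rules carry no comment, treats a jump to the `-sg-fallback` chain as a drop (that chain holds a single DROP rule), and constructs two further listings itself (the pre-fix order, and a chain with the allow-all rule removed); those constructed listings and all function names are illustrative and not from the page.

```python
"""Added example (not from this bug report or Neutron): parse `iptables -nvL <chain> --line-numbers`
output as pasted in comment 4, check whether the user-defined security-group rules precede the
`state INVALID` DROP rule (the ordering this fix introduces), and walk a packet through the chain.
Assumed heuristic: Neutron tags its own built-in rules with a /* comment */; rules rendered from
security-group entries carry none."""
import re

# Chain listing copied from comment 4 (fixed build: user rules 5-6 precede DROP INVALID at 7).
FIXED_CHAIN = """\
Chain neutron-openvswi-of216d9d9-f (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        2   656 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */
2      257 22268 neutron-openvswi-sf216d9d9-f  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
4      141 12300 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
5      116  9968 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 RETURN     sctp --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
8        0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */
"""

def _reorder(listing, order):
    """Rebuild a listing with its rules in `order` (1-based original rule numbers), renumbered."""
    lines = listing.splitlines()
    body = [re.sub(r"^\d+", str(i + 1), lines[2:][j - 1], count=1) for i, j in enumerate(order)]
    return "\n".join(lines[:2] + body) + "\n"

# Constructed samples (not from the page): the pre-fix order, with DROP INVALID ahead of the user
# rules, and a chain whose only security-group rule is the SCTP one (allow-all rule 5 removed).
OLD_CHAIN = _reorder(FIXED_CHAIN, [1, 2, 3, 4, 7, 5, 6, 8])
SCTP_ONLY_CHAIN = _reorder(FIXED_CHAIN, [1, 2, 3, 4, 6, 7, 8])

RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<pkts>\S+)\s+(?P<bytes>\S+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)

def parse_chain(listing):
    """Return one dict per rule; the two header lines do not match RULE_RE and are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["num"] = int(r["num"])
        extra = r.pop("extra")
        cm = re.search(r"/\*(.*?)\*/", extra)
        r["comment"] = cm.group(1).strip() if cm else None
        r["match"] = (extra[:cm.start()] if cm else extra).strip()  # e.g. "state INVALID"
        rules.append(r)
    return rules

def is_invalid_drop(rule):
    return rule["target"] == "DROP" and re.search(r"\b(?:ct)?state INVALID\b", rule["match"]) is not None

def is_user_rule(rule):
    # Heuristic from the docstring: uncommented RETURN rules are the rendered security-group rules.
    return rule["comment"] is None and rule["target"] == "RETURN"

def check_order(listing):
    """Report the rule numbers involved and whether every user rule precedes the INVALID drop."""
    rules = parse_chain(listing)
    drop = [r["num"] for r in rules if is_invalid_drop(r)]
    user = [r["num"] for r in rules if is_user_rule(r)]
    return {"invalid_drop": drop, "user_rules": user, "fixed": bool(drop and user) and max(user) < min(drop)}

TERMINAL = {"RETURN", "DROP", "ACCEPT", "REJECT"}

def _port(match, key):
    m = re.search(rf"\b{key}:(\d+)\b", match)
    return int(m.group(1)) if m else None

def decide(listing, packet):
    """Walk the chain for packet {prot, state, sport?, dport?}; return (rule number, verdict).
    Only the protocol, (ct)state and spt/dpt matches present in the listing are modelled."""
    for r in parse_chain(listing):
        if r["prot"] != "all" and r["prot"] != packet["prot"]:
            continue
        sm = re.search(r"\b(?:ct)?state ([A-Z,]+)", r["match"])
        if sm and packet.get("state") not in sm.group(1).split(","):
            continue
        if any(_port(r["match"], k) not in (None, packet.get(p)) for k, p in (("spt", "sport"), ("dpt", "dport"))):
            continue
        if r["target"].endswith("-sg-fallback"):
            return r["num"], "DROP"  # Neutron's fallback chain holds a single DROP rule
        if r["target"] not in TERMINAL:
            continue                 # jump to another chain (anti-spoofing here); assumed to return
        return r["num"], r["target"]
    return None, "policy"

if __name__ == "__main__":
    sctp_invalid = {"prot": "sctp", "state": "INVALID"}  # SCTP that conntrack classified as INVALID
    for name, chain in (("fixed", FIXED_CHAIN), ("pre-fix", OLD_CHAIN), ("sctp-only", SCTP_ONLY_CHAIN)):
        print(name, check_order(chain), "sctp/INVALID ->", decide(chain, sctp_invalid))
    print("stray tcp/INVALID, sctp-only chain ->", decide(SCTP_ONLY_CHAIN, {"prot": "tcp", "state": "INVALID"}))
```

To check a live compute node, feed the output of `iptables -nvL neutron-openvswi-o<port-prefix> --line-numbers` to check_order. The walk also makes the caveat visible: on the egress chain from comment 4, rule 5 returns everything, so after the fix the INVALID DROP is only reached by traffic that no security-group rule matches; on the reduced chain, an SCTP packet conntrack has flagged INVALID is returned by the explicit SCTP rule, while a stray TCP segment in the same state is still dropped, and a new TCP connection with no matching rule ends in the fallback chain.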
Comment 9 errata-xmlrpc 2015-12-21 11:58:54 EST
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:2652
