Bug 1429331 - iptables rule blocks traffic even with port_security_enabled set to False
Summary: iptables rule blocks traffic even with port_security_enabled set to False
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 9.0 (Mitaka)
Hardware: All
OS: Linux
high
high
Target Milestone: async
: 9.0 (Mitaka)
Assignee: Daniel Alvarez Sanchez
QA Contact: Eran Kuris
URL:
Whiteboard:
: 1428782 (view as bug list)
Depends On: 1406263
Blocks: 1369066
TreeView+ depends on / blocked
 
Reported: 2017-03-06 06:28 UTC by Masaki Furuta ( RH )
Modified: 2020-05-14 15:42 UTC (History)
23 users (show)

Fixed In Version: openstack-neutron-8.3.0-4.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, when ports were created with port_security disabled, the explicit iptables rules were not applied to allow the traffic. This resulted in packets hitting a default REJECT rule, and all traffic was blocked. With this fix, firewall rules are correctly installed on ports with port_security disabled and traffic is allowed.
Clone Of: 1406263
Environment:
Last Closed: 2017-03-30 19:35:40 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openstack/neutron-tempest-plugin/blob/master/neutron_tempest_plugin/scenario/test_portsecurity.py 0 None None None 2017-12-24 09:54:18 UTC
OpenStack gerrit 428073 0 None None None 2017-03-06 06:28:16 UTC
Red Hat Product Errata RHBA-2017:0856 0 normal SHIPPED_LIVE openstack-neutron bug fix advisory 2017-03-30 23:34:33 UTC

Comment 1 Masaki Furuta ( RH ) 2017-03-06 06:43:13 UTC 
This was done in upstream here:

- https://bugs.launchpad.net/neutron/+bug/1549443/comments/31

~~~
OpenStack Infra (hudson-openstack) wrote on 2017-03-04: Fix merged to neutron (stable/mitaka)	#31
Reviewed: https://review.openstack.org/440850
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3d146d0e79c5411f7b156cae2085b17ef10d671f
Submitter: Jenkins
Branch: stable/mitaka

commit 3d146d0e79c5411f7b156cae2085b17ef10d671f
Author: Bernard Cafarelli <email address hidden>
Date: Thu Jan 19 14:14:12 2017 +0100

    Revert "Setup firewall filters only for required ports"

    This reverts commit 75edc1ff28a460342a9b5e5b7d63c6f4fb59862d.

    Ports with port security disabled require firewall entries in
    neutron-openvswi-FORWARD chain to work properly.
    Ports created with no security groups will not get skipped with current
    code.
    With fixed security groups check, these ports' security groups can not
    be updated after creation.

    Closes-Bug: #1549443

    Conflicts:
     neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
     neutron/tests/functional/agent/l2/base.py
     neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py

    Change-Id: I95ddbe38d8ac8a927a860a98f54e41e17fb71d43
    (cherry picked from commit a8b6a597b6aab7cd3b0a5d0c3baad75af395fe1d)

tags:	added: in-stable-mitaka
~~~
Comment 4 Assaf Muller 2017-03-06 11:15:15 UTC 
Approved for hotfix for NEC.
Comment 5 Daniel Alvarez Sanchez 2017-03-06 11:27:28 UTC 
Package is built and doc flags updated.
Comment 7 ykawada 2017-03-08 07:56:18 UTC 
*** Bug 1428782 has been marked as a duplicate of this bug. ***
Comment 9 Eran Kuris 2017-03-21 09:37:03 UTC 
9   -p 2017-03-17.1
$ rpm -qa |grep openstack-neutron-8
openstack-neutron-8.3.0-5.el7ost.noarch


verified and fixed 

steps -
1. neutron net-create net-64-2 --port_security_enabled false
2. neutron subnet-create net-64-2 10.0.5.0/24 --name subnet_4 --enable_dhcp true
3. neutron router-create Router_eNet
4. neutron router-interface-add Router_eNet  dd073541-b444-4ab6-8187-346d7a8eb96a
5. neutron router-gateway-set Router_eNet 25df8c01-0632-4b49-ac8c-31d0155bfb0e
6. nova boot --flavor 3 --image cirros VM1 --nic net-id=551f3ab9-2292-4d43-b8bd-b7bd59951799
7. neutron port-show 104ab04f-3b1f-408e-bee0-10ba0d6dab35 |grep security
verify  port_security_enabled = False
8. connectivity check from qrouter to VM1 
ip net exec qrouter-5d10b101-4bc5-4261-aa3d-9c192e85ee06 ping 10.0.5.3
Comment 11 errata-xmlrpc 2017-03-30 19:35:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0856
Comment 12 Benjamin Schmaus 2017-04-03 12:56:17 UTC 
Clear INFO
Note You need to log in before you can comment on or make changes to this bug.