Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1921274

Summary: fix MCS blocking iptables rules
Product: OpenShift Container Platform Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: NetworkingAssignee: Dan Winship <danw>
Networking sub component: ovn-kubernetes QA Contact: Ying Wang <yingwang>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: urgent CC: anbhat, bbennett, danw, ealcaniz, kholtz, kkulkarn, memodi, mmethot, rkhan
Version: 4.7   
Target Milestone: ---   
Target Release: 4.6.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: An incorrect ovn-kubernetes security rule that was supposed to only block outbound connections also blocked some inbound connections. Consequence: In the general case, around 1 in 10,000 attempts to connect to a pod would fail spuriously. However, if a client intentionally used a restricted range of source ports, it could hit the buggy rule more frequently. Fix: The iptables rule was fixed to only block the intended connections. Result: No spurious failures.
 Story Points: ---
Clone Of:
: 1921283 (view as bug list) Environment:
Last Closed: 2021-02-17 19:25:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1915027, 1998453    
Bug Blocks: 1921283    

Comment 2 Kedar Kulkarni 2021-02-04 20:57:39 UTC 
Hi,
I was able to verify the BZ on OVN cluster using `curl` command to curl 172.30.0.1 as per the instructions. Here's the snippet of one of the curl calls:

===========================================================================================
for i in 22623 22624; do curl  --local-port $i https://172.30.0.1/ -k; done
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
}{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
}
===========================================================================================



Nightly Build used:  4.6.0-0.nightly-2021-02-04-091446



For a cluster with SDN, I could not get the curl to work as it gave operation timed out. I also checked the iptable rules on the 4.6 SDN cluster vs 4.7 SDN cluster: 


4.6 Cluster: 
=============
-A OPENSHIFT-BLOCK-OUTPUT -p tcp -m tcp --dport 22623 -j REJECT --reject-with icmp-port-unreachable
-A OPENSHIFT-BLOCK-OUTPUT -p tcp -m tcp --dport 22624 -j REJECT --reject-with icmp-port-unreachable


4.7 Cluster:
=============
-A OPENSHIFT-BLOCK-OUTPUT -p tcp -m tcp --dport 22623 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A OPENSHIFT-BLOCK-OUTPUT -p tcp -m tcp --dport 22624 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable


Kindly let me know if the BZ is intended to fix the problem with SDN similar to 1915027(fixes both SDN/OVN). I am assuming the fix should have been on applied to both, hence moving it back to Assigned.

Thanks,
KK.
Comment 3 Dan Winship 2021-02-05 13:29:36 UTC 
(In reply to Kedar Kulkarni from comment #2)
> I was able to verify the BZ on OVN cluster using `curl` command to curl
> 172.30.0.1 as per the instructions.

> Kindly let me know if the BZ is intended to fix the problem with SDN similar
> to 1915027(fixes both SDN/OVN). I am assuming the fix should have been on
> applied to both, hence moving it back to Assigned.

No, we only did the backport for ovn-kubernetes, so this was the expected behavior. Sorry for not clarifying that.
Comment 6 errata-xmlrpc 2021-02-17 19:25:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.17 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0424
Comment 7 Mehul Modi 2021-09-23 18:58:19 UTC 
Added QE testcase: https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-44939