Submitter: Zuul
Branch:    master

commit b564871bb759a38cf96527f94e7c7d4cc760b1c9
Author: Brian Haley <>
Date:   Thu Feb 15 13:57:32 2018 -0500

    Only allow SG port ranges for whitelisted protocols

    Iptables only supports port-ranges for certain protocols,
    others will generate failures, possibly leaving the agent
    looping trying to apply rules.  Change to not allow port
    ranges outside of the list of known good protocols.

    Change-Id: I5867f77fc5aedc169b42f50def0424ff209c164c
    Closes-bug: #1749667

** Changed in: neutron
       Status: In Progress => Fix Released

You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.

  neutron doesn't correctly handle unknown protocols and should
  whitelist known and handled protocols

Status in neutron:
  Fix Released

Bug description:
  We have had problems with openvswitch agent continuously restarting
  and never actually completing setup because of this:

  # Completed by iptables_manager
  ; Stdout: ; Stderr: iptables-restore v1.4.21: multiport only works with TCP, 
  Error occurred at line: 83
  Try `iptables-restore -h' or 'iptables-restore --help' for more information.

      83. -I neutron-openvswi-<id> 69 -s <ip> -p 112 -m multiport --dports 1:65535 -j RETURN

  Someone has managed to inject a rule that is, effectively, a DoS.
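The check the fix describes, as an added example that is not neutron's own code: a security-group rule is rejected at validation time if it carries a port range on a protocol for which the iptables `multiport` match is not defined, so the bad line never reaches iptables-restore and the agent cannot get stuck re-applying it. The whitelist (tcp, udp, udplite, sctp, dccp) is the set libxt_multiport accepts; the function names, the rule dict layout, the rendered rule format and the sample rules are assumptions made for this example and loosely modelled on the rule quoted in the bug.

```python
"""Reject security-group port ranges that iptables' multiport cannot match.

Added example, not neutron code. The whitelist is the set of protocols
libxt_multiport accepts ("multiport only works with TCP, UDP, UDPLITE,
SCTP and DCCP"); everything else here is an assumption for illustration.
"""

# Protocols for which '-m multiport' is valid, with their IP protocol
# numbers so that a rule may name the protocol either way ("tcp" or 6).
PORT_RANGE_PROTOCOLS = {
    "tcp": 6,
    "udp": 17,
    "udplite": 136,
    "sctp": 132,
    "dccp": 33,
}
_NAME_BY_NUMBER = {num: name for name, num in PORT_RANGE_PROTOCOLS.items()}


def normalize_protocol(protocol):
    """Map a protocol name or number to its whitelist name if it has one;
    otherwise return the value as a lowercase string (e.g. '112' for VRRP)."""
    if protocol is None:
        return None
    p = str(protocol).strip().lower()
    if p in PORT_RANGE_PROTOCOLS:
        return p
    if p.isdigit() and int(p) in _NAME_BY_NUMBER:
        return _NAME_BY_NUMBER[int(p)]
    return p


def port_range_allowed(protocol):
    """True only for protocols where iptables accepts a port range."""
    return normalize_protocol(protocol) in PORT_RANGE_PROTOCOLS


def validate_sg_rule(rule):
    """Validate a rule dict (assumed keys: protocol, source, port_range_min,
    port_range_max). Raises ValueError for a port range on a protocol that
    iptables cannot range-match, or for an out-of-range port. Returns the
    rule unchanged when it is acceptable."""
    lo = rule.get("port_range_min")
    hi = rule.get("port_range_max")
    if lo is None and hi is None:
        return rule  # no port range: any protocol is fine
    if not port_range_allowed(rule.get("protocol")):
        raise ValueError(
            "port range only supported for %s, not protocol %r"
            % (", ".join(sorted(PORT_RANGE_PROTOCOLS)), rule.get("protocol")))
    lo = lo if lo is not None else hi
    hi = hi if hi is not None else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("invalid port range %r-%r" % (lo, hi))
    return rule


def iptables_rule(chain, rule):
    """Render a validated rule as one iptables-restore line (constructed
    format, modelled on the line quoted in the bug)."""
    validate_sg_rule(rule)
    parts = ["-I", chain, "-s", rule["source"], "-p", str(rule["protocol"])]
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None or hi is not None:
        lo = lo if lo is not None else hi
        hi = hi if hi is not None else lo
        ports = str(lo) if lo == hi else "%d:%d" % (lo, hi)
        parts += ["-m", "multiport", "--dports", ports]
    parts += ["-j", "RETURN"]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample rules: a valid TCP range, a VRRP rule without a
    # range, and the shape of the rule from the bug (protocol 112 + range).
    chain = "neutron-openvswi-example"
    ok_tcp = {"source": "10.0.0.5/32", "protocol": "tcp",
              "port_range_min": 1, "port_range_max": 65535}
    ok_vrrp = {"source": "10.0.0.5/32", "protocol": 112}
    bad_vrrp = {"source": "10.0.0.5/32", "protocol": "112",
                "port_range_min": 1, "port_range_max": 65535}
    print(iptables_rule(chain, ok_tcp))
    print(iptables_rule(chain, ok_vrrp))
    try:
        iptables_rule(chain, bad_vrrp)
    except ValueError as exc:
        print("rejected:", exc)
```

Note that the protocol itself is still accepted without a range (plain `-p 112` is a valid iptables rule); only the combination of a range with a non-whitelisted protocol is refused, which matches the narrower fix the commit message describes rather than blocking unusual protocols outright.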
