Reviewed:  https://review.openstack.org/545091
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b564871bb759a38cf96527f94e7c7d4cc760b1c9
Submitter: Zuul
Branch:    master

commit b564871bb759a38cf96527f94e7c7d4cc760b1c9
Author: Brian Haley <bha...@redhat.com>
Date:   Thu Feb 15 13:57:32 2018 -0500

    Only allow SG port ranges for whitelisted protocols

    Iptables only supports port-ranges for certain protocols, others
    will generate failures, possibly leaving the agent looping trying
    to apply rules. Change to not allow port ranges outside of the
    list of known good protocols.

    Change-Id: I5867f77fc5aedc169b42f50def0424ff209c164c
    Closes-bug: #1749667

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1749667

Title:
  neutron doesn't correctly handle unknown protocols and should whitelist
  known and handled protocols

Status in neutron:
  Fix Released

Bug description:
  We have had problems with openvswitch agent continuously restarting and
  never actually completing setup because of this:

  # Completed by iptables_manager ; Stdout: ; Stderr:
  iptables-restore v1.4.21: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP
  Error occurred at line: 83
  Try `iptables-restore -h' or 'iptables-restore --help' for more information.
  83. -I neutron-openvswi-<id> 69 -s <ip> -p 112 -m multiport --dports 1:65535 -j RETURN

  ---

  Someone has managed to inject a rule that is, effectively, a DoS.
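As an added example of the check the commit message describes (this is not neutron's own code): a validator that refuses a security-group port range unless the protocol is one iptables' multiport match supports, plus a rule renderer that therefore can never hand iptables-restore the "-p 112 -m multiport" rule from the bug report. The function and class names are assumed; ICMP type/code handling is out of scope here.

```python
# Added example, not neutron's own code: refuse a security-group port range
# unless the protocol is one iptables' multiport match supports. Protocol
# names and IANA numbers are standard; the function names are assumed.

# Protocols "-m multiport" accepts, by name, with their IANA numbers.
PORT_RANGE_PROTOCOLS = {"tcp": 6, "udp": 17, "udplite": 136,
                        "sctp": 132, "dccp": 33}
# Callers may pass the name or the number, so accept both spellings.
_ALLOWED = set(PORT_RANGE_PROTOCOLS) | {
    str(n) for n in PORT_RANGE_PROTOCOLS.values()}


class InvalidPortRange(ValueError):
    """The rule would render to an iptables rule that cannot be loaded."""


def validate_sg_port_range(protocol, port_min=None, port_max=None):
    """Return the normalised (lo, hi) range, or None if the rule has no ports.

    Rejecting a range on a non-whitelisted protocol at the API keeps the bad
    rule out of iptables-restore, so the agent never loops on it.
    """
    if port_min is None and port_max is None:
        return None
    if protocol is None or str(protocol).lower() not in _ALLOWED:
        raise InvalidPortRange(
            "port range not allowed for protocol %r; allowed: %s"
            % (protocol, ", ".join(sorted(PORT_RANGE_PROTOCOLS))))
    lo = 1 if port_min is None else int(port_min)
    hi = lo if port_max is None else int(port_max)
    if not 1 <= lo <= hi <= 65535:
        raise InvalidPortRange("port range %s:%s is out of order or bounds"
                               % (lo, hi))
    return (lo, hi)


def port_range_allowed(protocol, port_min=None, port_max=None):
    """Yes/no form of the same check."""
    try:
        validate_sg_port_range(protocol, port_min, port_max)
        return True
    except InvalidPortRange:
        return False


def iptables_match(protocol, port_min=None, port_max=None):
    """Render the match part of the rule, validating first so a rule like
    '-p 112 -m multiport --dports 1:65535' is never produced."""
    ports = validate_sg_port_range(protocol, port_min, port_max)
    parts = [] if protocol is None else ["-p", str(protocol).lower()]
    if ports is not None:
        parts += ["-m", "multiport", "--dports", "%d:%d" % ports]
    return " ".join(parts)
```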