Author: Brian Haley <bha...@redhat.com>
Date: Thu Feb 15 13:57:32 2018 -0500
Only allow SG port ranges for whitelisted protocols
Iptables only supports port-ranges for certain protocols,
others will generate failures, possibly leaving the agent
looping trying to apply rules. Change to not allow port
ranges outside of the list of known good protocols.
** Changed in: neutron
Status: In Progress => Fix Released
neutron doesn't correctly handle unknown protocols and should
whitelist known and handled protocols
Status in neutron:
We have had problems with the openvswitch agent continuously restarting
and never actually completing setup because of this:
# Completed by iptables_manager
; Stdout: ; Stderr: iptables-restore v1.4.21: multiport only works with TCP,
UDP, UDPLITE, SCTP and DCCP
Error occurred at line: 83
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
83. -I neutron-openvswi-<id> 69 -s <ip> -p 112 -m multiport --dports
1:65535 -j RETURN
Someone has managed to inject a rule that is, effectively, a DoS.
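The defensive check the fix describes, written out as an added example rather than neutron's own code: a security-group rule that carries a port range is accepted only when the protocol is one that iptables' multiport match supports (the five named in the iptables-restore error above). The whitelist, the protocol-number mapping and the function names are assumptions of this example; ICMP type/code validation is a separate path and is not covered here.

```python
# Added example, not neutron's code: reject port ranges for protocols that
# iptables "-m multiport" cannot match, so iptables-restore never sees a rule
# like "-p 112 -m multiport --dports 1:65535" and the agent does not loop.

# Protocols for which multiport accepts --dports/--sports, per the
# iptables-restore message quoted in the bug. Numbers are IANA protocol numbers.
PORT_RANGE_PROTOCOLS = {"tcp": 6, "udp": 17, "udplite": 136, "sctp": 132, "dccp": 33}
_NUM_TO_NAME = {num: name for name, num in PORT_RANGE_PROTOCOLS.items()}


class InvalidRule(ValueError):
    """Raised for a rule that iptables-restore would refuse to load."""


def normalize_protocol(protocol):
    """Return a lowercase protocol name (or its number as a string) or None."""
    if protocol is None:
        return None
    text = str(protocol).strip().lower()
    if text.isdigit():
        num = int(text)
        if not 0 <= num <= 255:
            raise InvalidRule(f"protocol number out of range: {text}")
        return _NUM_TO_NAME.get(num, str(num))  # 6 -> "tcp", 112 -> "112"
    return text


def validate_port_range(protocol, port_min, port_max):
    """Validate a rule before it is rendered; return the normalized protocol."""
    proto = normalize_protocol(protocol)
    if port_min is None and port_max is None:
        return proto  # no port range at all: any protocol is fine
    if proto not in PORT_RANGE_PROTOCOLS:
        raise InvalidRule(f"port range not supported for protocol {proto!r}")
    lo = port_min if port_min is not None else port_max
    hi = port_max if port_max is not None else port_min
    if not 1 <= lo <= hi <= 65535:
        raise InvalidRule(f"invalid port range {lo}:{hi}")
    return proto


def iptables_match(protocol, port_min, port_max):
    """Render the match fragment for an already validated rule."""
    proto = validate_port_range(protocol, port_min, port_max)
    if port_min is None and port_max is None:
        return f"-p {proto}"
    lo = port_min if port_min is not None else port_max
    hi = port_max if port_max is not None else port_min
    return f"-p {proto} -m multiport --dports {lo}:{hi}"


def rule_is_acceptable(protocol, port_min, port_max):
    """Boolean form of validate_port_range for callers that only need yes/no."""
    try:
        validate_port_range(protocol, port_min, port_max)
        return True
    except InvalidRule:
        return False
```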