Public bug reported:

If there is, e.g., a user-defined SG rule which allows SCTP traffic, the iptables firewall driver will always match such traffic, even if it is marked as INVALID by conntrack.
This is due to the order of the rules in iptables:

Chain neutron-openvswi-i0133d93d-e (1 references)
 pkts bytes target     prot opt in     out     source               destination
   61  5493 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
    2   728 RETURN     udp  --  *      *       0.0.0.0/0            10.0.0.55            udp spt:67 dpt:68
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            255.255.255.255      udp spt:67 dpt:68
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set NIPv408140248-6eff-4e0d-aadf- src
    0     0 RETURN     sctp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */


In case of openvswitch firewall driver it works properly, so INVALID packets 
are dropped even if they could match some SG rules.
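The following is an added illustration, not part of the bug report or of neutron's code: a small first-match model of the ingress chain dumped above, evaluated once in the order shown in the report and once with the `state INVALID` DROP moved ahead of the per-SG-rule RETURNs (the reordering is an assumed fix, not one stated in the report). The sample packets are constructed.

```python
"""First-match model of the neutron-openvswi-i* chain from the bug report.

Constructed for illustration: each rule is (description, predicate, target) and
the chain is walked until the first matching rule, as iptables does.
"""
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, str]
Rule = Tuple[str, Callable[[Packet], bool], str]

def evaluate(chain: List[Rule], pkt: Packet) -> str:
    """Return the target of the first rule whose predicate matches pkt."""
    for _desc, matches, target in chain:
        if matches(pkt):
            return target
    return "POLICY"  # chain exhausted: iptables falls back to the calling chain

# Rules transcribed from the chain in the report (the SG rule allows any SCTP).
CONNTRACK_OK: Rule = ("state RELATED,ESTABLISHED",
                      lambda p: p["ctstate"] in ("RELATED", "ESTABLISHED"), "RETURN")
DHCP: Rule = ("udp spt:67 dpt:68",
              lambda p: p["proto"] == "udp" and p.get("sport") == "67"
              and p.get("dport") == "68", "RETURN")
SG_SCTP: Rule = ("sctp (user SG rule)", lambda p: p["proto"] == "sctp", "RETURN")
DROP_INVALID: Rule = ("state INVALID", lambda p: p["ctstate"] == "INVALID", "DROP")
FALLBACK: Rule = ("fallback", lambda p: True, "neutron-openvswi-sg-fallback")

# Order as dumped in the report: the INVALID drop sits after the SG rules.
REPORTED_ORDER: List[Rule] = [CONNTRACK_OK, DHCP, SG_SCTP, DROP_INVALID, FALLBACK]
# Assumed fix: reject INVALID before consulting any SG rule (not from the report).
FIXED_ORDER: List[Rule] = [CONNTRACK_OK, DROP_INVALID, DHCP, SG_SCTP, FALLBACK]

def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Evaluate a few constructed packets against the chain."""
    samples = {
        "sctp_invalid": {"proto": "sctp", "ctstate": "INVALID"},
        "sctp_new": {"proto": "sctp", "ctstate": "NEW"},
        "tcp_invalid": {"proto": "tcp", "ctstate": "INVALID"},
        "tcp_established": {"proto": "tcp", "ctstate": "ESTABLISHED"},
    }
    return {name: evaluate(chain, pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for label, chain in (("reported", REPORTED_ORDER), ("fixed", FIXED_ORDER)):
        print(label, verdicts(chain))
```

With the reported order an INVALID SCTP packet hits the SG rule first and is RETURNed (accepted); with the DROP moved ahead it is dropped while NEW SCTP traffic is still accepted.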

** Affects: neutron
     Importance: Medium
     Assignee: Slawek Kaplonski (slaweq)
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1896587

Title:
  iptables firewall driver doesn't drop invalid packets which match some
  SG rule

Status in neutron:
  New

