Public bug reported:
I followed this document to create a security group rule for the requirement "Allow
ingress Protocol IPIP or 4", and I used the "ipip" value:
https://docs.openstack.org/api-ref/network/v2/index.html#create-security-group-rule
btw, I expected my iptables rule on the nova compute node to be "-A INPUT -s 172.16.2.0/24
-p 4 -j ACCEPT", but the runtime rule in the kernel was "-A INPUT -s 172.16.2.0/24
-p ipip -j ACCEPT", and the proto number was 94, not 4.
// the rules output for one port
Chain neutron-linuxbri-idf95737e-7 (1 references)
 pkts bytes target                        prot opt in  out source          destination
 115K  219M RETURN                        all  --  *   *   0.0.0.0/0       0.0.0.0/0        state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
    0     0 RETURN                        udp  --  *   *   0.0.0.0/0       172.16.2.165     udp spt:67 dpt:68
    0     0 RETURN                        udp  --  *   *   0.0.0.0/0       255.255.255.255  udp spt:67 dpt:68
    0     0 RETURN                        94   --  *   *   172.16.2.0/24   0.0.0.0/0
    0     0 RETURN                        udp  --  *   *   172.16.2.0/24   0.0.0.0/0        udp dpt:8472
    0     0 RETURN                        tcp  --  *   *   172.16.2.0/24   0.0.0.0/0        tcp dpt:4240
    0     0 RETURN                        udp  --  *   *   172.16.2.0/24   0.0.0.0/0        udp multiport dports 30000:32767
    1    90 RETURN                        tcp  --  *   *   172.16.2.0/24   0.0.0.0/0        tcp dpt:10250
    0     0 RETURN                        tcp  --  *   *   172.16.2.0/24   0.0.0.0/0        tcp dpt:4245
  512 30720 RETURN                        tcp  --  *   *   172.16.2.0/24   0.0.0.0/0        tcp multiport dports 30000:32767
    0     0 RETURN                        icmp --  *   *   172.16.2.0/24   0.0.0.0/0
    0     0 RETURN                        udp  --  *   *   172.16.2.0/24   0.0.0.0/0        udp dpt:4789
    0     0 RETURN                        tcp  --  *   *   172.16.2.0/24   0.0.0.0/0        tcp dpt:4244
    2   142 RETURN                        tcp  --  *   *   172.16.2.0/24   0.0.0.0/0        tcp dpt:179
    0     0 DROP                          all  --  *   *   0.0.0.0/0       0.0.0.0/0        state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
   14  2122 neutron-linuxbri-sg-fallback  all  --  *   *   0.0.0.0/0       0.0.0.0/0        /* Send unmatched traffic to the fallback chain. */
** Affects: neutron
Importance: Undecided
Status: New
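The mismatch the report shows (a rule written as "-p ipip" that the kernel lists as protocol 94) comes from how iptables turns a protocol name into a number: names are looked up in /etc/protocols, and in that file "ipip" is protocol 94 (IP-within-IP) while protocol 4 is listed under the name "ipencap" (IP-ENCAP). Writing the number instead of the name into "-p" avoids the lookup. The following is an added example, not code from the bug report or from neutron: it parses a constructed excerpt of /etc/protocols, resolves a "-p" argument the way iptables does, audits a rendered rule against the protocol the security-group rule intended, and renders the "-p" value safely. The API_PROTOCOL_NUMBERS map is a hypothetical stand-in for whatever name-to-number table the rule generator keeps; only its "ipip" -> 4 entry is taken from the report's stated expectation.

```python
"""Why '-p ipip' in an iptables rule does not mean IP protocol 4.

iptables resolves a protocol *name* through /etc/protocols (getprotobyname),
where "ipip" is 94 and protocol 4 is listed as "ipencap".  A rule generator
that copies the API name "ipip" into "-p" therefore installs a rule for 94,
which is the "prot 94" entry in the chain listing above.  Emitting the IANA
number instead of the name sidesteps the lookup entirely.
"""
import re

# Constructed excerpt of a Linux /etc/protocols (netbase).  The names and
# numbers match the real file; the text is embedded so the example runs
# without reading the host's copy.
ETC_PROTOCOLS = """\
# Internet (IP) protocols
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
ipencap 4       IP-ENCAP        # IP encapsulated in IP (officially ``IP'')
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
gre     47      GRE             # General Routing Encapsulation
esp     50      IPSEC-ESP       # Encap Security Payload
ipip    94      IPIP            # IP-within-IP Encapsulation Protocol
"""

# Hypothetical name->number table of a security-group API layer (assumed for
# this example; neutron's own constants are not reproduced here).
API_PROTOCOL_NUMBERS = {
    "icmp": 1,
    "ipip": 4,   # the API's "ipip" means IANA protocol 4, as the report expects
    "tcp": 6,
    "udp": 17,
    "gre": 47,
}


def parse_protocols(text):
    """Parse /etc/protocols text into {name_lower: number}, aliases included."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        number = int(fields[1])
        for name in [fields[0]] + fields[2:]:
            table[name.lower()] = number
    return table


def iptables_resolve(proto_arg, protocols):
    """Resolve an iptables '-p' argument the way iptables does.

    A decimal string is taken literally; anything else is looked up by name.
    Returns None for an unknown name (iptables would reject such a rule).
    """
    if re.fullmatch(r"\d+", proto_arg):
        return int(proto_arg)
    return protocols.get(proto_arg.lower())


def safe_proto_arg(api_protocol, protocols):
    """Choose the '-p' value to emit for a security-group-rule protocol.

    The name is kept only when /etc/protocols maps it to the number the API
    intends; otherwise (or when the name is unknown there) the number is
    emitted, so the installed rule cannot drift from the intended protocol.
    """
    if re.fullmatch(r"\d+", api_protocol):
        return api_protocol
    intended = API_PROTOCOL_NUMBERS[api_protocol]
    if iptables_resolve(api_protocol, protocols) == intended:
        return api_protocol
    return str(intended)


def audit_rule(api_protocol, emitted_proto_arg, protocols):
    """Return (intended, installed, ok) for one rendered rule, to check a
    chain listing against the security-group rule that produced it."""
    intended = API_PROTOCOL_NUMBERS.get(api_protocol)
    if intended is None and re.fullmatch(r"\d+", api_protocol):
        intended = int(api_protocol)
    installed = iptables_resolve(emitted_proto_arg, protocols)
    return intended, installed, intended == installed


if __name__ == "__main__":
    db = parse_protocols(ETC_PROTOCOLS)
    # Naive rendering reproduces the report: "-p ipip" installs protocol 94.
    print(audit_rule("ipip", "ipip", db))                      # (4, 94, False)
    # Emitting the number gives the rule the report expected.
    print(safe_proto_arg("ipip", db))                          # '4'
    print(audit_rule("ipip", safe_proto_arg("ipip", db), db))  # (4, 4, True)
    # Unambiguous names are left alone.
    print(safe_proto_arg("tcp", db))                           # 'tcp'
```

Run against the live chain, the audit step is the check to apply: compare the "prot" column of `iptables -nvL` for the port's chain with the number the security-group rule meant, rather than trusting that the name in the generated rule means the same thing to the kernel.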
** Description changed:
- I followed this document to create security group rule for requirement "Allow
ingress Protocol IPIP or 4" and I used "ip" value
+ I followed this document to create security group rule for requirement "Allow
ingress Protocol IPIP or 4" and I used "ipip" value
https://docs.openstack.org/api-ref/network/v2/index.html#create-security-group-rule
And I expected my iptables rule on nova compute is "-A INPUT -s 172.16.2.0/24
-p 4 -j ACCEPT" but the runtime rule in kernel was "-A INPUT -s 172.16.2.0/24
-p ipip -j ACCEPT" and proto number was 94 not 4
// the rules output for one port
Chain neutron-linuxbri-idf95737e-7 (1 references)
- pkts bytes target prot opt in out source
destination
- 115K 219M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED /* Direct packets associated with a known
session to the RETURN chain. */
- 0 0 RETURN udp -- * * 0.0.0.0/0
172.16.2.165 udp spt:67 dpt:68
- 0 0 RETURN udp -- * * 0.0.0.0/0
255.255.255.255 udp spt:67 dpt:68
- 0 0 RETURN 94 -- * * 172.16.2.0/24 0.0.0.0/0
- 0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0
udp dpt:8472
- 0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:4240
- 0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0
udp multiport dports 30000:32767
- 1 90 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:10250
- 0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:4245
- 512 30720 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp multiport dports 30000:32767
- 0 0 RETURN icmp -- * * 172.16.2.0/24 0.0.0.0/0
- 0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0
udp dpt:4789
- 0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:4244
- 2 142 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:179
- 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID /* Drop packets that appear related to an existing
connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
- 14 2122 neutron-linuxbri-sg-fallback all -- * * 0.0.0.0/0
0.0.0.0/0 /* Send unmatched traffic to the fallback chain.
*/
+ pkts bytes target prot opt in out source
destination
+ 115K 219M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED /* Direct packets associated with a known
session to the RETURN chain. */
+ 0 0 RETURN udp -- * * 0.0.0.0/0
172.16.2.165 udp spt:67 dpt:68
+ 0 0 RETURN udp -- * * 0.0.0.0/0
255.255.255.255 udp spt:67 dpt:68
+ 0 0 RETURN 94 -- * * 172.16.2.0/24 0.0.0.0/0
+ 0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0
udp dpt:8472
+ 0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:4240
+ 0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0
udp multiport dports 30000:32767
+ 1 90 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:10250
+ 0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:4245
+ 512 30720 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp multiport dports 30000:32767
+ 0 0 RETURN icmp -- * * 172.16.2.0/24 0.0.0.0/0
+ 0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0
udp dpt:4789
+ 0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:4244
+ 2 142 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:179
+ 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID /* Drop packets that appear related to an existing
connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
+ 14 2122 neutron-linuxbri-sg-fallback all -- * * 0.0.0.0/0
0.0.0.0/0 /* Send unmatched traffic to the fallback chain.
*/
** Description changed:
I followed this document to create security group rule for requirement "Allow
ingress Protocol IPIP or 4" and I used "ipip" value
https://docs.openstack.org/api-ref/network/v2/index.html#create-security-group-rule
- And I expected my iptables rule on nova compute is "-A INPUT -s 172.16.2.0/24
-p 4 -j ACCEPT" but the runtime rule in kernel was "-A INPUT -s 172.16.2.0/24
-p ipip -j ACCEPT" and proto number was 94 not 4
+ btw I expected my iptables rule on nova compute is "-A INPUT -s 172.16.2.0/24
-p 4 -j ACCEPT" but the runtime rule in kernel was "-A INPUT -s 172.16.2.0/24
-p ipip -j ACCEPT" and proto number was 94 not 4
// the rules output for one port
Chain neutron-linuxbri-idf95737e-7 (1 references)
pkts bytes target prot opt in out source
destination
115K 219M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED /* Direct packets associated with a known
session to the RETURN chain. */
0 0 RETURN udp -- * * 0.0.0.0/0
172.16.2.165 udp spt:67 dpt:68
0 0 RETURN udp -- * * 0.0.0.0/0
255.255.255.255 udp spt:67 dpt:68
0 0 RETURN 94 -- * * 172.16.2.0/24 0.0.0.0/0
0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0
udp dpt:8472
0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:4240
0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0
udp multiport dports 30000:32767
1 90 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:10250
0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:4245
512 30720 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp multiport dports 30000:32767
0 0 RETURN icmp -- * * 172.16.2.0/24 0.0.0.0/0
0 0 RETURN udp -- * * 172.16.2.0/24 0.0.0.0/0
udp dpt:4789
0 0 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:4244
2 142 RETURN tcp -- * * 172.16.2.0/24 0.0.0.0/0
tcp dpt:179
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID /* Drop packets that appear related to an existing
connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
14 2122 neutron-linuxbri-sg-fallback all -- * * 0.0.0.0/0
0.0.0.0/0 /* Send unmatched traffic to the fallback chain.
*/
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2054324
Title:
Iptables rule wrong if created a rule with protocol 4
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2054324/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp