
Security Groups (all implementations) - port_security extension and default DHCP/ICMP drop rules


Details

    • Type: Bug
    • Status: Resolved
    • Resolution: Done
    • Boron
    • General
    • Operating System: All
    • Platform: All
    • 6668

    Description

      These rules are configured when using transparent security groups - they are inherited from the generic SG implementation, and are automatically configured for all implementations.
      The part that is bothering us is the drop flows - why would any drop flows be configured, when the default OpenStack behavior is drop for everything?
      It would make sense to only explicitly allow certain traffic (such as DHCP requests in ingress and DHCP responses in egress).

      In addition, when extension_drivers = port_security is NOT configured in the neutron ml2_conf.ini, this causes DHCP to NOT WORK.
      This is because it is assumed that the qdhcp ports will always have port_security disabled by default. The problem is that this requires the port_security extension driver to actually be configured.
      We need to handle the case where it is not configured, and also consider getting rid of default drop rules - the point of transparent SG was that users that don't care about security don't have to deal with it.

      cookie=0x6900000, duration=1376.923s, table=40, n_packets=0, n_bytes=0, priority=63010,udp,metadata=0x20000000000/0x1fffff0000000000,tp_src=68,tp_dst=67 actions=resubmit(,17)
      cookie=0x6900000, duration=1376.921s, table=40, n_packets=0, n_bytes=0, priority=63010,udp6,metadata=0x20000000000/0x1fffff0000000000,tp_src=546,tp_dst=547 actions=resubmit(,17)
      cookie=0x6900000, duration=1376.920s, table=40, n_packets=3, n_bytes=1122, priority=63010,udp,metadata=0x20000000000/0x1fffff0000000000,tp_src=67,tp_dst=68 actions=drop
      cookie=0x6900000, duration=1376.919s, table=40, n_packets=0, n_bytes=0, priority=63010,udp6,metadata=0x20000000000/0x1fffff0000000000,tp_src=547,tp_dst=546 actions=drop
      cookie=0x6900000, duration=1376.917s, table=40, n_packets=0, n_bytes=0, priority=63020,icmp6,metadata=0x20000000000/0x1fffff0000000000,icmp_type=134,icmp_code=0 actions=drop
      cookie=0x6900000, duration=1376.917s, table=40, n_packets=0, n_bytes=0, priority=63010,icmp6,metadata=0x20000000000/0x1fffff0000000000 actions=resubmit(,17)
      cookie=0x6900000, duration=1376.915s, table=40, n_packets=10, n_bytes=420, priority=63010,arp,metadata=0x20000000000/0x1fffff0000000000,arp_sha=fa:16:3e:94:72:e8 actions=resubmit(,17)
      cookie=0x6900000, duration=1568.523s, table=40, n_packets=0, n_bytes=0, priority=0 actions=goto_table:41
      cookie=0x6900000, duration=1568.524s, table=41, n_packets=3, n_bytes=804, priority=0 actions=resubmit(,17)
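Added example, not code from this bug report or from the netvirt project: a small parser for the ovs-ofctl dump-flows lines quoted above that flags table=40 drop rules with non-zero hit counters and names the anti-spoofing rule each one implements (DHCP server reply on 67->68 / 547->546, ICMPv6 type 134 router advertisement). The sample dump is a constructed subset of the flows above; the rule labels in ANTI_SPOOF are assigned here for reporting, since the dump itself carries no names. A drop rule with hits in the DHCP server-to-client direction, as in the third flow above, is consistent with the DHCP breakage the report describes.

```python
# Constructed sample: four of the table=40 flows quoted in the report
# (the DHCPv4 request/reply pair, the router-advertisement drop, the table default).
SAMPLE_DUMP = """\
cookie=0x6900000, duration=1376.923s, table=40, n_packets=0, n_bytes=0, priority=63010,udp,metadata=0x20000000000/0x1fffff0000000000,tp_src=68,tp_dst=67 actions=resubmit(,17)
cookie=0x6900000, duration=1376.920s, table=40, n_packets=3, n_bytes=1122, priority=63010,udp,metadata=0x20000000000/0x1fffff0000000000,tp_src=67,tp_dst=68 actions=drop
cookie=0x6900000, duration=1376.917s, table=40, n_packets=0, n_bytes=0, priority=63020,icmp6,metadata=0x20000000000/0x1fffff0000000000,icmp_type=134,icmp_code=0 actions=drop
cookie=0x6900000, duration=1568.523s, table=40, n_packets=0, n_bytes=0, priority=0 actions=goto_table:41
"""

# (proto, tp_src, tp_dst, icmp_type) -> what the drop blocks. Labels are assumptions
# made for reporting; the flow dump only carries the match fields.
ANTI_SPOOF = {
    ("udp", "67", "68", None): "DHCPv4 server reply",
    ("udp6", "547", "546", None): "DHCPv6 server reply",
    ("icmp6", None, None, "134"): "IPv6 router advertisement",
}

def parse_flow(line):
    """Turn one ovs-ofctl dump-flows line into a dict of match fields plus actions."""
    match_part, actions = line.strip().rsplit(" actions=", 1)
    flow = {"actions": actions}
    for token in match_part.split(","):
        token = token.strip()
        if "=" in token:
            key, value = token.split("=", 1)
            flow[key] = value
        elif token:  # a bare token is the protocol keyword (udp, icmp6, arp, ...)
            flow["proto"] = token
    flow["n_packets"] = int(flow["n_packets"])
    flow["table"] = int(flow["table"])
    return flow

def parse_dump(dump):
    """Parse every flow line of a dump; header lines without ' actions=' are skipped."""
    return [parse_flow(l) for l in dump.splitlines() if " actions=" in l]

def describe_drop(flow):
    """Name the anti-spoofing rule a drop flow implements, or None if unrecognised."""
    key = tuple(flow.get(k) for k in ("proto", "tp_src", "tp_dst", "icmp_type"))
    return ANTI_SPOOF.get(key)

def drops_with_hits(flows, table=40):
    """(description, n_packets) for drop flows in `table` that actually matched traffic."""
    return [(describe_drop(f) or "unrecognised drop", f["n_packets"]) for f in flows
            if f["table"] == table and f["actions"] == "drop" and f["n_packets"] > 0]

def missing_anti_spoof_drops(flows, table=40):
    """Anti-spoofing drops expected among a port's `table` flows but not installed."""
    present = {describe_drop(f) for f in flows if f["table"] == table and f["actions"] == "drop"}
    return set(ANTI_SPOOF.values()) - present
```

Running drops_with_hits over a real dump for the DHCP port's metadata shows which rule is eating the replies; missing_anti_spoof_drops is the inverse check for ports that are supposed to keep the rules.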

      People

        Assignee: Unassigned
        Reporter: alonko@hpe.com Alon Kochba