Public bug reported:

From my lab, I tried to apply a stateless security group to one port, "172.26.9.54", used hping3 to generate TCP connections and monitored the nf_conntrack count, but nothing took effect. After debugging the iptables rules, I saw the following syntax error in iptables, which caused the "no-track" policy to become ineffective.

This is the output from `iptables-save`:

## The port of the first server uses the same subnet (public subnet of the provider) - IP address 172.26.9.97
Line 33: -A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
Line 34: -A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
Line 35: -A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap076a0ad0-20 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099

## The port of the second server uses the same subnet (public subnet of the provider) - IP address 172.26.9.54
Line 52: -A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
Line 53: -A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
Line 54: -A neutron-linuxbri-PREROUTING -m physdev --physdev-in tapdec8b333-40 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack

** Affects: neutron
     Importance: Undecided
         Status: New

** Tags: firewall group security stateless

** Tags added: firewall group security

https://bugs.launchpad.net/bugs/2020060

Title:
  Stateless Feature of Security Group Not Functioning in Case of other Port same compute use statefull

Status in neutron:
  New
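The reporter's check (generate connections with hping3, watch the nf_conntrack count) tells you after the fact whether --notrack took effect. The added example below, which is not part of the bug report and not neutron code, predicts it from the rules instead: it parses the six CT rules quoted above (embedded as constructed sample input, in their chain order) and walks them for a packet entering the bridge from a given tap. The walk relies on one kernel fact: the CT target does not terminate the chain, but it returns early for a packet that already carries a conntrack template or the untracked mark, so the first matching CT rule in chain order decides and later CT rules are ignored. The pairing of -i <bridge> with --physdev-in <tap> for VM-sent traffic, and all helper names, are assumptions for the illustration.

```python
"""Predict which CT rule a packet hits in neutron-linuxbri-PREROUTING.

Added example for this bug report; it is not neutron code. It parses the
iptables-save lines quoted in the report (embedded below as constructed
sample input) and walks them in chain order.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the six CT rules from the report, in chain order
# (lines 33-35 belong to port 76a0ad0-20, lines 52-54 to port ec8b333-40).
IPTABLES_SAVE = """\
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
-A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap076a0ad0-20 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
-A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in tapdec8b333-40 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
"""


@dataclass
class CtRule:
    chain: str
    in_iface: Optional[str]    # value of -i, if present
    physdev_in: Optional[str]  # value of --physdev-in, if present
    action: str                # "zone <n>" or "notrack"
    comment: str


def parse_ct_rules(text: str) -> List[CtRule]:
    """Keep only '-A <chain> ... -j CT ...' rules, in file order."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)  # honours the quoted --comment argument
        if len(toks) < 2 or toks[0] != "-A":
            continue
        # Each option in these rules occurs at most once, so mapping every
        # token to its successor is enough to look options up by name.
        opts = dict(zip(toks, toks[1:]))
        if opts.get("-j") != "CT":
            continue
        action = "notrack" if "--notrack" in toks else "zone " + opts.get("--zone", "?")
        rules.append(CtRule(toks[1], opts.get("-i"), opts.get("--physdev-in"),
                            action, opts.get("--comment", "")))
    return rules


def rule_matches(rule: CtRule, in_iface: str, physdev_in: str) -> bool:
    """Only the interface matches are modelled (the rules above use no
    others). A rule without -i / --physdev-in matches any packet."""
    if rule.in_iface is not None and rule.in_iface != in_iface:
        return False
    if rule.physdev_in is not None and rule.physdev_in != physdev_in:
        return False
    return True


def effective_ct(text: str, in_iface: str, physdev_in: str) -> Optional[str]:
    """Action of the first CT rule a packet with these interfaces hits.

    xt_CT does not terminate the chain, but its target returns early for a
    packet that already carries a conntrack template (or the untracked
    mark), so the first matching CT rule in chain order wins and later
    CT rules are ignored.
    """
    for rule in parse_ct_rules(text):
        if rule_matches(rule, in_iface, physdev_in):
            return rule.action
    return None


def bridge_wide_rules(text: str, bridge: str) -> List[CtRule]:
    """CT rules keyed on the bridge itself rather than a per-port tap: they
    match the traffic of every port on that bridge, whichever port they
    were generated for."""
    return [r for r in parse_ct_rules(text) if bridge in (r.in_iface, r.physdev_in)]


if __name__ == "__main__":
    # Assumption: with bridge-nf-call-iptables, traffic a VM sends into the
    # bridge reaches PREROUTING with -i <bridge> and --physdev-in <tap>.
    bridge = "brq959cb64a-b4"
    for port, tap in (("76a0ad0-20", "tap076a0ad0-20"), ("ec8b333-40", "tapdec8b333-40")):
        print(port, "->", effective_ct(IPTABLES_SAVE, bridge, tap))
    for r in bridge_wide_rules(IPTABLES_SAVE, bridge):
        print("bridge-wide:", r.action, "|", r.comment)
```

Run as-is, the walk reports "zone 4099" for both taps: line 34 (-i brq959cb64a-b4, zone 4099) matches the stateless port's traffic before any of its own --notrack rules are reached. Feeding the same text with the two rule groups swapped reports "notrack" for both ports, so the bridge-wide rules (four of the six) decide the outcome for every port on that bridge, not only for the port they were written for.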