[Openstack-security] [Bug 1488362] Re: Network ports are not down when network admin-state is made down

Jeremy Stanley fungi at yuggoth.org
Tue Aug 25 17:55:40 UTC 2015


I've switched this to a regular public bug and marked the security
advisory task "won't fix" since this doesn't seem to represent an
exploitable security vulnerability on its own. It may indicate
incomplete Neutron documentation around caveats of "downing" a network,
and could also be seen as a security-related/hardening feature request.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1488362

Title:
  Network ports are not down when network admin-state is made down

Status in neutron:
  Opinion
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Neutron ports continue to be admin-state up and operational. It is
  expected that when network admin-state is made down, the ports of it
  should also be brought down and should not work.

  $ neutron net-create net2
  Created a new network:
  +---------------------------+--------------------------------------+
  | Field                     | Value                                |
  +---------------------------+--------------------------------------+
  | admin_state_up            | True                                 |
  | id                        | 860bd682-74cc-4864-8b12-e756dfcd9475 |
  | name                      | net2                                 |
  | provider:network_type     | vxlan                                |
  | provider:physical_network |                                      |
  | provider:segmentation_id  | 1020                                 |
  | router:external           | False                                |
  | shared                    | False                                |
  | status                    | ACTIVE                               |
  | subnets                   |                                      |
  | tenant_id                 | b3a57548ddf54b57a2f40411843b6c92     |
  +---------------------------+--------------------------------------+
  $ neutron subnet-create net2 192.168.2.0/24
  Created a new subnet:
  +-------------------+--------------------------------------------------+
  | Field             | Value                                            |
  +-------------------+--------------------------------------------------+
  | allocation_pools  | {"start": "192.168.2.2", "end": "192.168.2.254"} |
  | cidr              | 192.168.2.0/24                                   |
  | dns_nameservers   |                                                  |
  | enable_dhcp       | True                                             |
  | gateway_ip        | 192.168.2.1                                      |
  | host_routes       |                                                  |
  | id                | f29a5119-ba5c-4092-8d00-71d53c668d89             |
  | ip_version        | 4                                                |
  | ipv6_address_mode |                                                  |
  | ipv6_ra_mode      |                                                  |
  | name              |                                                  |
  | network_id        | 860bd682-74cc-4864-8b12-e756dfcd9475             |
  | tenant_id         | b3a57548ddf54b57a2f40411843b6c92                 |
  +-------------------+--------------------------------------------------+
  $ nova boot --image cirros-0.3.2-x86_64-uec --flavor 1 --nic net-id=860bd682-74cc-4864-8b12-e756dfcd9475 i3
  +--------------------------------------+----------------------------------------------------------------+
  | Property                             | Value                                                          |
  +--------------------------------------+----------------------------------------------------------------+
  | OS-DCF:diskConfig                    | MANUAL                                                         |
  | OS-EXT-AZ:availability_zone          | nova                                                           |
  | OS-EXT-SRV-ATTR:host                 | -                                                              |
  | OS-EXT-SRV-ATTR:hypervisor_hostname  | -                                                              |
  | OS-EXT-SRV-ATTR:instance_name        | instance-00000003                                              |
  | OS-EXT-STS:power_state               | 0                                                              |
  | OS-EXT-STS:task_state                | scheduling                                                     |
  | OS-EXT-STS:vm_state                  | building                                                       |
  | OS-SRV-USG:launched_at               | -                                                              |
  | OS-SRV-USG:terminated_at             | -                                                              |
  | accessIPv4                           |                                                                |
  | accessIPv6                           |                                                                |
  | adminPass                            | UT2jcpsSSiQQ                                                   |
  | config_drive                         |                                                                |
  | created                              | 2015-08-25T07:01:44Z                                           |
  | flavor                               | m1.tiny (1)                                                    |
  | hostId                               |                                                                |
  | id                                   | 350c66d3-2817-408e-85d9-9cd1b4c47e39                           |
  | image                                | cirros-0.3.2-x86_64-uec (98a6a3ee-4008-4dac-a634-534bb457a5f7) |
  | key_name                             | -                                                              |
  | metadata                             | {}                                                             |
  | name                                 | i3                                                             |
  | os-extended-volumes:volumes_attached | []                                                             |
  | progress                             | 0                                                              |
  | security_groups                      | default                                                        |
  | status                               | BUILD                                                          |
  | tenant_id                            | b3a57548ddf54b57a2f40411843b6c92                               |
  | updated                              | 2015-08-25T07:01:44Z                                           |
  | user_id                              | b4f34210995d44bba288e0559f68b18d                               |
  +--------------------------------------+----------------------------------------------------------------+
  $ neutron router-interface-add router1 f29a5119-ba5c-4092-8d00-71d53c668d89
  Added interface ea75f789-628a-4341-94ae-0d55bc1d6244 to router router1.
  $ neutron net-update net2 --admin-state-up False
  Updated network: net2
  juno@Juno:~$ neutron net-show net2
  +---------------------------+--------------------------------------+
  | Field                     | Value                                |
  +---------------------------+--------------------------------------+
  | admin_state_up            | False                                |
  | id                        | 860bd682-74cc-4864-8b12-e756dfcd9475 |
  | name                      | net2                                 |
  | provider:network_type     | vxlan                                |
  | provider:physical_network |                                      |
  | provider:segmentation_id  | 1020                                 |
  | router:external           | False                                |
  | shared                    | False                                |
  | status                    | ACTIVE                               |
  | subnets                   | f29a5119-ba5c-4092-8d00-71d53c668d89 |
  | tenant_id                 | b3a57548ddf54b57a2f40411843b6c92     |
  +---------------------------+--------------------------------------+
  $ sudo ip netns exec qrouter-03931f82-98ef-43bb-a7e0-66875b9558bb ping 192.168.2.1
  PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
  64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.119 ms
  64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.083 ms
  ^C
  --- 192.168.2.1 ping statistics ---
  2 packets transmitted, 2 received, 0% packet loss, time 999ms
  rtt min/avg/max/mdev = 0.083/0.101/0.119/0.018 ms
  $ sudo ip netns exec qrouter-03931f82-98ef-43bb-a7e0-66875b9558bb ping 192.168.2.2
  PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
  64 bytes from 192.168.2.2: icmp_seq=4 ttl=64 time=4.41 ms
  64 bytes from 192.168.2.2: icmp_seq=5 ttl=64 time=1.06 ms
  64 bytes from 192.168.2.2: icmp_seq=6 ttl=64 time=1.11 ms
  64 bytes from 192.168.2.2: icmp_seq=7 ttl=64 time=1.11 ms
  ^C
  --- 192.168.2.2 ping statistics ---
  7 packets transmitted, 4 received, 42% packet loss, time 6027ms
  rtt min/avg/max/mdev = 1.062/1.925/4.412/1.436 ms

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1488362/+subscriptions
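The operational caveat behind this report is that setting a network's admin state down does not touch the ports attached to it, so an operator who "downs" a network and expects traffic to stop still has live ports (the router interface and the instance port in the session above). The following is an added example, not code from the bug report or from Neutron: it walks Neutron-API-shaped network and port records, flags ports that remain admin-up or ACTIVE on an admin-down network, and emits the per-port follow-up command in the same `--admin-state-up False` form the reporter used for the network. The records are constructed inline so it runs offline; only the network, subnet and router-interface ids are taken from the report, the other ids are placeholders, and in practice the lists would come from `openstack network list -f json` and `openstack port list -f json` or the REST API.

```python
"""Audit for ports left live on admin-down Neutron networks (constructed example)."""

from typing import Dict, List

# Constructed sample: net2 from the report after
# `neutron net-update net2 --admin-state-up False`, plus one unrelated
# admin-up network (placeholder id).
NETWORKS: List[Dict] = [
    {"id": "860bd682-74cc-4864-8b12-e756dfcd9475", "name": "net2",
     "admin_state_up": False, "status": "ACTIVE"},
    {"id": "PLACEHOLDER-net-up", "name": "net-up",
     "admin_state_up": True, "status": "ACTIVE"},
]

# Constructed sample ports. The router interface id is the one printed by
# `neutron router-interface-add` in the report; the rest are placeholders.
PORTS: List[Dict] = [
    {"id": "ea75f789-628a-4341-94ae-0d55bc1d6244",
     "network_id": "860bd682-74cc-4864-8b12-e756dfcd9475",
     "device_owner": "network:router_interface",
     "admin_state_up": True, "status": "ACTIVE"},
    {"id": "PLACEHOLDER-port-instance-i3",
     "network_id": "860bd682-74cc-4864-8b12-e756dfcd9475",
     "device_owner": "compute:nova",
     "admin_state_up": True, "status": "ACTIVE"},
    {"id": "PLACEHOLDER-port-already-down",
     "network_id": "860bd682-74cc-4864-8b12-e756dfcd9475",
     "device_owner": "compute:nova",
     "admin_state_up": False, "status": "DOWN"},
    {"id": "PLACEHOLDER-port-on-up-network",
     "network_id": "PLACEHOLDER-net-up",
     "device_owner": "compute:nova",
     "admin_state_up": True, "status": "ACTIVE"},
]


def find_live_ports_on_down_networks(networks: List[Dict], ports: List[Dict]) -> List[Dict]:
    """Return ports that are still admin-up or ACTIVE although their network is admin-down.

    A port counts as "live" if either flag says so: admin_state_up reflects the
    operator's intent, status reflects what the L2 agent actually plumbed, and the
    report shows the second can stay ACTIVE on its own.
    """
    down_network_ids = {n["id"] for n in networks if not n["admin_state_up"]}
    return [
        p for p in ports
        if p["network_id"] in down_network_ids
        and (p["admin_state_up"] or p["status"] == "ACTIVE")
    ]


def remediation_commands(ports: List[Dict]) -> List[str]:
    """Build one port-update per live port, mirroring the net-update form in the report."""
    return ["neutron port-update %s --admin-state-up False" % p["id"] for p in ports]


def report(networks: List[Dict], ports: List[Dict]) -> str:
    """Human-readable summary grouped by network, for an operator's change ticket."""
    names = {n["id"]: n.get("name", n["id"]) for n in networks}
    lines = []
    for p in find_live_ports_on_down_networks(networks, ports):
        lines.append("%s: port %s (%s) admin_state_up=%s status=%s" % (
            names[p["network_id"]], p["id"], p["device_owner"],
            p["admin_state_up"], p["status"]))
    return "\n".join(lines) if lines else "no live ports on admin-down networks"


if __name__ == "__main__":
    print(report(NETWORKS, PORTS))
    for cmd in remediation_commands(find_live_ports_on_down_networks(NETWORKS, PORTS)):
        print(cmd)
```

Run against live data, the script is a read-only check; the printed commands are the explicit per-port step the report says does not happen automatically, and they are worth reviewing before running because downing a router-interface port also isolates the subnet from the router, which may or may not be what the change intended.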
