[openstack-dev] [Neutron] When VM do not have fixed_ip, Allowed address pair should not allow all the IPs by default

Liping Mao -X (limao - YI JIN XIN XI FU WU(SU ZHOU)YOU XIAN GONG SI at Cisco) limao at cisco.com
Wed Jul 23 02:54:46 UTC 2014 

Hi Salvatore and Kyle,


Thanks for your review the following bug:
https://review.openstack.org/#/c/97516/
https://launchpad.net/bugs/1325986


I think I did not make myself clear in the bug description.

And you have the following comments:
"
I have a question regarding the removal of the following rule
'-m mac --mac-source %s -j RETURN'
It was originally added to allow passing traffic to the specified additional MAC regardless. As a side effect however, it is also passing traffic for all the IPs, which is the bug you're trying to fix.
As you're removing the rule, would you agree that setting an allowed address pair with MAC only now does not make a lot of sense anymore? If you agree we should add this restriction to the API.
Otherwise we should build iptables rules for the specified MAC and all the IPs on that port known to neutron.
"


In my opinion, We have ip snooping feature to protect the VM to use IP which is not its fixed IP.

So If the VM have a fixed IP, the rules are something like following:
Chain neutron-openvswi-sdcd32e11-1 (1 references)
pkts bytes target     prot opt in     out     source               destination
 3026  382K RETURN     all  --  *      *       10.224.148.121       0.0.0.0/0           MAC FA:16:3E:4E:A9:3D
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

We will only allowed Source IP(10.224.148.121) and Source MAC(FA:16:3E:4E:A9:3D) to go out of VM in this case.
This means even I modify the IP(for example, I use 10.224.148.122) in the VM, It still can't work.


Then, If I remove the fixed ip of the VM, the port do not have any fixed ip, the rule will be :
Chain neutron-openvswi-sdcd32e11-1 (1 references)
pkts bytes target     prot opt in     out     source               destination
 3026  382K RETURN     all  --  *      *       0.0.0.0/0       0.0.0.0/0           MAC FA:16:3E:4E:A9:3D
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

This will allow all the MAC with FA:16:3E:4E:A9:3D  to go out of the VM.
In this case, if I add IP in the VM(for example, I use 10.224.148.121), the IP can work.

So I think in this case anti-ip-snooping does not work well. I think when we do not have fixed IP, the rule should be :
Chain neutron-openvswi-sdcd32e11-1 (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

with this rules, If I add ip in VM, the IP can't work.
So my patch is used to remove the rule "'-m mac --mac-source %s -j RETURN'" when port does not have fixed ip.


And in your comments, you said that "setting an allowed address pair with MAC only now does not make a lot of sense anymore"
I don't think so, because we still need this feature in many case. For example, If we need to use DSR(Direct Server Return) in the VM, we need to allow all the ips.



Thanks again for your review, and please let me know, if I have any misunstanding.  :)


Regards,
Liping Mao

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140723/2c47b841/attachment.html>

More information about the OpenStack-dev mailing list