Commit Graph

17 Commits

Author SHA1 Message Date
Rodolfo Alonso Hernandez 1879d92533 "ebtables-nft" MAC rule deletion failing
"ebtables-nft" is failing to delete the rule filtering by MAC address:
  Bridge chain: neutronMAC-test-veth024379, entries: 2, policy: DROP
  -i test-veth024379 --among-src fa:16:3e:47:87:0 -j RETURN
  -j DROP

A workaround for this issue, which works with both "ebtables-nft" and
"ebtables-legacy", is to flush the table and recreate the DROP rule.
The MAC spoofing tables have two rules: the one filtering by MAC address
and the default DROP rule. This workaround has the same effect as just
deleting the filtering rule.

Closes-Bug: #2038541
Change-Id: I38bd016c35d7a76d88c6eceec797d1cea84c45d1
2023-10-16 00:40:32 +00:00
Rodolfo Alonso Hernandez 0a931391d8 Make ARP protection commands compatible with "ebtables-nft"
"nftables" compatible binary, "ebtables-nft", is not 100% compatible
with the legacy API, as reported in LP#1922892.

This patch fixes the following issues when using "ebtables-nft" (while
keeping compatibility with legacy binary):
- When a new chain is created, a default DROP rule is added at the end
  of the chain (append). This will prevent the error code 4 when the
  chain is listed.
- The chain rules are added at the beginning of the chain (insert),
  before the default DROP rule. This will prioritize the port rules.
- The MAC rules are cleaned before the new ones are added. That will
  prevent the deletion of any new needed rule, now added after the
  deletion.
- The "ebtables" command will retry on error code 4. This is the
  error returned when the chains are listed and no rule is present
  in a newly created chain (reported in LP#1922892).

This code is backwards compatible, which means it works with the legacy
"ebtables" binary; this is currently installed in the Neutron CI [1].
In order to test with the new binary, "ebtables-nft", two new CI jobs
are added to the periodic queue [2].

[1] 1ad9ca56b0/roles/legacy_ebtables/tasks/main.yaml
[2] https://review.opendev.org/c/openstack/neutron/+/785144

Closes-Bug: #1922892
Related-Bug: #1508155

Change-Id: I9463b000f6f63e65aaf91d60b30f6c92c01e3baf
2021-04-09 13:30:39 +00:00
Rodolfo Alonso Hernandez a7bedd7428 Remove rootwrap execution (3)
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates the execution of "ebtables" command to
privsep.

Story: #2007686
Task: #41558

Change-Id: I05deec2f021e1b146fa3f6f7f9b37084df06d59d
2021-02-06 16:26:20 +00:00
Lukas Steiner 2207b88544 Flush ebtables arp protect chains before deleting them
When a port is removed, the linuxbridge agent cleans up the chains
neutronARP-* and neutronMAC-*, but in some cases these chains still
contain rules and ebtables fails with `CHAIN_USER_DEL failed (Device or
resource busy)`. Flushing the chains before deleting them fixes that
issue.

Change-Id: Icfcf8c5406cfdc47fabf012e82ed56c345a73af8
Closes-Bug: #1887281
2020-07-28 18:48:52 +02:00
Jens Harbott a6451b69ab Adopt timers for new tenacity release
A new tenacity release [0] has been made which changes the behaviour
of the "wait_exponential" function [1], effectively halving the
multiplier. This leads to issues in the tests where the functionality
is being tested. To resolve the issue, just double the base multiplier.

This change can be used with the former and the new "wait_exponential"
code. If the older version of "tenacity" library is being used, the
waiting periods will be bigger but won't affect the behaviour. We can
avoid then enforcing the minimum version of this library. This is
desirable because this change was made in a minor release.

[0] https://review.opendev.org/677052
[1] aac4307a0a

Change-Id: Ib9055871623f642a74899de8eb536a05c5365f24
2019-08-21 14:21:31 +00:00
Brian Haley 08108c4199 Move Linuxbridge ARP spoofing to nat table PREROUTING chain
It was found that adding ebtables rules to the filter table
FORWARD chain could be vulnerable to a DoS attack.  Moving
to the nat table PREROUTING chain should mitigate this as
it is consulted prior to allowing the frame in.

In order to make this work with upgrades, had to make the code
detect and remove any old rules that might still exist in
the filter table.  That can be removed after a cycle.

Added some unit tests in addition to the existing functional
tests.

Change-Id: I87852b21db4404c58c83789cc267812030ac7d5f
Closes-bug: #1732294
2018-01-31 11:31:14 -05:00
Inessa Vasilevskaya 7322bd6efb Make code follow log translation guideline
Since Pike, log messages should not be translated.
This patch removes calls to i18n _LC, _LI, _LE, _LW from
logging logic throughout the code. Translators definition
from neutron._i18n is removed as well.
This patch also removes log translation verification from
ignore directive in tox.ini.

Change-Id: If9aa76fcf121c0e61a7c08088006c5873faee56e
2017-08-14 02:01:48 +00:00
Brian Haley 6451e07503 Fix linuxbridge ebtables locking
Change linuxbridge ARP protection code to always hold the
neutron ebtables lock while operating on rules.  There
were a couple of places where we were reading the rules
without it.

Change-Id: Id7b38a3a662fb2e2736baa015492c36699319e58
Related-bug: #1697833
2017-06-14 15:12:37 +00:00
Kevin Benton 2e7b787f0e Retry ebtables lock acquisition failures
It seems after the merge of
https://bugs.launchpad.net/ubuntu/+source/ebtables/+bug/1645324
that ebtables can fail to acquire a lock and bail with an error
255. This adds some retry logic to retry it up to 10 times to
work around this issue.

Closes-Bug: #1697833
Change-Id: Ic9dcf4b236a93e8811413c6ce2c4b82602544c6d
2017-06-13 22:50:19 -07:00
Boden R b79f2b45be use is_port_trusted from neutron-lib
neutron-lib 1.6.0 is out and among other things contains the rehomed
is_port_trusted function. This patch switches usage of that function
from neutron to neutron-lib.

NeutronLibImpact

Change-Id: I1c8a32d4806092daae99cd4860523c7d6335fc75
2017-05-24 09:02:39 -06:00
Kevin Benton 486e2f4eb5 Pass --concurrent flag to ebtables calls
This flag will force ebtables to acquire a lock so we don't
have to worry about ebtables errors occurring if something else
on the system is trying to use ebtables as well.

Closes-Bug: #1316621
Change-Id: I695c01e015fdc201df8f23d9b48f9d3678240266
2017-02-10 01:52:42 -08:00
Kevin Benton be298f8bc3 Linux Bridge: Add mac spoofing filtering to ebtables
The current mac-spoofing code in iptables has two issues.
First, it occurs after the address discovery allow rules
(e.g. DHCP), so MAC addresses can be spoofed on discovery
protocols. Second, since it is based on iptables, it
doesn't apply to protocols like STP.

This means a VM could generate one of these types of packets
with a spoofed MAC address to trick switches into learning
that the spoofed MAC now belongs to the VM's port. The impact
of this depends on the configuration of the environment
(e.g. use of L2pop: see the bug report for details).

This patch adds MAC spoofing filtering to the ARP protection
code for Linux bridge based on ebtables. Only traffic sourced
from the MAC address on the port or in the allowed address
pair MACs will be allowed.

This filtering will not be enabled if the port has port
security disabled or if the device_owner starts with 'network:'.

Change-Id: I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78
Partial-Bug: #1558658
2016-03-28 20:46:24 -07:00
Doug Wiegley dd726ed494 Move i18n to _i18n, as per oslo_i18n guidelines
- This does NOT break other projects that rely on neutron.i18n,
  as this change includes a debtcollector shim to maintain those
  older entry points, until they can migrate.
- Also updates _i18n.py to the latest pattern defined by oslo_i18n
- Guidance and template are from the reference:
  http://docs.openstack.org/developer/oslo.i18n/usage.html

Partially-Closes-Bug: #1519493
Change-Id: I1aa3a5fd837d9156da4643a367013c869ed8bf9d
2015-12-01 19:29:10 -07:00
Brandon Palm 2503dfb239 Fixed a bunch of typos throughout Neutron
Went through all of the docstrings in Neutron and did
some cleanup.  I'm sure there are bunch more that I have missed.

Change-Id: Ib29d2de1c580880c89ed4fd069e1515d0977a3e7
2015-10-30 08:54:41 -05:00
Kevin Benton 638d16c8a0 Add utility function for checking trusted port
Ports that have a device_owner that starts with 'network:'
are trusted in several places throughout the codebase. Each
of these did a startswith check on each field and it's not
immediately obvious why it's done.

This patch adds a utility function called 'is_port_trusted'
that performs the same check and makes it obvious what is
being done.

Change-Id: I542c753776d5cfb2fd736b25ea6e111867c89c89
2015-09-14 10:41:54 +00:00
Kevin Benton 051ff13771 Don't setup ARP protection on LB for network ports
Skip adding ARP spoofing protection on Linux bridge ports
with a device_owner field starting with 'network:'. This is
already the case for the other iptables-based spoofing
protection and is necessary for floating IPs to function
correctly on router gateway ports.

Change-Id: If53733fb3060e5ab44bac5388f42bdc384bcdb93
Closes-Bug: #1483315
2015-09-03 02:59:54 -07:00
Kevin Benton 04197bc4bb Add ARP spoofing protection for LinuxBridge agent
This patch adds ARP spoofing protection for the Linux Bridge
agent based on ebtables. This code was written to be minimally
invasive with the intent of back-porting to Kilo.

The protection is enabled and disabled with the same
'prevent_arp_spoofing' agent config flag added for the OVS agent
in I7c079b779245a0af6bc793564fa8a560e4226afe.

The protection works by setting up an ebtables chain for each port
and jumping all ARP traffic to that chain. The port-specific chains
have a default DROP policy and then have allow rules installed that
only allow ARP traffic with a source CIDR that matches one of the
port's fixed IPs or an allowed address pair.

Closes-Bug: #1274034
Change-Id: I0b0e3b1272472385dff060897ecbd25e93fd78e7
2015-07-06 23:04:06 -07:00