*** This bug is a duplicate of bug 1793029 *** https://bugs.launchpad.net/bugs/1793029
** This bug has been marked a duplicate of bug 1793029
   adding 0.0.0.0/0 address pair to a port bypasses all other vm security groups

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1867119

Title:
  [security] Add allowed-address-pair 0.0.0.0/0 to one port will open all
  others' protocols under same security group

Status in neutron:
  In Progress

Bug description:
  [security] Add allowed-address-pair 0.0.0.0/0 to one port will open all
  others' protocols under same security group

  When adding allowed-address-pair 0.0.0.0/0 to one port, it will
  unexpectedly open all others' protocols under the same security group.

  First found in stable/queens, but also confirmed in master branch.

  IPv6 has the same problem!

  Devstack test config:

  [DEFAULT]

  [l2pop]

  [ml2]
  type_drivers = flat,gre,vlan,vxlan
  tenant_network_types = vxlan
  extension_drivers = port_security,qos
  mechanism_drivers = openvswitch,l2population

  [ml2_type_vxlan]
  vni_ranges = 10000:19999

  [securitygroup]
  firewall_driver = openvswitch

  [ovs]
  local_ip = 10.0.5.10

  [agent]
  tunnel_types = vxlan
  l2_population = True
  arp_responder = True
  enable_distributed_routing = True
  extensions = qos

  Steps to reproduce:

  1. Assuming you have the following VMs

  +--------------------------------------+-------------+--------+-------------------------------------+--------+--------+
  | ID                                   | Name        | Status | Networks                            | Image  | Flavor |
  +--------------------------------------+-------------+--------+-------------------------------------+--------+--------+
  | 24231705-ee79-4643-ae5a-9f0f7ff8f8ba | dvr-ha-vm-2 | ACTIVE | dvr-ha=192.168.30.44, 172.16.12.220 | cirros | nano   |
  | 4865d216-9f95-40bf-a6b4-221e3af06798 | dvr-ha-vm-1 | ACTIVE | dvr-ha=192.168.30.64, 172.16.13.52  | cirros | nano   |
  +--------------------------------------+-------------+--------+-------------------------------------+--------+--------+

  $ nova interface-list 4865d216-9f95-40bf-a6b4-221e3af06798
  +------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
  | Port State | Port ID                              | Net ID                               | IP addresses  | MAC Addr          | Tag |
  +------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
  | ACTIVE     | b333b1ca-bb9a-41fd-a878-b524ffbc6d7a | a9e82560-f1ac-4909-9afa-686b57df62fa | 192.168.30.64 | fa:16:3e:12:66:05 | -   |
  +------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+

  $ nova interface-list 24231705-ee79-4643-ae5a-9f0f7ff8f8ba
  +------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
  | Port State | Port ID                              | Net ID                               | IP addresses  | MAC Addr          | Tag |
  +------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+
  | ACTIVE     | 93197f48-3fe4-47f4-9d15-ba8728c00409 | a9e82560-f1ac-4909-9afa-686b57df62fa | 192.168.30.44 | fa:16:3e:14:ff:f1 | -   |
  +------------+--------------------------------------+--------------------------------------+---------------+-------------------+-----+

  2. Security group rules

  $ openstack security group rule list 535018b5-7038-46f2-8f0e-2a6e193788aa --long|grep ingress
  +--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+
  | ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group                |
  +--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+
  | 01015261-0ca3-49ad-b033-bc2036a58e26 | tcp         | IPv4      | 0.0.0.0/0 | 22:22      | ingress   | None                                 |
  | 36441851-7bd2-4680-be43-2f8119b65040 | icmp        | IPv4      | 0.0.0.0/0 |            | ingress   | None                                 |
  | 8326f59e-cf26-4372-9913-30c71c036a2e | None        | IPv6      | ::/0      |            | ingress   | 535018b5-7038-46f2-8f0e-2a6e193788aa |
  | e47c6731-a0f7-42aa-8125-a9810e7b5a17 | None        | IPv4      | 0.0.0.0/0 |            | ingress   | 535018b5-7038-46f2-8f0e-2a6e193788aa |
  +--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+

  3. Start a nc test server in dvr-ha-vm-2

  # nc -l -p 8000

  4. Try to curl that dvr-ha-vm-2 port 8000 from the outside world

  $ curl http://172.16.12.220:8000/index.html
  curl: (7) Failed connect to 172.16.12.220:8000; Connection timed out

  5. Add allowed address pair 0.0.0.0/0 to dvr-ha-vm-1

  openstack port set --allowed-address ip-address=0.0.0.0/0 b333b1ca-bb9a-41fd-a878-b524ffbc6d7a

  6. Try to curl that dvr-ha-vm-2 port 8000 again

  It is connected!!!

  # nc -l -p 8000
  GET /index.html HTTP/1.1
  User-Agent: curl/7.29.0
  Host: 172.16.12.220:8000
  Accept: */*

  asdfasdf
  asdfasdf

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1867119/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
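Editor's note on the mechanism the reproduction above exercises. The security group in step 2 carries two rules whose remote is the group itself (remote security group 535018b5-...), i.e. "accept anything from another member of this group". Such a rule is enforced against the addresses that belong to member ports, and a port's addresses are its fixed IPs plus its allowed address pairs. Once one member port is allowed to use 0.0.0.0/0, every IPv4 source on the planet qualifies as "a member", so the remote-group rule admits the outside curl to dvr-ha-vm-2 on port 8000 even though no rule names that port. The following model is an added example, not code from the bug report or from neutron; it assumes exactly that expansion of remote-group rules (it models the effect, not the OVS flow tables). Port IDs, fixed IPs and the security group ID are taken from the reproduction; the outside client addresses 203.0.113.10 and 2001:db8::1 are constructed. The last function is the audit check an operator would run over `openstack port list`-style data to find catch-all address pairs.

```python
"""Model of why an allowed-address-pair 0.0.0.0/0 (or ::/0) on one port
opens every other port in the same security group.  Added example; the
port inventory below is constructed from the two VMs in the bug report."""
import ipaddress
from copy import deepcopy

SG_ID = "535018b5-7038-46f2-8f0e-2a6e193788aa"

# Constructed inventory modelled on dvr-ha-vm-1 and dvr-ha-vm-2 above.
PORTS = [
    {
        "id": "b333b1ca-bb9a-41fd-a878-b524ffbc6d7a",   # dvr-ha-vm-1
        "security_groups": [SG_ID],
        "fixed_ips": ["192.168.30.64"],
        "allowed_address_pairs": [],
    },
    {
        "id": "93197f48-3fe4-47f4-9d15-ba8728c00409",   # dvr-ha-vm-2
        "security_groups": [SG_ID],
        "fixed_ips": ["192.168.30.44"],
        "allowed_address_pairs": [],
    },
]


def member_networks(ports, sg_id):
    """Source networks a remote-group rule for sg_id accepts: every member
    port's fixed IPs (as /32 or /128 host routes) plus its allowed address
    pairs.  This expansion is the assumption the example rests on."""
    nets = set()
    for port in ports:
        if sg_id not in port["security_groups"]:
            continue
        for ip in port["fixed_ips"]:
            nets.add(ipaddress.ip_network(ip))
        for pair in port["allowed_address_pairs"]:
            nets.add(ipaddress.ip_network(pair["ip_address"], strict=False))
    return nets


def remote_group_allows(ports, sg_id, src_ip):
    """Would the remote-group rule admit a packet from src_ip to a member?"""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in member_networks(ports, sg_id)
               if net.version == src.version)


def with_allowed_address(ports, port_id, cidr):
    """Copy of the inventory after
    `openstack port set --allowed-address ip-address=<cidr> <port_id>`."""
    updated = deepcopy(ports)
    for port in updated:
        if port["id"] == port_id:
            port["allowed_address_pairs"].append({"ip_address": cidr})
    return updated


def catch_all_pairs(ports):
    """Audit check: (port id, cidr) for every allowed address pair that
    covers a whole address family.  A prefix length of 0 is the condition
    that turns a remote-group rule into 'allow from anywhere'."""
    findings = []
    for port in ports:
        for pair in port["allowed_address_pairs"]:
            net = ipaddress.ip_network(pair["ip_address"], strict=False)
            if net.prefixlen == 0:
                findings.append((port["id"], str(net)))
    return findings


if __name__ == "__main__":
    outside = "203.0.113.10"   # constructed address of the outside curl client
    print("before:", remote_group_allows(PORTS, SG_ID, outside))
    bad = with_allowed_address(PORTS, PORTS[0]["id"], "0.0.0.0/0")
    print("after: ", remote_group_allows(bad, SG_ID, outside))
    print("audit: ", catch_all_pairs(bad))
```

Before step 5 the only IPv4 members are the two /32 host addresses, so the outside client is rejected; after the pair is added, 0.0.0.0/0 is a member network and the same client is admitted to every port in the group. The IPv6 case the reporter mentions is the same with ::/0. The audit is deliberately narrow (prefix length 0 only): a broad but non-zero prefix such as a /8 is a judgement call for the operator, while a zero-length prefix on a port in a group with remote-group rules is never intended.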