Remote security groups grant access to any IP listed in allowed-address-pairs on port in Red Hat OpenStack Platform

Solution In Progress - Updated

Issue

Remote security groups grant access to any IP listed in allowed-address-pairs on port in Red Hat OpenStack Platform

Diagram

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

                                        compute-1                                   compute-0

+---------------+      +-----------+      +---------------+                    +---------------+
|  JUMPSERVER   +------+  Network  +------+    ROUTER     +--------------------+      VM       |
+---------------+      +-----------+      +---------------+                    +---------------+
 192.168.0.203/24                         10.0.0.11/24   172.16.0.12/24         172.16.0.13/24
                                          security group: default               security group: allow any

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Setup

  • ROUTER is an instance (on compute-1) that routes traffic for VM; it has two ports, 10.0.0.11/24 and 172.16.0.12/24
  • both ROUTER ports carry allowed-address-pairs entries for 192.168.0.0/24 and 172.16.0.0/24, so that traffic between those two networks can be forwarded through them without being dropped by port security
  • both ROUTER ports use the default security group
  • VM uses the allow-any security group
  • the default security group is configured with a single ingress rule that allows tcp/any from the remote security group default:
+--------------------------------------+----------------+-----------+-----------+---------------+------------------------+
| id                                   | security_group | direction | ethertype | protocol/port | remote                 |
+--------------------------------------+----------------+-----------+-----------+---------------+------------------------+
| 9be0a25e-32c0-4926-a63c-zzyyxxwwvvuu | default        | ingress   | IPv4      | 1-65535/tcp   | default (group)        |
+--------------------------------------+----------------+-----------+-----------+---------------+------------------------+

Observation

  • 192.168.0.203 (JUMPSERVER, which has no port in the default security group) can reach TCP/22 on 172.16.0.13 (VM) and on 10.0.0.11 (ROUTER)
  • the reason is that a rule whose remote is a security group matches every address belonging to a member port of that group, and the allowed-address-pairs entries of those ports are counted as member addresses: because the ROUTER ports (members of default) list 192.168.0.0/24 in allowed-address-pairs, every source in 192.168.0.0/24 is treated as if it were a member of default
  • this only happens when a rule uses a remote security group; the current workaround is to express the rule with a remote IP prefix (CIDR) instead of a remote security group
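The following Python model reproduces the observation and the workaround described above. It is an added illustration written for this page, not Neutron's code: the port and rule records are constructed from the Setup section (the port names router-net0, router-net1 and vm are assumed), and the lookup mirrors the behaviour the page reports, namely that a remote-group rule resolves to the fixed IPs plus the allowed-address-pairs of every member port. The remote-IP-prefix rules in RULES_REMOTE_PREFIX (the two ROUTER fixed IPs as /32 prefixes) are an assumed rendering of the intended "members only" policy.

```python
import ipaddress

# Constructed Neutron-style port records for the page's setup (not real API
# output).  The JUMPSERVER (192.168.0.203) is an external host without a port.
PORTS = [
    {"name": "router-net0", "fixed_ips": ["10.0.0.11"],
     "allowed_address_pairs": ["192.168.0.0/24", "172.16.0.0/24"],
     "security_groups": ["default"]},
    {"name": "router-net1", "fixed_ips": ["172.16.0.12"],
     "allowed_address_pairs": ["192.168.0.0/24", "172.16.0.0/24"],
     "security_groups": ["default"]},
    {"name": "vm", "fixed_ips": ["172.16.0.13"],
     "allowed_address_pairs": [],
     "security_groups": ["allow-any"]},
]

# Ingress rules as on the page: "default" admits tcp/any from remote group
# "default"; "allow-any" admits everything.
RULES_REMOTE_GROUP = {
    "default": [{"protocol": "tcp", "port_range": (1, 65535),
                 "remote_group": "default"}],
    "allow-any": [{"protocol": None, "port_range": None,
                   "remote_ip_prefix": "0.0.0.0/0"}],
}

# Workaround: the same intent expressed with remote IP prefixes (assumed to be
# the member ports' own fixed IPs) instead of a remote security group.
RULES_REMOTE_PREFIX = {
    "default": [{"protocol": "tcp", "port_range": (1, 65535),
                 "remote_ip_prefix": "10.0.0.11/32"},
                {"protocol": "tcp", "port_range": (1, 65535),
                 "remote_ip_prefix": "172.16.0.12/32"}],
    "allow-any": RULES_REMOTE_GROUP["allow-any"],
}


def remote_group_member_networks(ports, group):
    """Source networks a rule with remote_group=<group> matches.

    Every member port contributes its fixed IPs (as /32) and its
    allowed-address-pairs entries, so a /24 pair entry admits the whole /24.
    """
    nets = set()
    for port in ports:
        if group not in port["security_groups"]:
            continue
        for ip in port["fixed_ips"]:
            nets.add(ipaddress.ip_network(ip))
        for pair in port["allowed_address_pairs"]:
            nets.add(ipaddress.ip_network(pair, strict=False))
    return nets


def _rule_matches(rule, ports, src_ip, protocol, dport):
    src = ipaddress.ip_address(src_ip)
    if rule["protocol"] not in (None, protocol):
        return False
    if rule["port_range"] and not rule["port_range"][0] <= dport <= rule["port_range"][1]:
        return False
    if "remote_group" in rule:
        allowed = remote_group_member_networks(ports, rule["remote_group"])
    else:
        allowed = {ipaddress.ip_network(rule["remote_ip_prefix"])}
    return any(src in net for net in allowed)


def ingress_allowed(ports, rules, port_name, src_ip, protocol, dport):
    """Security groups are allow-lists with implicit deny: the packet passes
    if any ingress rule of any group attached to the port matches."""
    port = next(p for p in ports if p["name"] == port_name)
    return any(_rule_matches(r, ports, src_ip, protocol, dport)
               for g in port["security_groups"] for r in rules[g])


def vm_reachable_via_router(ports, rules, src_ip, dport):
    """Path on the page: ingress on ROUTER's 10.0.0.11 port, then ingress on
    VM.  ROUTER's egress is not modelled (default egress allows everything)."""
    return (ingress_allowed(ports, rules, "router-net0", src_ip, "tcp", dport)
            and ingress_allowed(ports, rules, "vm", src_ip, "tcp", dport))


if __name__ == "__main__":
    members = sorted(map(str, remote_group_member_networks(PORTS, "default")))
    print("remote group 'default' resolves to:", members)
    for label, rules in (("remote group ", RULES_REMOTE_GROUP),
                         ("remote prefix", RULES_REMOTE_PREFIX)):
        ok = vm_reachable_via_router(PORTS, rules, "192.168.0.203", 22)
        print(f"{label}: 192.168.0.203 -> 172.16.0.13 tcp/22 allowed = {ok}")
```

Running the block prints that the remote group default resolves to 10.0.0.11/32, 172.16.0.12/32, 172.16.0.0/24 and 192.168.0.0/24, that the JUMPSERVER reaches VM when the remote-group rule is in place, and that the same source is denied once the rule names the members' prefixes explicitly. Any other address in 192.168.0.0/24 behaves the same way, which is what "any IP listed in allowed-address-pairs" in the title means in practice.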

Environment

Red Hat OpenStack Platform 8
Red Hat OpenStack Platform 9
Red Hat OpenStack Platform 10
