Skip to content

[BUG] pcn-firewall bug #339

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lfjdhr123 opened this issue Sep 23, 2020 · 1 comment
Open

[BUG] pcn-firewall bug #339

lfjdhr123 opened this issue Sep 23, 2020 · 1 comment
Labels
bug Something isn't working
Milestone
v.0.11.0

Comments

@lfjdhr123
Copy link

pcn-firewall bug

The pcn-firewall did not behave as expected

To Reproduce

Steps to reproduce the behavior:

  1. create a firewall cube
  2. attach to my network interface
  3. set the cube's ingress and egress drop all by default

At this time, all traffic dropped, I could NOT ping and ssh to my machine as I expected. Then I add the following rules:

  1. polycubectl myFW chain ingress append dport=22 action=forward
  2. polycubectl myFW chain egress append sport=22 action=forward

My expectation is only to allow port 22 connection (which is ssh). However, after adding the above rules, I am able to ping the machine (ping 10.0.0.238) as well.

After I remove the above rules, all traffic is dropped again as expected.
Any idea of it? I’m not sure that is the behavior of the pcn-firewal or it is a bug. Please help me on that (edited)

Please tell us about your environment:

  1. OS details:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
  1. Kernel details: Linux fangjia 5.4.0-47-generic #51~18.04.1-Ubuntu SMP Sat Sep 5 14:35:50 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  2. Polycube Version: v0.9.0+
@lfjdhr123 lfjdhr123 added the bug Something isn't working label Sep 23, 2020
@FedeParola
Copy link
Collaborator

Hi @lfjdhr123, this is definitely a bug in the structure of the classification pipeline.

For ICMP packets when the L4Port module sees that the packet is not TCP/UDP it sends it to the next module without updating the bitvector (initially set to all 1s). Since there are not other matching fields the next module is the BitScan, that wrongly identifies the first rule (dport/sport == 22) as matching and applies the FORWARD action. Every time the L4Port module is inserted we should also insert the L4Proto module (this of course will reduce performance however).

@lfjdhr123 until a patch is submitted you can overcome the problem by also specifing the l4proto of packets:

polycubectl myFW chain ingress append l4proto=tcp dport=22 action=forward
polycubectl myFW chain egress append l4proto=tcp sport=22 action=forward

@lfjdhr123 lfjdhr123 changed the title [BUG] [BUG] pcn-firewall bug Sep 29, 2020
@acloudiator acloudiator added this to the v.0.11.0 milestone Oct 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
v.0.11.0
Development

No branches or pull requests
3 participants
@lfjdhr123 @acloudiator @FedeParola