
[BUG] pcn-firewall bug

Status: Open. lfjdhr123 opened this issue 5 years ago (1 comment)

pcn-firewall bug

The pcn-firewall did not behave as expected

To Reproduce

Steps to reproduce the behavior:

  1. create a firewall cube
  2. attach to my network interface
  3. set the cube's ingress and egress drop all by default

At this time, all traffic was dropped: I could NOT ping or ssh to my machine, as I expected. Then I added the following rules:

  1. polycubectl myFW chain ingress append dport=22 action=forward
  2. polycubectl myFW chain egress append sport=22 action=forward

My expectation is only to allow port 22 connection (which is ssh). However, after adding the above rules, I am able to ping the machine (ping 10.0.0.238) as well.

After I remove the above rules, all traffic is dropped again as expected. Any idea about it? I'm not sure whether that is the behavior of the pcn-firewall or it is a bug. Please help me on that.

Please tell us about your environment:

  1. OS details:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
  2. Kernel details: Linux fangjia 5.4.0-47-generic #51~18.04.1-Ubuntu SMP Sat Sep 5 14:35:50 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  3. Polycube Version: v0.9.0+

lfjdhr123, Sep 23 '20 16:09

Hi @lfjdhr123, this is definitely a bug in the structure of the classification pipeline.

For ICMP packets, when the L4Port module sees that the packet is not TCP/UDP it sends it to the next module without updating the bitvector (initially set to all 1s). Since there are no other matching fields, the next module is the BitScan, which wrongly identifies the first rule (dport/sport == 22) as matching and applies the FORWARD action. Every time the L4Port module is inserted we should also insert the L4Proto module (this will of course reduce performance, however).

@lfjdhr123 until a patch is submitted you can overcome the problem by also specifying the l4proto of packets:

polycubectl myFW chain ingress append l4proto=tcp dport=22 action=forward
polycubectl myFW chain egress append l4proto=tcp sport=22 action=forward

FedeParola, Sep 25 '20 08:09
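To make the diagnosis above concrete, here is a small Python model of a bit-vector classification pipeline, added as an illustration for this thread; it is not polycube's code, and the module names, the rule and packet fields, and the sample packets are constructed for the example. It reproduces the three outcomes discussed: the as-filed `dport=22` rule forwarding ICMP because the port module passes the all-ones vector through untouched, the `l4proto=tcp` workaround restoring the default drop, and a port module that clears port-bearing rules for portless packets (one possible fix, not necessarily the one the project adopted).

```python
# Toy bit-vector packet classifier modelling the pcn-firewall pipeline bug.
# Added example, not polycube code; all names below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "forward" or "drop"
    l4proto: Optional[str] = None   # None means wildcard
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    l4proto: str                    # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None     # None for protocols without ports
    dport: Optional[int] = None


def field_vector(rules: List[Rule], field: str, value) -> int:
    """Bit i is set iff rule i is a wildcard on `field` or requires `value`."""
    bv = 0
    for i, rule in enumerate(rules):
        want = getattr(rule, field)
        if want is None or want == value:
            bv |= 1 << i
    return bv


def wildcard_vector(rules: List[Rule], field: str) -> int:
    """Bit i is set iff rule i places no constraint at all on `field`."""
    return sum(1 << i for i, r in enumerate(rules) if getattr(r, field) is None)


def l4proto_module(rules: List[Rule], pkt: Packet, bv: int) -> int:
    return bv & field_vector(rules, "l4proto", pkt.l4proto)


def l4port_module(rules: List[Rule], pkt: Packet, bv: int, buggy: bool) -> int:
    if pkt.l4proto not in ("tcp", "udp"):
        if buggy:
            # BUG from the thread: vector is forwarded untouched, so every
            # port rule still looks like a match for an ICMP packet.
            return bv
        # Hardened variant (constructed): a packet with no ports can only
        # satisfy rules that do not constrain either port.
        return bv & wildcard_vector(rules, "sport") & wildcard_vector(rules, "dport")
    return (bv & field_vector(rules, "sport", pkt.sport)
               & field_vector(rules, "dport", pkt.dport))


def bitscan(rules: List[Rule], bv: int, default: str) -> str:
    """Apply the lowest-indexed surviving rule, or the chain default."""
    if bv == 0:
        return default
    first = (bv & -bv).bit_length() - 1
    return rules[first].action


def classify(rules: List[Rule], pkt: Packet, buggy: bool, default: str = "drop") -> str:
    bv = (1 << len(rules)) - 1        # every rule is a candidate at the start
    # Like the pipeline described in the thread, a field module is only
    # present when some rule actually uses that field.
    if any(r.l4proto is not None for r in rules):
        bv = l4proto_module(rules, pkt, bv)
    if any(r.sport is not None or r.dport is not None for r in rules):
        bv = l4port_module(rules, pkt, bv, buggy)
    return bitscan(rules, bv, default)


def demo() -> Dict[str, str]:
    icmp = Packet("icmp")                       # constructed ping
    ssh = Packet("tcp", sport=40000, dport=22)  # constructed SSH SYN
    web = Packet("tcp", sport=40000, dport=80)  # constructed unrelated TCP
    as_filed = [Rule("forward", dport=22)]
    workaround = [Rule("forward", l4proto="tcp", dport=22)]
    return {
        "buggy/as_filed/icmp": classify(as_filed, icmp, buggy=True),
        "buggy/as_filed/ssh": classify(as_filed, ssh, buggy=True),
        "buggy/as_filed/web": classify(as_filed, web, buggy=True),
        "buggy/workaround/icmp": classify(workaround, icmp, buggy=True),
        "buggy/workaround/ssh": classify(workaround, ssh, buggy=True),
        "fixed/as_filed/icmp": classify(as_filed, icmp, buggy=False),
        "fixed/as_filed/ssh": classify(as_filed, ssh, buggy=False),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} -> {verdict}")
```

The buggy/as_filed/icmp case is the reporter's symptom (ping forwarded by a port-22 rule); the workaround cases show why adding `l4proto=tcp` helps, since the L4Proto module clears the rule's bit before the port module ever runs; the fixed cases show that a port module which treats a portless packet as a mismatch for every port-bearing rule restores the default drop on its own.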