iptables rules are always thrashed when a little rule is updated
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
neutron | Fix Released | Undecided | Brian Haley |
Bug Description
When a meter label or rule is updated, iptables_manager will update the iptables rules in the router's namespace. In doing so, it will clear the traffic counter numbers collected in the interval; the other iptables chains are always thrashed as well, which cleans the old iptables rules and generates new iptables rules with the same meaning.
An example from updating a meter label:
# Generated by iptables_manager
*filter
:neutron-
:neutron-
-I FORWARD 2 -j neutron-
-D FORWARD 4
-I INPUT 1 -j neutron-meter-INPUT
-D INPUT 3
-I OUTPUT 2 -j neutron-
-D OUTPUT 4
-I neutron-filter-top 1 -j neutron-meter-local
-D neutron-filter-top 3
-D neutron-
-I neutron-
-D neutron-
-I neutron-
-I neutron-
COMMIT
# Completed by iptables_manager
# Generated by iptables_manager
*raw
-I OUTPUT 1 -j neutron-
-D OUTPUT 3
-I PREROUTING 1 -j neutron-
-D PREROUTING 3
COMMIT
# Completed by iptables_manager
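The dump above shows the thrashing pattern the reporter describes: every chain gets a `-D` for the old rule and an `-I` for an identical new one, so the packet and byte counters on the untouched rules are lost. The following is an added example, not neutron's own iptables_manager code, contrasting a flush-and-rebuild plan with a diff-based plan that only emits the deletes and inserts actually needed. The chain names (`meter-FORWARD`, `meter-l-a`) and the two iptables-save snippets are constructed for the example; the only real change between them is one new source rule.

```python
# Added example (not neutron code): diff-based iptables chain update.
# Rules that exist in both the current and the desired state are left in
# place, so their counters survive the update.

from typing import Dict, List

# Constructed sample in iptables-save format (chain names are illustrative).
CURRENT_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
:meter-FORWARD - [0:0]
:meter-l-a - [0:0]
-A FORWARD -j meter-FORWARD
-A meter-FORWARD -s 10.0.0.0/24 -j meter-l-a
-A meter-FORWARD -d 10.0.0.0/24 -j meter-l-a
COMMIT
"""

# Desired state: same as above plus one extra source rule on meter-FORWARD.
DESIRED_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
:meter-FORWARD - [0:0]
:meter-l-a - [0:0]
-A FORWARD -j meter-FORWARD
-A meter-FORWARD -s 10.0.0.0/24 -j meter-l-a
-A meter-FORWARD -d 10.0.0.0/24 -j meter-l-a
-A meter-FORWARD -s 10.0.1.0/24 -j meter-l-a
COMMIT
"""


def parse_rules(save_text: str) -> Dict[str, List[str]]:
    """Map each chain name to its ordered list of rule specs (the text after '-A <chain> ')."""
    chains: Dict[str, List[str]] = {}
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            # ':chain policy [pkts:bytes]' declares a chain, possibly with no rules
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            _, chain, spec = line.split(" ", 2)
            chains.setdefault(chain, []).append(spec)
    return chains


def naive_plan(current: Dict[str, List[str]], desired: Dict[str, List[str]]) -> List[str]:
    """Flush-and-rebuild: delete every existing rule, then re-add every desired rule.
    Every rule is recreated, so every counter is reset (the thrashing behaviour)."""
    cmds: List[str] = []
    for chain, rules in current.items():
        cmds += [f"-D {chain} 1" for _ in rules]  # pop rule 1 until the chain is empty
    for chain, rules in desired.items():
        cmds += [f"-A {chain} {rule}" for rule in rules]
    return cmds


def diff_plan(current: Dict[str, List[str]], desired: Dict[str, List[str]]) -> List[str]:
    """Emit only the commands needed to turn `current` into `desired`.
    Rules present in both states are not touched. Assumes surviving rules keep their
    relative order; a pure reordering of existing rules is not handled here."""
    cmds: List[str] = []
    for chain in sorted(set(current) | set(desired)):
        have = current.get(chain, [])
        want = desired.get(chain, [])
        # Delete stale rules by spec rather than by index, so indices cannot drift.
        for spec in have:
            if spec not in want:
                cmds.append(f"-D {chain} {spec}")
        # Insert new rules at the position they occupy in the desired chain; because
        # inserts go in ascending order, each index is valid when it is applied.
        for idx, spec in enumerate(want, start=1):
            if spec not in have:
                cmds.append(f"-I {chain} {idx} {spec}")
    return cmds


def untouched_rules(current: Dict[str, List[str]], desired: Dict[str, List[str]]) -> int:
    """Number of rules the diff plan leaves alone (and whose counters therefore persist)."""
    return sum(
        1 for chain, rules in current.items()
        for spec in rules if spec in desired.get(chain, [])
    )


if __name__ == "__main__":
    cur, des = parse_rules(CURRENT_SAVE), parse_rules(DESIRED_SAVE)
    print("naive:", len(naive_plan(cur, des)), "commands")
    print("diff: ", diff_plan(cur, des))
    print("rules left untouched by diff plan:", untouched_rules(cur, des))
```

For the constructed input the naive plan issues seven commands (three deletes and four appends) and resets every counter, while the diff plan issues a single `-I meter-FORWARD 3 ...` and leaves the three pre-existing rules, and their counters, alone. Applying the plan for real would mean handing the commands to `iptables-restore -n` or `iptables` inside the router namespace; that step is deliberately left out so the example runs offline.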
Changed in neutron: | |
assignee: | nobody → Zhengwei Gao (multi-task) |
status: | New → In Progress |
information type: | Private Security → Public Security |
Changed in neutron: | |
assignee: | Zhengwei Gao (multi-task) → Brian Haley (brian-haley) |
Changed in neutron: | |
milestone: | none → newton-rc1 |
tags: | added: sg-fw |
tags: | added: metering |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
I've added the OSSA task since it's reported as a security bug, though it doesn't look like a vulnerability but more of a bug with (some) security implications (class D according to the VMT taxonomy).