Iptables can allow open access to instances in certain situations
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Undecided | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
We have been debugging some instance hacks on our cloud and we have tracked it down to nova setting some iptables rules that open access to all instances.
Environment:
We are using neutron and have reproduced this on Newton and Ocata; it looks like Mitaka is not affected.
nova.conf options:
use_neutron=True
linuxnet_
firewall_driver = nova.virt.
neutron is using ML2/linuxbridge
Steps to reproduce:
# Clear out all iptables rules
iptables -F; iptables -X; iptables -t nat -F; iptables -t nat -X; iptables -t mangle -F; iptables -t mangle -X; iptables -t raw -F; iptables -t raw -X
# restart neutron linuxbridge
systemctl restart neutron-
# Wait a couple of seconds for rules to be added
sleep 5
# Restart nova-compute
systemctl restart nova-compute
If you look in iptables you will see in the FORWARD chain:
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-
The nova-compute-
-A nova-compute-
-A nova-compute-
-A nova-compute-
It seems that once the neutron agent does something on this host (e.g. a new instance gets booted or deleted), the rules change to:
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-
So we don't see this much; just on quiet compute nodes, it would seem.
I feel like nova shouldn't be doing any iptables stuff, so I'm scared I've got some config wrong, but I haven't found anything so far and it looks the same as our Mitaka hosts, which don't see this issue.
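The report above turns on the order in which the FORWARD chain hands off to nova's and neutron's chains: when the nova jumps sit ahead of the neutron jumps, traffic is evaluated by nova's chains before neutron's security-group filtering gets a look. The following is an added example, not code from the bug report or from nova/neutron, that parses `iptables -S FORWARD` output and flags the nova-before-neutron ordering. The sample rule listings are constructed; the chain names `nova-compute-PLACEHOLDER` and `neutron-PLACEHOLDER` are stand-ins for the chain names that are cut off in the report, and the check only relies on the `nova-` / `neutron-` prefixes.

```python
import re
import subprocess
from typing import List, Optional

# Constructed sample of `iptables -S FORWARD` output matching the ordering the
# report sees right after nova-compute restarts on an idle node (nova chains
# hooked before neutron's). Only nova-filter-top and neutron-filter-top are
# chain names taken from the report; the others are placeholders.
FORWARD_BAD = """\
-P FORWARD ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-PLACEHOLDER
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-PLACEHOLDER
"""

# Constructed sample of the ordering seen once the neutron agent has
# re-applied its rules (neutron chains first).
FORWARD_GOOD = """\
-P FORWARD ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-PLACEHOLDER
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-PLACEHOLDER
"""

# Matches "-A FORWARD [match options] -j <target>" and captures the target chain.
JUMP_RE = re.compile(r"^-A FORWARD\s+(?:.*\s)?-j\s+(\S+)")


def forward_jumps(rules: str) -> List[str]:
    """Return the jump targets of the FORWARD chain in evaluation order."""
    targets = []
    for line in rules.splitlines():
        m = JUMP_RE.match(line.strip())
        if m:
            targets.append(m.group(1))
    return targets


def first_index_with_prefix(targets: List[str], prefix: str) -> Optional[int]:
    """Index of the first jump target starting with prefix, or None."""
    for i, t in enumerate(targets):
        if t.startswith(prefix):
            return i
    return None


def nova_before_neutron(rules: str) -> bool:
    """True when a nova-* chain is reached from FORWARD before any neutron-* chain.

    That is the ordering the report describes as exposing instances; a listing
    with only one of the two families present is not reported as misordered.
    """
    jumps = forward_jumps(rules)
    nova = first_index_with_prefix(jumps, "nova-")
    neutron = first_index_with_prefix(jumps, "neutron-")
    if nova is None or neutron is None:
        return False
    return nova < neutron


def live_forward_rules() -> str:
    """Read the current FORWARD chain from iptables (needs root; assumed available)."""
    return subprocess.run(
        ["iptables", "-S", "FORWARD"], check=True, capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in
    # live_forward_rules() to audit a real compute node.
    for label, rules in (("constructed bad", FORWARD_BAD), ("constructed good", FORWARD_GOOD)):
        state = "MISORDERED (nova before neutron)" if nova_before_neutron(rules) else "ok"
        print(f"{label}: {forward_jumps(rules)} -> {state}")
```

Run as root with `live_forward_rules()` in place of the samples to audit a compute node after a nova-compute restart; a periodic run of this check is a cheap way to catch the quiet-node case the report mentions, where no neutron event has yet re-ordered the chain.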
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.