Container Undercloud - masquerading firewall rules are incorrect
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tripleo | Fix Released | High | Harald Jensås | | |
Bug Description
Two issues:
a) The puppet-tripleo masquerading manifest[1] passes a list of IPNetworks (destinations) to the destination property of firewall return rules. The result of passing the list is that only the rule for the first address is created.
Actual result:
--------------
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 172.20.0.0/26 172.20.0.0/26 state NEW,RELATED,
RETURN all -- 172.20.0.128/26 172.20.0.0/26 state NEW,RELATED,
RETURN all -- 172.20.0.64/26 172.20.0.0/26 state NEW,RELATED,
Expected result:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 172.20.0.0/26 172.20.0.0/26 state NEW,RELATED,
RETURN all -- 172.20.0.0/26 172.20.0.64/26 state NEW,RELATED,
RETURN all -- 172.20.0.0/26 172.20.0.128/26 state NEW,RELATED,
RETURN all -- 172.20.0.128/26 172.20.0.0/26 state NEW,RELATED,
RETURN all -- 172.20.0.128/26 172.20.0.64/26 state NEW,RELATED,
RETURN all -- 172.20.0.128/26 172.20.0.128/26 state NEW,RELATED,
RETURN all -- 172.20.0.64/26 172.20.0.0/26 state NEW,RELATED,
RETURN all -- 172.20.0.64/26 172.20.0.64/26 state NEW,RELATED,
RETURN all -- 172.20.0.64/26 172.20.0.128/26 state NEW,RELATED,
b) The FORWARD table's destination rules suffer a similar issue, where we pass a list of IPNetworks to the destination rules.
Actual result:
--------------
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.20.0.0/26 anywhere state NEW,RELATED,
ACCEPT all -- 172.20.0.128/26 anywhere state NEW,RELATED,
ACCEPT all -- 172.20.0.64/26 anywhere state NEW,RELATED,
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,
Expected result:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.20.0.0/26 anywhere state NEW,RELATED,
ACCEPT all -- 172.20.0.128/26 anywhere state NEW,RELATED,
ACCEPT all -- 172.20.0.64/26 anywhere state NEW,RELATED,
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,
ACCEPT all -- anywhere 172.20.0.128/26 state NEW,RELATED,
ACCEPT all -- anywhere 172.20.0.64/26 state NEW,RELATED,
[1] https:/
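A check for the symptom described in this report, added here as an example and not part of the bug report or the puppet-tripleo code: it parses `iptables -L` style listings and reports which source/destination pairs are missing from the expected rule set. The function names are hypothetical; the networks and listings are copied from the "Actual result" output above.

```python
import ipaddress
from itertools import product

# Networks and listings copied from the report's "Actual result" output.
NETWORKS = ["172.20.0.0/26", "172.20.0.64/26", "172.20.0.128/26"]
ACTUAL_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 172.20.0.0/26 172.20.0.0/26 state NEW,RELATED,
RETURN all -- 172.20.0.128/26 172.20.0.0/26 state NEW,RELATED,
RETURN all -- 172.20.0.64/26 172.20.0.0/26 state NEW,RELATED,
"""
ACTUAL_FORWARD = """\
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.20.0.0/26 anywhere state NEW,RELATED,
ACCEPT all -- 172.20.0.128/26 anywhere state NEW,RELATED,
ACCEPT all -- 172.20.0.64/26 anywhere state NEW,RELATED,
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(field):
    # iptables -L prints "anywhere" for 0.0.0.0/0 unless -n is used.
    return ANY if field == "anywhere" else ipaddress.ip_network(field)

def parse_rules(listing, target):
    """Set of (source, destination) networks for rules with this target."""
    rules = set()
    for line in listing.splitlines():
        fields = line.split()  # target prot opt source destination [matches]
        if len(fields) >= 5 and fields[0] == target:
            rules.add((_net(fields[3]), _net(fields[4])))
    return rules

def expected_return_rules(networks):
    """POSTROUTING: one RETURN rule per (source, destination) pair."""
    return set(product([ipaddress.ip_network(n) for n in networks], repeat=2))

def expected_forward_rules(networks):
    """FORWARD: one ACCEPT from each network and one ACCEPT to each network."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return {(n, ANY) for n in nets} | {(ANY, n) for n in nets}

def missing_rules(listing, target, expected):
    """Expected (source, destination) pairs absent from the listing."""
    missing = sorted(expected - parse_rules(listing, target))
    return [(str(src), str(dst)) for src, dst in missing]
```

Duplicate rules, such as the three identical FORWARD destination rules in the actual output, collapse to one entry in the parsed set, so the missing list reflects coverage rather than rule count.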
Changed in tripleo:
milestone: stein-1 → stein-2
Fix proposed to branch: master
Review: https://review.openstack.org/609858