iptables rules are not host-based when using podman
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Incomplete | High | Unassigned |
Bug Description
Rules seem to be local to the podman container:
[root@standalone ~]# podman exec -it -u root neutron_l3_agent bash -c 'iptables -nvL'
Chain INPUT (policy ACCEPT 31M packets, 5826M bytes)
pkts bytes target prot opt in out source destination
36M 16G neutron-
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4243 1315K neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
4243 1315K neutron-
Chain OUTPUT (policy ACCEPT 31M packets, 5777M bytes)
pkts bytes target prot opt in out source destination
35M 10G neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
35M 10G neutron-
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
35M 10G neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 neutron-
4231 1311K neutron-
0 0 neutron-
6 1968 neutron-
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap184cc16f-8a --physdev-
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap184cc16f-8a --physdev-
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap9246c149-7a --physdev-
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap9246c149-7a --physdev-
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 neutron-
0 0 neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
0 0 RETURN udp -- * * 0.0.0.0/0 192.168.200.33 udp spt:67 dpt:68
0 0 RETURN udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set NIPv4ec69dbdb-
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
0 0 neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
0 0 RETURN udp -- * * 0.0.0.0/0 192.168.200.28 udp spt:67 dpt:68
0 0 RETURN udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set NIPv4ec69dbdb-
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
0 0 neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
Chain neutron-
pkts bytes target prot opt in out source destination
25 8200 RETURN udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
4206 1303K neutron-
3906 1281K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
300 21760 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
0 0 neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
6 1968 RETURN udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
0 0 neutron-
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
0 0 neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
4206 1303K RETURN all -- * * 192.168.200.33 0.0.0.0/0 MAC FA:16:3E:31:6B:9B /* Allow traffic from defined IP/MAC pairs. */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* Drop traffic without an IP/MAC allow rule. */
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 192.168.200.28 0.0.0.0/0 MAC FA:16:3E:DE:7C:E7 /* Allow traffic from defined IP/MAC pairs. */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* Drop traffic without an IP/MAC allow rule. */
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 neutron-
4231 1311K neutron-
0 0 neutron-
6 1968 neutron-
4243 1315K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* Default drop rule for unmatched traffic. */
We should see the above rules on the host as well, but we do not:
[root@standalone ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
38M 27G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* 000 accept related established rules ipv4 */
6 504 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 001 accept all icmp ipv4 */
122K 7292K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW /* 002 accept all to lo interface ipv4 */
0 0 ACCEPT tcp -- * * 192.168.24.0/24 0.0.0.0/0 multiport dports 22 state NEW /* 003 accept ssh from controlplane ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 873,3306,
0 0 ACCEPT 112 -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 106 neutron_l3 vrrp ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 4369,5672,25672 state NEW /* 109 rabbitmq ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5000,13000,35357 state NEW /* 111 keystone ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 9292,13292 state NEW /* 112 glance_api ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8774,13774 state NEW /* 113 nova_api ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 2022 state NEW /* 113 nova_migration_
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 9696,13696 state NEW /* 114 neutron api ipv4 */
39 12792 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 67 state NEW /* 115 neutron dhcp input ipv4 */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 4789 state NEW /* 118 neutron vxlan networks ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8776,13776 state NEW /* 119 cinder ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 3260 state NEW /* 120 iscsi initiator ipv4 */
0 0 ACCEPT tcp -- * * 192.168.24.0/24 0.0.0.0/0 multiport dports 11211 state NEW /* 121 memcached 192.168.24.2/24 ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8080,13808 state NEW /* 122 swift proxy ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 873,6000,6001,6002 state NEW /* 123 swift storage ipv4 */
0 0 ACCEPT udp -- * * 192.168.24.0/24 0.0.0.0/0 multiport dports 161 state NEW /* 124 snmp 192.168.24.2/24 ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 126 horizon ipv4 */
0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0 /* 136 neutron gre networks ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 6080,13080 state NEW /* 137 nova_vnc_proxy ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8778,13778 state NEW /* 138 nova_placement ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8775,13775 state NEW /* 139 nova_metadata ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8787,13787 state NEW /* 155 docker-registry ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 16514,61152:
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
5 260 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
9 540 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 20/min burst 15 /* 998 log all ipv4 */ LOG flags 0 level 4
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 999 drop all ipv4 */
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4243 1315K CNI-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI firewall plugin rules */
4243 1315K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-
Chain OUTPUT (policy ACCEPT 37M packets, 13G bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 68 state NEW /* 116 neutron dhcp output ipv4 */
Chain CNI-FORWARD (1 references)
pkts bytes target prot opt in out source destination
4243 1315K CNI-ADMIN all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI firewall plugin rules */
Chain CNI-ADMIN (1 references)
pkts bytes target prot opt in out source destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
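The last line of the host output is the iptables-nft front end reporting that a second, legacy rule set exists in the same kernel, which is the rule set a container shipping the older iptables tooling writes to; the kernel enforces both, but an operator auditing with the host's `iptables` sees only one. The script below is an added example, not part of the bug report or of TripleO: it counts rules in each backend, flags the split, and checks saved output for the warning and for neutron- chains. It assumes the `iptables-legacy` and `iptables-nft` binaries exist for the live check (`--live`, root); the text helpers run on any captured output and need neither.

```shell
#!/bin/sh
# Added example: detect rules split across the iptables-legacy and
# iptables-nft backends, the condition the host output above shows.

# Number of rules (-A lines) a backend reports, or 0 when the binary is
# missing or cannot be run (non-root, no netlink access).
count_rules() {
    if command -v "$1" >/dev/null 2>&1; then
        "$1" -S 2>/dev/null | grep -c '^-A' || true
    else
        echo 0
    fi
}

# Count chains whose name starts with prefix $1 in 'iptables -S' style text $2.
count_chains_with_prefix() {
    printf '%s\n' "$2" | grep -c "^-N $1" || true
}

# True when text $1 carries the warning iptables-nft prints for legacy tables.
has_legacy_warning() {
    printf '%s\n' "$1" | grep -q '^# Warning: iptables-legacy tables present'
}

# Verdict from legacy count $1 and nft count $2.
classify_backends() {
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then echo SPLIT
    elif [ "$1" -gt 0 ]; then echo LEGACY-ONLY
    elif [ "$2" -gt 0 ]; then echo NFT-ONLY
    else echo EMPTY
    fi
}

# Live check on a host; SPLIT means 'iptables' alone shows an incomplete view.
main() {
    legacy=$(count_rules iptables-legacy)
    nft=$(count_rules iptables-nft)
    echo "legacy=$legacy nft=$nft verdict=$(classify_backends "$legacy" "$nft")"
    legacy_dump=$(iptables-legacy -S 2>/dev/null || true)
    echo "neutron- chains in legacy backend: $(count_chains_with_prefix neutron- "$legacy_dump")"
}

if [ "${1:-}" = "--live" ]; then main; fi
```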
Changed in tripleo:
  importance: Undecided → High
  milestone: none → stein-3
  status: New → Triaged
Changed in tripleo:
  milestone: stein-3 → stein-rc1
Changed in tripleo:
  milestone: stein-rc1 → train-1
Changed in tripleo:
  milestone: train-1 → train-2
Changed in tripleo:
  milestone: train-2 → train-3
Changed in tripleo:
  milestone: train-3 → ussuri-1
Changed in tripleo:
  milestone: ussuri-1 → ussuri-2
Changed in tripleo:
  milestone: ussuri-2 → ussuri-3
Changed in tripleo:
  milestone: ussuri-3 → ussuri-rc3
Changed in tripleo:
  status: Triaged → Incomplete
Changed in tripleo:
  milestone: ussuri-rc3 → victoria-1
Changed in tripleo:
  milestone: victoria-1 → victoria-3
The podman containers where this was observed are rhel8/f28-based containers.