tripleo

Unmanaged iptables rules are kept after the deploy (v4 and v6)

Bug #1812695 reported by Cédric Jeanneret on 2019-01-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Cédric Jeanneret	tripleo stein-3

Bug Description

Hey folks,

We apparently have a "small" issue with iptables in tripleo:
there are rules that are apparently NOT managed by puppet, and they can cause some security issues.

For instance, on an undercloud deployed against latest master packages as of today, we can see the following rules being unmanaged:
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
    2 104 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
    0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Here, we can see SSH service is allowed world-wide, and a repetition of some other rules that are actually pushed by puppet-iptables.

Also, the last REJECT one prevent any logging to happen:
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 20/min burst 15 /* 998 log all ipv4 */ LOG flags 0 level 4
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 999 drop all ipv4 */

And we have the same behaviour with ipv6, of course:
    0 0 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
    0 0 ACCEPT icmpv6 * * ::/0 ::/0
    0 0 ACCEPT all lo * ::/0 ::/0
    0 0 ACCEPT tcp * * ::/0 ::/0 state NEW tcp dpt:22
    0 0 ACCEPT udp * * ::/0 fe80::/64 udp dpt:546 state NEW
    0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-adm-prohibited

That issue has the following impact:
- unmanage rules are present after the deploy
- as they are unmanaged, we can't drop them easily or, if needed, update them (puppet-firewall relies on the comment/resource name)
- the current situation prevent any LOG to happen, since we hit the REJECT rule before any logging.
- the current situation prevent the final DROP to happen, since the REJECT is hit before

Tags:

OpenStack Infra (hudson-openstack) on 2019-01-21

Changed in tripleo:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-01-25: Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/632117
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=f25c27aa2c6eff327d612d163c1758b59618d6ed
Submitter: Zuul
Branch: master

commit f25c27aa2c6eff327d612d163c1758b59618d6ed
Author: Cédric Jeanneret <email address hidden>
Date: Mon Jan 21 15:05:47 2019 +0100

Ensure we get a clean firewall

The iptables-services package pushes a bunch of default rules, activated as soon
as we start the "iptables" systemd unit.

    This patch intends to remove those default rules, in order to ensure we get
    only managed firewall rules (either by puppet, or by any openstack service like
    neutron).

In order to prevent any issue, instead of erasing the file, we actually save the
current state prior the iptables-services installation and subsequent service startup.

    The iptables-services installation and activation is done at the "include ::firewall"
    step.
    Prior that, iptables is empty, meaning if we save, and pre-create the
    /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files before we include the
    "::firewall" class, we will get an empty, clean ruleset.

Please note, this won't correct already deployed infrastructure though - that will
probably requires an upgrade_tasks directly in tripleo-heat-templates.

    SecurityImpact
    Related: https://bugzilla.redhat.com/show_bug.cgi?id=1667887
    Partial-Bug: #1812695
    Change-Id: I74d15b8de216984ac42a0839430ae9afe2554d16

Revision history for this message

Cédric Jeanneret (cjeanner) wrote on 2019-01-29:

Fix is OK for new deploy - still, update/upgrade doesn't take care of the cleanup. Will open a new issue about that once I have some more insight from network team.

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-01: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/634403

Bogdan Dobrelya (bogdando) on 2019-02-05

Changed in tripleo:
milestone:	none → stein-3
tags:	added: queens-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-05: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/634403
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=65041ed9d8618cf3762d6d1a811e98fe69cb1ce9
Submitter: Zuul
Branch: master

commit 65041ed9d8618cf3762d6d1a811e98fe69cb1ce9
Author: Cédric Jeanneret <email address hidden>
Date: Fri Feb 1 10:02:20 2019 +0100

Clean unmanaged rules pushed by iptables-services package

    As iptables-services injects default rules, we must ensure,
    upon upgrade, that none of those unmanaged rules are present
    in the firewall, nor in the iptables saved state.

We cannot remove them with puppet nor ansible due to the following
reasons:

    - puppetlabs-firewall, the puppet module used in TripleO, manages
      the firewall resources with comments - the comment value is the
      name of the puppet resource. As the default rules have no comment,
      puppet doesn't "see" them as managed resources, and can't affect
      them.

    - we can't simply "flush" all the rules and reapply them, because
      puppet does not manage all the rules - some are managed by neutron,
      for example.

    - ansible "iptables" module doesn't make a full match of the chain,
      and might drop the unwanted ones, keeping the unmanaged in place.
      Also, it doesn't take care of the saved state.

    SecurityImpact
    Related: https://bugzilla.redhat.com/show_bug.cgi?id=1667887
    Closes-Bug: #1812695
    Change-Id: I59733cb9a0323bbce4e20838a78103a70ec0d426