tripleo-ansible - uses 'proto' field to decide if rule is created in iptables or ip6tables

Bug #1845170 reported by Harald Jensås
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Harald Jensås

Bug Description

The 'firewall'[1] role in tripleo-ansible uses the 'proto' field in a condition to decide if rules should be created in iptables|ip6tables. This is incorrect.

When 'ipv4' or 'ipv6' is in the protocol field it is to tell the firewall to take action on ip-in-ip encapsulation. Allowing encapsulation of 'ipv6' inside 'ipv4' is a valid use case[2][3], _and_ it is potentially used by tripleo[4].

Thus rules should be created in iptables when proto == 'ipv6' and vice versa.

TripleO should add support to define if a rule is intended for iptables or ip6tables. See separate bug regarding this: https://bugs.launchpad.net/tripleo/+bug/1845153

[1] https://opendev.org/openstack/tripleo-ansible/src/branch/master/tripleo_ansible/roles/tripleo-firewall/tasks/tripleo_firewall_add.yml#L72
[2] https://en.wikipedia.org/wiki/6to4
[3] https://en.wikipedia.org/wiki/IP_in_IP
[4] https://opendev.org/openstack/tripleo-heat-templates/src/branch/master/deployment/kubernetes/kubernetes-worker-baremetal-ansible.yaml#L62

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/684277

Changed in tripleo:
assignee: nobody → Harald Jensås (harald-jensas)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/684277
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=68ec102343abff3c8936bd75f26484f7d058b1ca
Submitter: Zuul
Branch: master

commit 68ec102343abff3c8936bd75f26484f7d058b1ca
Author: Harald Jensås <email address hidden>
Date: Tue Sep 24 11:54:53 2019 +0200

    Support 'ipversion' property in rules

    The firewall role incorrectly used the 'proto' field in
    a rule as a conditional to decide if the rule should be
    created in iptables|ip6tables (or both). When proto was
    'ipv6' the rule was not created in iptables, and when
    proto was 'ipv4' the rule was not created in ip6tables.

    When the proto field has 'ipv4' or 'ipv6' it is to
    create rules for ip-in-ip encapsulation. Encapsulating
    ipv4 in ipv6 or vice-versa is a valid use case.

    This change adds the 'ipversion' property for rules.

    Closes-Bug: #1845170
    Change-Id: I4b3463f27714721b2252640d8714da820da2eed6

Changed in tripleo:
status: In Progress → Fix Released
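Added example (not the tripleo-ansible role's own code, nor the reporter's): a small model of the table-selection logic from the bug description above and the commit message, with the old 'proto'-based choice beside selection by the explicit 'ipversion' property the fix introduces. The accepted 'ipversion' values, the "both tables when unset" default and the sample rules are assumptions made for this example.

```python
"""Model of bug #1845170: which firewall table(s) a rule is created in.

Assumed here: 'ipversion' takes 'ipv4' or 'ipv6', and a rule without it
is created in both tables (the role's real defaults may differ).
"""

TABLES = ("iptables", "ip6tables")


def tables_for_rule_buggy(rule):
    """Old behaviour: 'proto' decides the table. A 6to4 rule
    (IPv6 encapsulated in IPv4, proto='ipv6') therefore never
    reaches iptables, which is the bug."""
    proto = rule.get("proto", "tcp")
    if proto == "ipv6":
        return ("ip6tables",)
    if proto == "ipv4":
        return ("iptables",)
    return TABLES


def tables_for_rule_fixed(rule):
    """Fixed behaviour: 'proto' no longer influences table choice
    ('ipv4'/'ipv6' there mean ip-in-ip encapsulation); only the
    explicit 'ipversion' property selects the table."""
    ipversion = rule.get("ipversion")
    if ipversion is None:
        return TABLES  # assumed default: both tables
    if ipversion not in ("ipv4", "ipv6"):
        raise ValueError(f"unsupported ipversion {ipversion!r}")
    return ("iptables",) if ipversion == "ipv4" else ("ip6tables",)


# Constructed sample rules (names and values invented for this example).
SAMPLE_RULES = {
    "100 accept 6to4 tunnel": {"proto": "ipv6", "ipversion": "ipv4"},
    "101 accept ipv4 over ipv6": {"proto": "ipv4", "ipversion": "ipv6"},
    "102 accept ssh": {"proto": "tcp", "dport": 22},
    "103 accept ssh v6 only": {"proto": "tcp", "dport": 22, "ipversion": "ipv6"},
}


def compare(rules=SAMPLE_RULES):
    """Return {name: (old_tables, new_tables)} for rules whose
    placement changes between the buggy and the fixed logic."""
    changed = {}
    for name, rule in rules.items():
        old, new = tables_for_rule_buggy(rule), tables_for_rule_fixed(rule)
        if old != new:
            changed[name] = (old, new)
    return changed
```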
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-ansible 0.4.0

This issue was fixed in the openstack/tripleo-ansible 0.4.0 release.
