Too Strict Rule Checking in tripleo::firewall::rule
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Invalid | Medium | Unassigned |
Bug Description
This is about the firewall rule sanity checking in puppet-tripleo.
If we want to accept any traffic from/to a specific host or subnet, we would not configure any port, which is totally normal. So I think the port requirement is kind of too strict for a firewall rule.
```puppet
# This conditional will ensure that TCP and UDP firewall rules have
# a port specified in the configuration when using INPUT or OUTPUT chains.
# If not, the Puppet catalog will fail.
# If we don't do this sanity check, a user could create some TCP/UDP
# rules without a port, and the result would be an iptables rule that allows any
# traffic on the host.
if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD') and ($table != 'nat')) {
  fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
}
```
summary: Too Strict Firewall Rule Checking → Too Strict Firewall Rule Checking in tripleo::firewall::rule
summary: Too Strict Firewall Rule Checking in tripleo::firewall::rule → Too Strict Rule Checking in tripleo::firewall::rule
Changed in tripleo:
milestone: none → victoria-3
status: New → Triaged
importance: Undecided → Medium
To create a rule that allows traffic for any port for a specific proto, please use "port: all" and do it for each proto (tcp, udp, icmp etc).
https://opendev.org/openstack/puppet-tripleo/src/commit/2677d9e20a220032f5dcef816a8da96d08779437/manifests/firewall/rule.pp#L109-L115
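To make the check and the suggested workaround concrete, here is an added Python model of the quoted Puppet conditional (not puppet-tripleo code) run over constructed rule definitions; it assumes the parameter defaults proto `tcp`, chain `INPUT` and table `filter`, and only models the catalog-time check, not how `port: all` is rendered into iptables afterwards.

```python
"""Python model of the tripleo::firewall::rule port sanity check.

Added example, not puppet-tripleo code: it reimplements the Puppet
conditional quoted in the bug so its accept/reject behaviour can be
exercised against sample rule definitions (all constructed here).
"""


def needs_port(rule: dict) -> bool:
    """Return True when the Puppet check would fail the catalog.

    Mirrors: proto in [tcp, udp] and no port/dport/sport set, and the
    rule is neither in the FORWARD chain nor in the nat table. The
    defaults (proto tcp, chain INPUT, table filter) are assumptions.
    """
    proto = rule.get("proto", "tcp")
    chain = rule.get("chain", "INPUT")
    table = rule.get("table", "filter")
    has_port = any(rule.get(k) for k in ("port", "dport", "sport"))
    return (proto in ("tcp", "udp") and not has_port
            and chain != "FORWARD" and table != "nat")


def validate(rules: dict) -> dict:
    """Classify each named rule as 'ok' or 'fail', like catalog compilation."""
    return {title: ("fail" if needs_port(r) else "ok") for title, r in rules.items()}


# Constructed sample rules shaped like tripleo firewall hieradata.
SAMPLE_RULES = {
    # Rejected: tcp in INPUT with no port would match all tcp traffic.
    "100 trust mgmt host": {"proto": "tcp", "source": "192.0.2.10/32"},
    # Accepted: the workaround from the reply, one rule per protocol.
    "101 trust mgmt host tcp": {"proto": "tcp", "port": "all", "source": "192.0.2.10/32"},
    "101 trust mgmt host udp": {"proto": "udp", "port": "all", "source": "192.0.2.10/32"},
    # Accepted: icmp is not subject to the port requirement.
    "101 trust mgmt host icmp": {"proto": "icmp", "source": "192.0.2.10/32"},
    # Accepted: FORWARD chain and nat table are exempt from the check.
    "200 forward": {"proto": "tcp", "chain": "FORWARD"},
    "201 nat": {"proto": "udp", "table": "nat", "chain": "POSTROUTING"},
    # Accepted: explicit destination port.
    "300 ssh": {"proto": "tcp", "dport": 22},
}

if __name__ == "__main__":
    for title, verdict in validate(SAMPLE_RULES).items():
        print(f"{verdict:4} {title}")
```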