Too Strict Rule Checking in tripleo::firewall::rule
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| tripleo |
Invalid
|
Medium
|
Unassigned | ||
Bug Description
This is about the firewall rule sanity checking in puppet-tripleo.
If we want accept any traffic from/to a specific host or subnet, we would not configure any port, which is totally normal. So I think the port requirement is kind of too strict for a firewall rule.
```
# This conditional will ensure that TCP and UDP firewall rules have
# a port specified in the configuration when using INPUT or OUTPUT chains.
# If not, the Puppet catalog will fail.
# If we don't do this sanity check, a user could create some TCP/UDP
# rules without port, and the result would be an iptables rule that allow any
# traffic on the host.
if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD') and ($table != 'nat')) {
fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
}
```
| summary: |
- Too Strict Firewall Rule Checking + Too Strict Firewall Rule Checking in tripleo::firewall::rule |
| summary: |
- Too Strict Firewall Rule Checking in tripleo::firewall::rule + Too Strict Rule Checking in tripleo::firewall::rule |
| Changed in tripleo: | |
| milestone: | none → victoria-3 |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| Emilien Macchi (emilienm) wrote | #1 |
| Changed in tripleo: | |
| status: | Triaged → Invalid |
| Zhu Shengli (akarei) wrote | #2 |
To create a rule that allow traffic for any ports for a specific proto, please use "port: all" and do it for each proto (tcp, udp, icmp etc).
https:/