In order to allow DNS (TCP and UDP) requests, the following rule was defined:
neutron firewall-rule-create --protocol any --destination-port 53 --action allow
In the L3 agent namespace this was translated into the following iptables rules:
-A neutron-l3-agent-iv441c58eb2 -j ACCEPT
-A neutron-l3-agent-ov441c58eb2 -j ACCEPT
=> there is no restriction on the destination port, contrary to what we would expect!!!
There are 2 solutions to handle this issue:
1) Don't allow a user to create a rule specifying protocol "any" AND a destination port.
2) Generate the following rules (like some firewalls do):
-A neutron-l3-agent-iv441c58eb2 -p tcp -m tcp --dport 53 -j ACCEPT
-A neutron-l3-agent-iv441c58eb2 -p udp -m udp --dport 53 -j ACCEPT
-A neutron-l3-agent-ov441c58eb2 -p tcp -m tcp --dport 53 -j ACCEPT
-A neutron-l3-agent-ov441c58eb2 -p udp -m udp --dport 53 -j ACCEPT
=> the "any" rule is expanded into both a TCP and a UDP rule, so the port restriction is kept.
The affected source code is located in neutron/services/firewall/drivers/linux/iptables_fwaas.py (L268):
    def _port_arg(self, direction, protocol, port):
        # protocol "any" is neither udp nor tcp, so the port is silently dropped
        if not (protocol in ['udp', 'tcp'] and port):
            return ''
        return '--%s %s' % (direction, port)
=> trunk code is affected too.
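As an added example (not Neutron's code), the two proposed fixes side by side with the reported behaviour: the chain name and the rule dict are constructed, and the building of the "-p/-m" part is a simplified stand-in for the real driver logic.

```python
# Added example, not Neutron code. Chain name and rule dict are constructed;
# render_original() mimics the reported behaviour with a simplified rule builder.

def port_arg(direction, protocol, port):
    """The _port_arg() quoted in the report: the port vanishes for 'any'."""
    if not (protocol in ['udp', 'tcp'] and port):
        return ''
    return '--%s %s' % (direction, port)

def render_original(chain, rule):
    """Reported behaviour: protocol 'any' + port becomes an unrestricted ACCEPT."""
    proto, port = rule['protocol'], rule.get('destination_port')
    parts = ['-A', chain]
    if proto in ('tcp', 'udp'):
        parts += ['-p', proto, '-m', proto]
    if port_arg('dport', proto, port):
        parts.append(port_arg('dport', proto, port))
    parts += ['-j', 'ACCEPT' if rule['action'] == 'allow' else 'DROP']
    return [' '.join(parts)]

def rejects_any_with_port(rule):
    """Option 1: refuse protocol 'any' combined with a port at rule creation."""
    return rule['protocol'] == 'any' and bool(rule.get('destination_port'))

def render_expanded(chain, rule):
    """Option 2: a port-bearing 'any' rule is expanded into TCP and UDP rules."""
    proto, port = rule['protocol'], rule.get('destination_port')
    if proto in ('tcp', 'udp'):
        protocols = [proto]
    else:
        protocols = ['tcp', 'udp'] if port else [None]  # no port: no -p needed
    action = 'ACCEPT' if rule['action'] == 'allow' else 'DROP'
    lines = []
    for p in protocols:
        parts = ['-A', chain]
        if p:
            parts += ['-p', p, '-m', p]
            if port:
                parts.append(port_arg('dport', p, port))
        parts += ['-j', action]
        lines.append(' '.join(parts))
    return lines

if __name__ == '__main__':
    dns = {'protocol': 'any', 'destination_port': '53', 'action': 'allow'}
    for chain in ('neutron-l3-agent-iv441c58eb2', 'neutron-l3-agent-ov441c58eb2'):
        print('original:', render_original(chain, dns))
        print('expanded:', render_expanded(chain, dns))
```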
Note: This is not a real Neutron security vulnerability, but it is a real security vulnerability for applications living in the OpenStack cloud... That's why I tagged it as "security vulnerability".
Icehouse 2014.1.2, FWaaS using the iptables driver
Regards,