Comment 0 for bug 1365961

Bertrand Lallau (bertrand-lallau) wrote : Dangerous iptables rule generated in case of protocol "any" and destination-port usage

Icehouse 2014.1.2, FWaas using iptables driver

In order to allow DNS (TCP and UDP) request, the following rule was defined:
neutron firewall-rule-create --protocol any --destination-port 53 --action allow

On L3agent namespace this has been translated in the following iptables rules:
-A neutron-l3-agent-iv441c58eb2 -j ACCEPT
-A neutron-l3-agent-ov441c58eb2 -j ACCEPT
=> there is no restriction on the protocol or port, contrary to what we could expect!!!

There are 2 solutions to handle this issue:

1) Don't allow a user to create a rule specifying protocol "any" AND a destination-port.

2) Generate the following rules (like some firewalls do):
-A neutron-l3-agent-iv441c58eb2 -p tcp -m tcp --dport 53 -j ACCEPT
-A neutron-l3-agent-iv441c58eb2 -p udp -m udp --dport 53 -j ACCEPT
-A neutron-l3-agent-ov441c58eb2 -p tcp -m tcp --dport 53 -j ACCEPT
-A neutron-l3-agent-ov441c58eb2 -p udp -m udp --dport 53 -j ACCEPT
=> TCP and UDP rules have both been generated.

The source code affected is located in neutron/services/firewall/drivers/linux/iptables_fwaas.py (L268)

    def _port_arg(self, direction, protocol, port):
        # The port is silently dropped for any protocol other than udp/tcp,
        # so protocol "any" + port yields a rule with no port match at all.
        if not (protocol in ['udp', 'tcp'] and port):
            return ''
        return '--%s %s' % (direction, port)

=> trunk code is affected too.

Note: This is not a real Neutron security vulnerability but it is a real security vulnerability for applications living in the OpenStack cloud... That's why I tagged it as "security vulnerability".

Regards,
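As an added example (not neutron's code and not part of the original report), the following Python models the FWaaS-to-iptables translation described above: the reported behaviour, both proposed fixes, and a small audit check that flags the unrestricted ACCEPT. The chain names are the ones quoted in the report; the rule builder itself is a simplified stand-in for the driver.

```python
# Added example, not neutron's code: a model of the FWaaS -> iptables
# translation from this report. Chain names are those quoted in the report.
CHAINS = ('neutron-l3-agent-iv441c58eb2', 'neutron-l3-agent-ov441c58eb2')


def _port_arg(direction, protocol, port):
    """Same logic as the Icehouse _port_arg quoted in the report: the port
    is silently dropped unless the protocol is tcp or udp."""
    if not (protocol in ('udp', 'tcp') and port):
        return ''
    return '--%s %s' % (direction, port)


def _build_rule(chain, protocol, port, action='ACCEPT'):
    """Render one iptables rule; protocol 'any' adds no -p/-m match."""
    parts = ['-A', chain]
    if protocol in ('tcp', 'udp'):
        parts += ['-p', protocol, '-m', protocol]
    dport = _port_arg('dport', protocol, port)
    if dport:
        parts.append(dport)
    parts += ['-j', action]
    return ' '.join(parts)


def rules_as_reported(protocol, port):
    """Reported behaviour: 'any' + port collapses to an unrestricted ACCEPT."""
    return [_build_rule(c, protocol, port) for c in CHAINS]


def validate_rule(protocol, port):
    """Fix option 1: refuse 'any' combined with a port.
    Returns an error message, or None when the combination is acceptable."""
    if protocol == 'any' and port:
        return "protocol 'any' cannot be combined with a port; use tcp or udp"
    return None


def rules_fixed(protocol, port):
    """Fix option 2: expand 'any' + port into one tcp and one udp rule."""
    protocols = ['tcp', 'udp'] if (protocol == 'any' and port) else [protocol]
    return [_build_rule(c, p, port) for c in CHAINS for p in protocols]


def is_unrestricted_accept(rule):
    """Audit check: an ACCEPT rule carrying neither a protocol nor a port
    match, which is exactly the dangerous output the report describes."""
    return (rule.endswith('-j ACCEPT') and ' -p ' not in rule
            and '--dport' not in rule and '--sport' not in rule)
```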