Incorrect iptables INPUT rules on l3-agent for metadata proxy

Bug #1399462 reported by Cedric Brandily
Affects: neutron | Status: Fix Released | Importance: Medium | Assigned to: Cedric Brandily

Bug Description

On the l3-agent, 2 iptables rules are defined to ensure the metadata proxy is reachable from vms on 169.254.169.254:80:
* REDIRECT 169.254.169.254:80 packets to the router on port 9697(metadata proxy port)
    -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
* ACCEPT traffic to 127.0.0.1 on port 9697
    -A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT

The 2nd rule is invalid as REDIRECT replaces the destination ip with:
 * the router ip (the one on the input interface)
 * 127.0.0.1 if the packet is a LOCAL packet (not the metadata proxy case).

So the ACCEPT rule filter is not matched ... the metadata proxy is only reachable because the INPUT policy is ACCEPT.

Changed in neutron:
assignee: nobody → Cedric Brandily (cbrandily)
tags: added: sg-fw
Changed in neutron:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/141045

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/141045
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2d9d77747d2a16a1bf944e15bf5a7b6fc5e3fe08
Submitter: Jenkins
Branch: master

commit 2d9d77747d2a16a1bf944e15bf5a7b6fc5e3fe08
Author: Cedric Brandily <email address hidden>
Date: Thu Dec 11 13:10:30 2014 +0000

    Correct l3-agent iptables rule for metadata proxy

    2 iptables rules are defined to ensure the metadata proxy is reachable
    from vms on 169.254.169.254:80:
    * REDIRECT 169.254.169.254:80 packets to the router on port 9697
    * ACCEPT traffic to 127.0.0.1 on port 9697

    The REDIRECT rule replaces the destination ip with:
     * 127.0.0.1 if the packet is local,
     * the router ip (the one on the input interface, metadata proxy case).

    So the ACCEPT rule filter is not matched ... the metadata proxy is only
    reachable because the INPUT policy is ACCEPT.

    This change removes the destination constraint in the ACCEPT rule.

    Change-Id: Iea700bdd121bbc56a3489a63e2a5391867fad0d6
    Closes-Bug: #1399462
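
The REDIRECT-then-INPUT interaction described in the bug description and in the commit message, as an added Python model that is not part of neutron or of this report: it rewrites a VM's metadata request the way the nat REDIRECT target does and then evaluates the filter INPUT chain, showing that the original `-d 127.0.0.1/32` ACCEPT rule only passes the request because the chain policy is ACCEPT, while the fixed rule (no `-d` constraint) matches on its own. The subnet, router address and packet are constructed values.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

METADATA_VIP = ipaddress.ip_address("169.254.169.254")
PROXY_PORT = 9697  # metadata proxy port from the bug report


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    local: bool = False  # True for packets generated on the router itself


def nat_redirect(pkt: Packet, in_iface_ip: str) -> Packet:
    """Model the neutron-l3-agent-PREROUTING REDIRECT rule.

    REDIRECT rewrites the destination to the primary address of the
    incoming interface, or to 127.0.0.1 for locally generated packets.
    """
    if pkt.proto == "tcp" and ipaddress.ip_address(pkt.dst) == METADATA_VIP and pkt.dport == 80:
        new_dst = "127.0.0.1" if pkt.local else in_iface_ip
        return replace(pkt, dst=new_dst, dport=PROXY_PORT)
    return pkt


def input_verdict(pkt: Packet, dst_filter: Optional[str], policy: str = "ACCEPT") -> Tuple[str, str]:
    """Evaluate the neutron-l3-agent-INPUT chain against its single ACCEPT rule.

    dst_filter="127.0.0.1/32" is the original (buggy) rule; None is the fixed
    rule with the -d constraint removed. Returns (verdict, what decided it).
    """
    matches = pkt.proto == "tcp" and pkt.dport == PROXY_PORT and (
        dst_filter is None or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_filter))
    return ("ACCEPT", "rule") if matches else (policy, "policy")


def vm_metadata_request(dst_filter: Optional[str], policy: str = "ACCEPT") -> Tuple[str, str]:
    """A VM on a constructed 10.0.0.0/24 subnet (router at 10.0.0.1) asking for metadata."""
    pkt = Packet(src="10.0.0.5", dst="169.254.169.254", dport=80)
    return input_verdict(nat_redirect(pkt, in_iface_ip="10.0.0.1"), dst_filter, policy)


if __name__ == "__main__":
    for name, flt in (("original -d 127.0.0.1/32", "127.0.0.1/32"), ("fixed (no -d)", None)):
        for policy in ("ACCEPT", "DROP"):
            print(f"{name:24} INPUT policy {policy:6} -> {vm_metadata_request(flt, policy)}")
```

With a DROP policy the original rule would have silently cut VMs off from the metadata service, which is why the ACCEPT policy masked the bug.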

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → kilo-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: kilo-2 → 2015.1.0