neutron

Incorrect iptables INPUT rules on l3-agent for metadata proxy

Bug #1399462 reported by Cedric Brandily on 2014-12-04

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Medium	Cedric Brandily	neutron 2015.1.0 "kilo"

Bug Description

On the l3-agent, 2 iptables rules are defined to ensure the metadata proxy is reachable from vms on 169.254.169.254:80:
* REDIRECT 169.254.169.254:80 packets to the router on port 9697(metadata proxy port)
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
* ACCEPT traffic to 127.0.0.1 on port 9697
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT

The 2nd rule is invalid as REDIRECT replaces destination ip by:
* router ip (the one on the input interface)
* 127.0.0.1 if the packet is a LOCAL packet (not metadata proxy case).

So ACCEPT rule filter is not matched ... the metadata proxy is only reachable because INPUT policy is ACCEPT.

Tags:

Cedric Brandily (cbrandily) on 2014-12-04

Changed in neutron:
assignee:	nobody → Cedric Brandily (cbrandily)

Eugene Nikanorov (enikanorov) on 2014-12-09

tags:	added: sg-fw
Changed in neutron:
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-12-11: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/141045

Changed in neutron:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-01-08: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/141045
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2d9d77747d2a16a1bf944e15bf5a7b6fc5e3fe08
Submitter: Jenkins
Branch: master

commit 2d9d77747d2a16a1bf944e15bf5a7b6fc5e3fe08
Author: Cedric Brandily <email address hidden>
Date: Thu Dec 11 13:10:30 2014 +0000

Correct l3-agent iptables rule for metadata proxy

    2 iptables rules are defined to ensure the metadata proxy is reachable
    from vms on 169.254.169.254:80:
    * REDIRECT 169.254.169.254:80 packets to the router on port 9697
    * ACCEPT traffic to 127.0.0.1 on port 9697

    The REDIRECT rule replaces destination ip by:
     * 127.0.0.1 if the packet is local,
     * router ip (the one on the input interface, metadata proxy case).

So ACCEPT rule filter is not matched ... the metadata proxy is only
reachable because INPUT policy is ACCEPT.

This change removes the destination constraint in the ACCEPT rule.

Change-Id: Iea700bdd121bbc56a3489a63e2a5391867fad0d6
Closes-Bug: #1399462

Changed in neutron:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2015-02-05

Changed in neutron:
milestone:	none → kilo-2
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-04-30

Changed in neutron:
milestone:	kilo-2 → 2015.1.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.