Incorrect iptables INPUT rules on l3-agent for metadata proxy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Medium | Cedric Brandily | 2015.1.0
Bug Description
On the l3-agent, 2 iptables rules are defined to ensure the metadata proxy is reachable from VMs on 169.254.169.254:80:
* REDIRECT 169.254.169.254:80 packets to the router on port 9697 (the metadata proxy port)
-A neutron-
* ACCEPT traffic to 127.0.0.1 on port 9697
-A neutron-
The 2nd rule is invalid, as REDIRECT replaces the destination IP with:
* the router IP (the one on the input interface)
* 127.0.0.1 if the packet is a LOCAL packet (not the metadata proxy case).
So the ACCEPT filter rule is not matched ... the metadata proxy is only reachable because the INPUT policy is ACCEPT.
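Added example (not part of the bug report and not neutron's code): a small Python model of the REDIRECT rewrite described above, walked through with a constructed VM packet, so that the mismatch becomes visible the moment the INPUT policy is DROP rather than ACCEPT. The chain names (neutron-l3-agent-PREROUTING / neutron-l3-agent-INPUT), the router interface qr-0 with address 10.0.0.1, the VM address 10.0.0.5, and the corrected rule that matches on the input interface (-i qr-+) instead of 127.0.0.1 are all assumptions for illustration, not the merged fix.

```python
"""Model of the netfilter REDIRECT target as applied to the l3-agent
metadata rules (added example; chain names, addresses and the corrected
rule are assumptions, not neutron's code)."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional

METADATA_IP = "169.254.169.254"
METADATA_PORT = 80
PROXY_PORT = 9697


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: Optional[str]  # None = locally generated (OUTPUT path, not PREROUTING)


def nat_rule(proxy_port: int = PROXY_PORT) -> str:
    """The REDIRECT rule in the shape the bug report describes (chain name assumed)."""
    return ("-A neutron-l3-agent-PREROUTING -d %s/32 -p tcp -m tcp --dport %d "
            "-j REDIRECT --to-ports %d" % (METADATA_IP, METADATA_PORT, proxy_port))


def filter_rule_original(proxy_port: int = PROXY_PORT) -> str:
    """The ACCEPT rule the report calls invalid: it keys on 127.0.0.1."""
    return ("-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp "
            "--dport %d -j ACCEPT" % proxy_port)


def filter_rule_fixed(proxy_port: int = PROXY_PORT) -> str:
    """Assumed correction: key on the router-side input interface instead.
    Illustrative only; not the change that was merged."""
    return ("-A neutron-l3-agent-INPUT -i qr-+ -p tcp -m tcp "
            "--dport %d -j ACCEPT" % proxy_port)


def apply_redirect(pkt: Packet, iface_addrs: Dict[str, str],
                   proxy_port: int = PROXY_PORT) -> Packet:
    """REDIRECT semantics: destination becomes the primary address of the
    input interface, or 127.0.0.1 when the packet was generated locally."""
    if pkt.dst != METADATA_IP or pkt.dport != METADATA_PORT:
        return pkt
    new_dst = "127.0.0.1" if pkt.in_iface is None else iface_addrs[pkt.in_iface]
    return replace(pkt, dst=new_dst, dport=proxy_port)


def matches_original(pkt: Packet, proxy_port: int = PROXY_PORT) -> bool:
    """Match predicate of filter_rule_original (-d 127.0.0.1 --dport 9697)."""
    return pkt.dst == "127.0.0.1" and pkt.dport == proxy_port


def matches_fixed(pkt: Packet, proxy_port: int = PROXY_PORT) -> bool:
    """Match predicate of filter_rule_fixed (-i qr-+ --dport 9697)."""
    return (pkt.in_iface is not None and pkt.in_iface.startswith("qr-")
            and pkt.dport == proxy_port)


def input_verdict(pkt: Packet, rule: Callable[[Packet], bool],
                  policy: str = "ACCEPT") -> str:
    """INPUT chain verdict: the rule's ACCEPT if it matches, else the chain policy."""
    return "ACCEPT" if rule(pkt) else policy


def trace_vm_request(policy: str = "ACCEPT") -> Dict[str, str]:
    """Walk a VM's metadata request through nat PREROUTING, then filter INPUT."""
    iface_addrs = {"qr-0": "10.0.0.1"}  # constructed router interface/address
    pkt = Packet(src="10.0.0.5", dst=METADATA_IP, dport=METADATA_PORT, in_iface="qr-0")
    after_nat = apply_redirect(pkt, iface_addrs)
    return {
        "dst_after_redirect": after_nat.dst,  # router IP, never 127.0.0.1
        "original_rule": input_verdict(after_nat, matches_original, policy),
        "fixed_rule": input_verdict(after_nat, matches_fixed, policy),
    }


if __name__ == "__main__":
    print(nat_rule())
    print(filter_rule_original())
    print(filter_rule_fixed())
    print(trace_vm_request(policy="ACCEPT"))  # both verdicts ACCEPT, by policy only
    print(trace_vm_request(policy="DROP"))    # original rule: DROP; fixed rule: ACCEPT
```

The trace shows the point of the report directly: with the default INPUT policy both rules appear to work, but once the policy is DROP the original rule stops metadata traffic because the post-REDIRECT destination is the router's own interface address, not 127.0.0.1. The 127.0.0.1 case only arises for locally generated packets, which is not how VM metadata requests arrive.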
Changed in neutron:
assignee: nobody → Cedric Brandily (cbrandily)
tags: added: sg-fw

Changed in neutron:
importance: Undecided → Medium

Changed in neutron:
milestone: none → kilo-2
status: Fix Committed → Fix Released

Changed in neutron:
milestone: kilo-2 → 2015.1.0
Fix proposed to branch: master
Review: https://review.openstack.org/141045