Find many duplicate rules in memory by using iptables_manager

Bug #1447651 reported by changzhi on 2015-04-23
This bug affects 2 people

Affects: neutron
Importance: Undecided
Assigned to: hujin

Bug Description

I installed VPNaaS in my devstack. I find many duplicate iptables rules in memory. The rule is ' 2015-04-23 10:55:15.380 ERROR neutron.agent.linux.iptables_manager [-] ###### rule is -A neutron-vpn-agen-POSTROUTING -s 192.168.10.0/24 -d 192.168.20.1/24 -m policy --dir out --pol ipsec -j ACCEPT ', and I added this log in 'agent/linux/iptables_manager.py' after '_modify_rules'. Why are there duplicate iptables rules? Does iptables_manager weed out duplicate rules?

changzhi (changzhi) wrote :

An IptablesRule instance is appended to "self.rules" when I add an iptables rule into memory in iptables_manager.py. What if this rule already exists in memory? Does the iptables_manager weed it out? The code writes "for rule in rules" in the _modify_rules function. Why doesn't it check first whether the rule already exists in memory?

summary: - Find many duplicate rules in iptables_manager
+ Find many duplicate rules in memory by using iptables_manager
Jeremy Stanley (fungi) wrote :

You've reported this as a private security vulnerability, which implies that you believe it represents an exploitable condition in the software. Please clarify the way in which you would expect a malicious party to take advantage of this bug.

changzhi (changzhi) on 2015-04-23
information type: Private Security → Public
tags: added: vpnaas
Eugene Nikanorov (enikanorov) wrote :

Please provide a part of iptables output showing duplicate rules

Changed in neutron:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired
hujin (hujin) on 2018-08-27
Changed in neutron:
assignee: nobody → hujin (hujin)
hujin (hujin) wrote :

2018-08-27 10:07:32.989 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :neutron-vpn-agen-FORWARD
2018-08-27 10:07:32.990 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :POSTROUTING ACCEPT [11:1184]
2018-08-27 10:07:32.990 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :OUTPUT ACCEPT [11:1184]
2018-08-27 10:07:32.990 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :FORWARD ACCEPT [0:0]
2018-08-27 10:07:32.990 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :INPUT ACCEPT [1675:120600]
2018-08-27 10:07:32.991 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :PREROUTING ACCEPT [1676:120664]

def _weed_out_removes(line):
    # remove any rules or chains from the filter that were slated
    # for removal
    if line.startswith(':'):
        # chain header line, e.g. ':neutron-vpn-agen-FORWARD - [0:0]';
        # everything after the ':' (policy and counters included) is
        # compared against the bare chain names in remove_chains
        chain = line[1:]
        if chain in table.remove_chains:
            table.remove_chains.remove(chain)
            return False
    else:
        # rule line ('-A ...'): removed only on an exact line match
        if line in table.remove_rules:
            table.remove_rules.remove(line)
            return False
    # Leave it alone
    return True

You can see that when the code takes the iptables chain name with "line[1:]",
there is a count after the chain name, and the count value changes,
which invalidates the comparison.

Fix proposed to branch: master
Review: https://review.openstack.org/596634

Changed in neutron:
status: Expired → In Progress