Find many duplicate rules in memory by using iptables_manager

Bug #1447651 reported by changzhi
This bug affects 3 people
Affects  Status   Importance  Assigned to  Milestone
neutron  Invalid  Undecided   Unassigned

Bug Description

I installed VPNaaS in my devstack. I found many duplicate iptables rules in memory. The rule is ' 2015-04-23 10:55:15.380 ERROR neutron.agent.linux.iptables_manager [-] ###### rule is -A neutron-vpn-agen-POSTROUTING -s 192.168.10.0/24 -d 192.168.20.1/24 -m policy --dir out --pol ipsec -j ACCEPT ', and I added this log in 'agent/linux/iptables_manager.py' after '_modify_rules'. Why are there duplicate iptables rules? Does iptables_manager weed out duplicate rules?

Revision history for this message
changzhi (changzhi) wrote :

An IptablesRule instance is appended to "self.rules" when I add an iptables rule into memory in iptables_manager.py. What if this rule already exists in memory? Does iptables_manager weed it out? The code writes "for rule in rules" in the _modify_rules function. Why doesn't it check whether the rules exist in memory first?

summary: - Find many duplicate rules in iptables_manager
+ Find many duplicate rules in memory by using iptables_manager
Revision history for this message
Jeremy Stanley (fungi) wrote :

You've reported this as a private security vulnerability, which implies that you believe it represents an exploitable condition in the software. Please clarify the way in which you would expect a malicious party to take advantage of this bug.

changzhi (changzhi)
information type: Private Security → Public
tags: added: vpnaas
Revision history for this message
Eugene Nikanorov (enikanorov) wrote :

Please provide a part of iptables output showing duplicate rules

Changed in neutron:
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired
hujin (hujin)
Changed in neutron:
assignee: nobody → hujin (hujin)
Revision history for this message
hujin (hujin) wrote :

2018-08-27 10:07:32.989 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :neutron-vpn-agen-FORWARD
2018-08-27 10:07:32.990 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :POSTROUTING ACCEPT [11:1184]
2018-08-27 10:07:32.990 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :OUTPUT ACCEPT [11:1184]
2018-08-27 10:07:32.990 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :FORWARD ACCEPT [0:0]
2018-08-27 10:07:32.990 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :INPUT ACCEPT [1675:120600]
2018-08-27 10:07:32.991 3258 INFO neutron.agent.linux.iptables_manager [-] --------------------_weed_out_removes rule: :PREROUTING ACCEPT [1676:120664]

def _weed_out_removes(line):
    # remove any rules or chains from the filter that were slated
    # for removal
    # (nested helper: 'table' comes from the enclosing _modify_rules scope)
    if line.startswith(':'):
        # chain definition line: everything after ':' is compared as the chain name
        chain = line[1:]
        if chain in table.remove_chains:
            table.remove_chains.remove(chain)
            return False
    else:
        # rule line: compared verbatim against the rules slated for removal
        if line in table.remove_rules:
            table.remove_rules.remove(line)
            return False
    # Leave it alone
    return True

You can see that when you get the iptables rule name in the code "line[1:]", there is a count after the chain name, and the count value changes, which invalidates the judgment.
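
An added illustration of the comparison problem described above (example code written here, not neutron's own code and not the content of the proposed review): it parses the chain name out of an iptables-save ':' line instead of comparing the whole remainder, reproduces the quoted line[1:] comparison for contrast, and shows a first-occurrence filter for repeated rule lines. The sample lines are constructed from the log format above, and weed_out_removes/weed_out_duplicates are hypothetical names, not neutron API.

```python
import re

# iptables-save writes a chain definition as ":<name> <policy> [<pkts>:<bytes>]";
# the log above also shows bare ":<name>" lines, so policy and counters are optional.
CHAIN_LINE = re.compile(
    r'^:(?P<chain>\S+)(?:\s+(?P<policy>\S+)\s+\[(?P<pkts>\d+):(?P<bytes>\d+)\])?$')

def chain_name(line):
    """Return only the chain name from a ':' line, dropping policy and counters."""
    m = CHAIN_LINE.match(line)
    if not m:
        raise ValueError('not an iptables-save chain line: %r' % line)
    return m.group('chain')

def weed_out_removes(lines, remove_chains, remove_rules, parse_chain=True):
    """Drop chains/rules slated for removal, consuming each target once.
    parse_chain=False reproduces the quoted comparison (chain = line[1:]), which
    can never match once a policy and counters follow the chain name."""
    remove_chains = set(remove_chains)  # work on copies; callers' sets stay intact
    remove_rules = set(remove_rules)
    kept = []
    for line in lines:
        if line.startswith(':'):
            chain = chain_name(line) if parse_chain else line[1:]
            if chain in remove_chains:
                remove_chains.remove(chain)
                continue
        elif line in remove_rules:
            remove_rules.remove(line)
            continue
        kept.append(line)
    return kept

def weed_out_duplicates(lines):
    """Keep the first copy of each line, so a rule re-added on every sync cannot pile up."""
    seen, kept = set(), []
    for line in lines:
        if line not in seen:
            seen.add(line)
            kept.append(line)
    return kept

# Constructed sample in the format of the log above, not captured from a real host.
VPN_RULE = ('-A neutron-vpn-agen-POSTROUTING -s 192.168.10.0/24 -d 192.168.20.1/24 '
            '-m policy --dir out --pol ipsec -j ACCEPT')
SAMPLE = [':POSTROUTING ACCEPT [11:1184]', ':neutron-vpn-agen-FORWARD - [0:0]',
          VPN_RULE, VPN_RULE]
```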

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/596634

Changed in neutron:
status: Expired → In Progress
Revision history for this message
Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: hujin (hujin) → nobody
status: In Progress → New
tags: added: timeout-abandon
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.openstack.org/596634
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
Mohammed Naser (mnaser) wrote :

This is no longer relevant and I do not see these warnings, closing because of age.

Changed in neutron:
status: New → Invalid