Setting metadata_host to 127.0.0.1 results in incorrect iptables filter rules
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Medium | Chet Burgess |
Bug Description
The metadata_host option is used by nova-network to set up the iptables rules that handle requests from VMs to the metadata service hosted by nova-api.
In normal operation metadata_host defaults to the local IP of the node running nova-network. In this case (or any case where the IP is not 127.0.0.1) nova-network creates an entry in the iptables NAT table that DNATs requests for the metadata server (169.254.169.254) to the IP specified in metadata_host. Additionally, when nova-api starts up it creates an entry in the filter table that allows requests from VMs to the metadata server.
nova-network NAT entry:

```
-A nova-network-
```

nova-api filter entry:

```
-A nova-api-INPUT -d 10.1.1.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT
```
The problem is that if metadata_host is set to 127.0.0.1, nova-network uses the REDIRECT target instead of the DNAT target in its iptables rule. The resulting iptables rule looks like the following:

```
-A nova-network-
```
The issue is that REDIRECT results in an implicit DNAT to the primary address of the incoming interface. As a result, requests coming in from VMs have a destination address of the gateway brought up by nova-network. The nova-api rules are not modified in this case and only allow requests destined to 127.0.0.1, not the gateway IP addresses managed by nova-network.
We need to update the logic used to generate the rules for nova-api to account for the REDIRECT use case.
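The mismatch described above, as an added example that is not nova's own code: a small generator for the nova-network NAT rule and the nova-api filter rule, where the "fixed" filter rule matches any address owned by the host (`-m addrtype --dst-type LOCAL`) instead of pinning 127.0.0.1 when REDIRECT is in use. The gateway address 10.0.0.1, the port 8775 and the `--dst-type LOCAL` approach are assumptions of the example, not taken from the bug.

```python
# Added example (not nova's code): why the nova-api ACCEPT rule must agree
# with the nova-network NAT rule in the REDIRECT (metadata_host=127.0.0.1) case.
METADATA_ADDR = "169.254.169.254"  # link-local address VMs query for metadata


def metadata_forward_rule(metadata_host, metadata_port=8775):
    """nova-network style PREROUTING rule for the metadata address.

    A real IP is DNATed; 127.0.0.1 is handled with REDIRECT, which implicitly
    rewrites the destination to the primary address of the incoming interface.
    """
    base = "-s 0.0.0.0/0 -d %s/32 -p tcp -m tcp --dport 80" % METADATA_ADDR
    if metadata_host == "127.0.0.1":
        return "%s -j REDIRECT --to-ports %d" % (base, metadata_port)
    return "%s -j DNAT --to-destination %s:%d" % (base, metadata_host, metadata_port)


def metadata_accept_rule(metadata_host, metadata_port=8775, buggy=False):
    """nova-api INPUT rule; buggy=True reproduces the behaviour in the bug."""
    rule = "-p tcp -m tcp --dport %d -j ACCEPT" % metadata_port
    if buggy or metadata_host != "127.0.0.1":
        return "-d %s/32 %s" % (metadata_host, rule)
    # REDIRECT case: the destination becomes whichever gateway address the VM's
    # bridge carries, so match "any address owned by this host" (assumed fix).
    return "-m addrtype --dst-type LOCAL %s" % rule


def rule_accepts(rule, dst_ip, local_ips):
    """Tiny matcher for the two rule shapes above (constructed for this example)."""
    if "--dst-type LOCAL" in rule:
        return dst_ip in local_ips
    pinned = rule.split("-d ")[1].split("/")[0]
    return dst_ip == pinned


def vm_metadata_request_allowed(metadata_host, gateway_ip, buggy=False):
    """Destination a VM request has after NAT, checked against the filter rule."""
    local_ips = {"127.0.0.1", gateway_ip}
    # REDIRECT lands on the gateway (primary address of the bridge); DNAT on
    # metadata_host itself.
    dst_after_nat = gateway_ip if metadata_host == "127.0.0.1" else metadata_host
    return rule_accepts(metadata_accept_rule(metadata_host, buggy=buggy),
                        dst_after_nat, local_ips)


if __name__ == "__main__":
    print("buggy, 127.0.0.1:", vm_metadata_request_allowed("127.0.0.1", "10.0.0.1", buggy=True))
    print("fixed, 127.0.0.1:", vm_metadata_request_allowed("127.0.0.1", "10.0.0.1"))
    print("DNAT, 10.1.1.1:", vm_metadata_request_allowed("10.1.1.1", "10.0.0.1"))
```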
Changed in nova:
- status: New → In Progress
- importance: Undecided → Medium
- milestone: none → havana-3
- status: Fix Committed → Fix Released
- milestone: havana-3 → 2013.2
Fix proposed to branch: master
Review: https://review.openstack.org/37554