Setting metadata_host to 127.0.0.1 results in incorrect iptables filter rules

Bug #1202356 reported by Chet Burgess on 2013-07-17
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Chet Burgess
Milestone: 2013.2

Bug Description

The metadata_host option is used by nova-network to set up the iptables rules that handle requests from VMs to the metadata service hosted by nova-api.

In normal operation metadata_host defaults to the local IP of the node running nova-network. In this case (or any case where the IP is not 127.0.0.1) nova-network creates an iptables entry in the NAT table to DNAT requests for the metadata server (169.254.169.254) to the IP specified in metadata_host. Additionally, when nova-api starts up it creates an iptables entry in the filter table to allow requests from VMs to the metadata server.

nova-network nat entry:
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.1:8775

nova-api filter entry:
-A nova-api-INPUT -d 10.1.1.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT

The problem is that if metadata_host is set to 127.0.0.1, nova-network uses the REDIRECT target instead of the DNAT target in its iptables rule. The resulting rule looks like the following.

-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775

The issue is that REDIRECT results in an implicit DNAT to the primary address of the incoming interface. As a result, requests coming in from VMs will have a destination address of the gateway brought up by nova-network. The nova-api rules are not modified in this case and only allow requests destined to 127.0.0.1, not the gateway IP addresses managed by nova-network.

We need to update the logic used to generate the rules for nova-api to account for the REDIRECT use case.
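The following is an added illustration written for this page, not nova's own linux_net.py: it models the two rules above as strings, applies the NAT step the way PREROUTING would (DNAT to a fixed address, or REDIRECT to the incoming interface's primary address), and then checks whether nova-api's INPUT rule accepts the result. The function names, the sample node IP 10.1.1.1 and gateway IP 10.0.0.1 are assumptions. The post-fix accept rule is written with "-m addrtype --dst-type LOCAL" to express "any local address on the metadata port"; that wording is this example's choice, not necessarily the exact rule text of the committed fix.

```python
"""Model of the metadata NAT and filter rules from the bug report.

Added example for this page; not nova's code.  metadata_forward_rule,
metadata_accept_rule, metadata_reachable and the sample addresses
10.1.1.1 / 10.0.0.1 are assumptions made for illustration.
"""

METADATA_IP = "169.254.169.254"


def metadata_forward_rule(metadata_host, metadata_port=8775):
    """nat-table rule nova-network installs in nova-network-PREROUTING."""
    if metadata_host == "127.0.0.1":
        # Loopback cannot be the DNAT target for packets arriving from a
        # VM, so REDIRECT is used instead.
        return ("-A nova-network-PREROUTING -d %s/32 -p tcp -m tcp --dport 80 "
                "-j REDIRECT --to-ports %d" % (METADATA_IP, metadata_port))
    return ("-A nova-network-PREROUTING -d %s/32 -p tcp -m tcp --dport 80 "
            "-j DNAT --to-destination %s:%d"
            % (METADATA_IP, metadata_host, metadata_port))


def metadata_accept_rule(metadata_host, metadata_port=8775, fixed=True):
    """filter-table rule nova-api installs in nova-api-INPUT.

    fixed=False reproduces the pre-fix rule, which always matches on
    -d metadata_host.  fixed=True drops that match when metadata_host is
    127.0.0.1 and accepts the port on any address local to the host
    (addrtype LOCAL is this example's way of expressing that).
    """
    if fixed and metadata_host == "127.0.0.1":
        return ("-A nova-api-INPUT -p tcp -m tcp --dport %d "
                "-m addrtype --dst-type LOCAL -j ACCEPT" % metadata_port)
    return ("-A nova-api-INPUT -d %s/32 -p tcp -m tcp --dport %d -j ACCEPT"
            % (metadata_host, metadata_port))


def _opts(rule):
    """Minimal iptables option parser: {'-d': '10.1.1.1/32', ...}.

    Only handles the flat "-opt value" layout of the rules above; a
    repeated option (the second -m) simply overwrites the first.
    """
    toks = rule.split()
    opts = {}
    i = 0
    while i < len(toks):
        if (toks[i].startswith("-") and i + 1 < len(toks)
                and not toks[i + 1].startswith("-")):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = True
            i += 1
    return opts


def nat_packet(nat_rule, dst_ip, dst_port, in_iface_ip):
    """Apply the PREROUTING rule to a packet arriving from a VM on an
    interface whose primary address is in_iface_ip.
    Returns the destination (ip, port) after NAT."""
    o = _opts(nat_rule)
    if o["-d"] != dst_ip + "/32" or int(o["--dport"]) != dst_port:
        return dst_ip, dst_port  # rule does not match, packet unchanged
    if o["-j"] == "DNAT":
        ip, port = o["--to-destination"].rsplit(":", 1)
        return ip, int(port)
    if o["-j"] == "REDIRECT":
        # REDIRECT is an implicit DNAT to the incoming interface's address
        return in_iface_ip, int(o["--to-ports"])
    raise ValueError("unsupported target %r" % o["-j"])


def filter_accepts(filter_rule, dst_ip, dst_port, local_ips):
    """Does the INPUT rule accept a packet with this post-NAT destination?"""
    o = _opts(filter_rule)
    if "-d" in o and o["-d"] != dst_ip + "/32":
        return False
    if o.get("--dst-type") == "LOCAL" and dst_ip not in local_ips:
        return False
    return int(o["--dport"]) == dst_port


def metadata_reachable(metadata_host, gateway_ip, fixed=True,
                       metadata_port=8775):
    """End to end: a VM sends to 169.254.169.254:80 via the nova-network
    gateway interface; is the result accepted by nova-api's INPUT rule?"""
    local_ips = {"127.0.0.1", gateway_ip, metadata_host}
    ip, port = nat_packet(metadata_forward_rule(metadata_host, metadata_port),
                          METADATA_IP, 80, gateway_ip)
    return filter_accepts(metadata_accept_rule(metadata_host, metadata_port,
                                               fixed), ip, port, local_ips)


if __name__ == "__main__":
    for host, fixed in (("10.1.1.1", False), ("127.0.0.1", False),
                        ("127.0.0.1", True)):
        print("metadata_host=%-9s fixed=%-5s reachable=%s"
              % (host, fixed, metadata_reachable(host, "10.0.0.1", fixed)))
```

Run as a script it shows the three cases from the report: the DNAT configuration passes, the REDIRECT configuration is dropped by the pre-fix INPUT rule because the packet now carries the gateway address rather than 127.0.0.1, and the post-fix rule accepts it. The addrtype match keeps the widened rule from accepting the metadata port on addresses that are not local to the host, which is the check worth keeping when the -d restriction is removed.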

Chet Burgess (cfb-n) on 2013-07-17
Changed in nova:
status: New → In Progress
Sean Dague (sdague) on 2013-07-19
Changed in nova:
importance: Undecided → Medium

Reviewed: https://review.openstack.org/37554
Committed: http://github.com/openstack/nova/commit/15543f7e18287748d9388269af532e2c92732d22
Submitter: Jenkins
Branch: master

commit 15543f7e18287748d9388269af532e2c92732d22
Author: Chet Burgess <email address hidden>
Date: Wed Jul 10 15:37:59 2013 +0000

    Fix iptables rules when metadata_host=127.0.0.1

    When metadata_host is set to 127.0.0.1, metadata_forward will use the
    REDIRECT target instead of the DNAT target in iptables rules. The
    REDIRECT target results in an implicit DNAT to the primary address
    of the incoming interface. As a result requests coming in from VMs
    will have a destination address of the gateway brought up by
    nova-network.

    metadata_accept will now allow traffic destined for any local
    address on the metadata_port when metadata_host is set to
    127.0.0.1.

    Change-Id: I877befe6f7c1020d2160194b6f6cab8297cb086c
    Fixes: bug #1202356

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-09-05
Changed in nova:
milestone: none → havana-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in nova:
milestone: havana-3 → 2013.2