Container Undercloud - masquerading firewall rules are incorrect

Bug #1797455 reported by Harald Jensås on 2018-10-11
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
High
Harald Jensås

Bug Description

Two issues:

a) The puppet-triple masquerading manifest[1] pass a list of IPNetworks (destinations) to the destination property of firewall return rules. The result of passing the list is that only the rule for the first address is created.

Actual result:
--------------
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 172.20.0.0/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED

Expected result:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 172.20.0.0/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.0/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.0/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED

b) The FORWARD table's destination rules suffer a similar issue, where we pass a list of IPNetworks to the destination rules.

Actual result:
--------------

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.20.0.0/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.128/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.64/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.20.0.0/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.128/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.64/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.64/26 state NEW,RELATED,ESTABLISHED

[1] https://github.com/openstack/puppet-tripleo/blob/master/manifests/masquerade_networks.pp

Fix proposed to branch: master
Review: https://review.openstack.org/609858

Changed in tripleo:
status: Triaged → In Progress
Harald Jensås (harald-jensas) wrote :

With patches:
 https://review.openstack.org/609858 and https://review.openstack.org/609845 the result is:

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 172.20.0.0/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.0/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.0/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
MASQUERADE all -- 172.20.0.0/26 anywhere state NEW,RELATED,ESTABLISHED
MASQUERADE all -- 172.20.0.128/26 anywhere state NEW,RELATED,ESTABLISHED
MASQUERADE all -- 172.20.0.64/26 anywhere state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.20.0.0/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.128/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.64/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.64/26 state NEW,RELATED,ESTABLISHED

Changed in tripleo:
milestone: stein-1 → stein-2

Reviewed: https://review.openstack.org/609858
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=bebe7b8c5892500db7cd30c2b4d259ae1f83cffc
Submitter: Zuul
Branch: master

commit bebe7b8c5892500db7cd30c2b4d259ae1f83cffc
Author: Harald Jensås <email address hidden>
Date: Thu Oct 11 22:35:44 2018 +0200

    Fix Undercloud masquerading firewall rules

    Iterate over destination for each source to have the
    correct return rules created. (Passing a list as
    destination to tripleo::firewall::rule does not work.)

    Also the "forward destinations" rules should use the
    source addresses in the data for both source and
    destination rules.

    Change-Id: I3d572bf4aab65f5befb596f7c90c94fc0abe7afa
    Closes-Bug: #1797455

Changed in tripleo:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/615131
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=2a3225afbf3da219fc4697e69bfb40530a52c252
Submitter: Zuul
Branch: stable/rocky

commit 2a3225afbf3da219fc4697e69bfb40530a52c252
Author: Harald Jensås <email address hidden>
Date: Thu Oct 11 22:35:44 2018 +0200

    Fix Undercloud masquerading firewall rules

    Iterate over destination for each source to have the
    correct return rules created. (Passing a list as
    destination to tripleo::firewall::rule does not work.)

    Also the "forward destinations" rules should use the
    source addresses in the data for both source and
    destination rules.

    Change-Id: I3d572bf4aab65f5befb596f7c90c94fc0abe7afa
    Closes-Bug: #1797455
    (cherry picked from commit bebe7b8c5892500db7cd30c2b4d259ae1f83cffc)

tags: added: in-stable-rocky

This issue was fixed in the openstack/puppet-tripleo 10.2.0 release.

This issue was fixed in the openstack/puppet-tripleo 9.4.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers