Container Undercloud - masquerading firewall rules are incorrect

Bug #1797455 reported by Harald Jensås
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Harald Jensås

Bug Description

Two issues:

a) The puppet-tripleo masquerading manifest[1] passes a list of IPNetworks (destinations) to the destination property of the firewall return rules. The result of passing the list is that only the rule for the first address is created.

Actual result:
--------------
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 172.20.0.0/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED

Expected result:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 172.20.0.0/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.0/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.0/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED

b) The FORWARD table's destination rules suffer a similar issue, where we pass a list of IPNetworks to the destination rules.

Actual result:
--------------
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.20.0.0/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.128/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.64/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED

Expected result:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.20.0.0/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.128/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.64/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.64/26 state NEW,RELATED,ESTABLISHED

[1] https://github.com/openstack/puppet-tripleo/blob/master/manifests/masquerade_networks.pp

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/609858

Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
Harald Jensås (harald-jensas) wrote :

With patches https://review.openstack.org/609858 and https://review.openstack.org/609845 the result is:

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 172.20.0.0/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.0/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.0/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
MASQUERADE all -- 172.20.0.0/26 anywhere state NEW,RELATED,ESTABLISHED
MASQUERADE all -- 172.20.0.128/26 anywhere state NEW,RELATED,ESTABLISHED
MASQUERADE all -- 172.20.0.64/26 anywhere state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.20.0.0/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.128/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.64/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.64/26 state NEW,RELATED,ESTABLISHED

Changed in tripleo:
milestone: stein-1 → stein-2
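As an added check, not code from puppet-tripleo or from the reporter, the Python script below parses `iptables -L`-style chain listings and reports which of the expected rules are absent. The sample listings are constructed from the outputs quoted in the bug description and in the comment above; the list of masqueraded networks (`MASQ_NETWORKS`) and the non-verbose listing format are assumptions. It generalises the two points of the report: the POSTROUTING RETURN rules must cover every source/destination pair of the masqueraded networks, and the FORWARD chain needs an ACCEPT for each network as both source and destination. It also checks the ordering the fixed listing shows, RETURN rules before the MASQUERADE rules, since the first matching rule wins and a RETURN placed after the MASQUERADE would never take effect.

```python
import re
from itertools import product

# Constructed samples, copied from the chain listings quoted in this bug report.
BROKEN_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 172.20.0.0/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
"""

BROKEN_FORWARD = """\
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.20.0.0/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.128/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- 172.20.0.64/26 anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
"""

FIXED_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 172.20.0.0/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.0/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.0/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.128/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.128/26 state NEW,RELATED,ESTABLISHED
RETURN all -- 172.20.0.64/26 172.20.0.64/26 state NEW,RELATED,ESTABLISHED
MASQUERADE all -- 172.20.0.0/26 anywhere state NEW,RELATED,ESTABLISHED
MASQUERADE all -- 172.20.0.128/26 anywhere state NEW,RELATED,ESTABLISHED
MASQUERADE all -- 172.20.0.64/26 anywhere state NEW,RELATED,ESTABLISHED
"""

# Assumed: the networks the undercloud masquerades (the /26s seen in the report).
MASQ_NETWORKS = ["172.20.0.0/26", "172.20.0.64/26", "172.20.0.128/26"]

# One rule line of non-verbose `iptables -L` output: target, prot, opt,
# source, destination; whatever follows is match-extension text we ignore.
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_chain(listing):
    """Return (target, source, destination) for each rule, in chain order."""
    rules = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith(("Chain ", "target ")):
            continue
        match = RULE_RE.match(line)
        if match:
            target, _prot, _opt, src, dst = match.groups()
            rules.append((target, src, dst))
    return rules


def expected_return_rules(networks):
    """Every source/destination pair of masqueraded networks needs a RETURN,
    otherwise traffic between two undercloud networks gets masqueraded too."""
    return {("RETURN", s, d) for s, d in product(networks, repeat=2)}


def expected_forward_rules(networks):
    """FORWARD needs an ACCEPT for each network as source and as destination."""
    return ({("ACCEPT", n, "anywhere") for n in networks}
            | {("ACCEPT", "anywhere", n) for n in networks})


def missing_rules(listing, expected):
    """Expected rules absent from the listing, sorted for stable reporting."""
    return sorted(expected - set(parse_chain(listing)))


def return_rules_precede_masquerade(listing):
    """The first matching rule wins, so every RETURN must come before the first
    MASQUERADE; a chain with no MASQUERADE at all fails the check as well."""
    targets = [target for target, _, _ in parse_chain(listing)]
    if "MASQUERADE" not in targets:
        return False
    first_masq = targets.index("MASQUERADE")
    return all(i < first_masq for i, t in enumerate(targets) if t == "RETURN")


if __name__ == "__main__":
    checks = [
        ("POSTROUTING (broken)", BROKEN_POSTROUTING, expected_return_rules(MASQ_NETWORKS)),
        ("FORWARD (broken)", BROKEN_FORWARD, expected_forward_rules(MASQ_NETWORKS)),
        ("POSTROUTING (fixed)", FIXED_POSTROUTING, expected_return_rules(MASQ_NETWORKS)),
    ]
    for name, listing, expected in checks:
        gaps = missing_rules(listing, expected)
        print(f"{name}: {len(gaps)} missing rule(s)")
        for target, src, dst in gaps:
            print(f"  {target} {src} -> {dst}")
    print("RETURN before MASQUERADE:", return_rules_precede_masquerade(FIXED_POSTROUTING))
```

On a live undercloud the listings would come from `iptables -t nat -L POSTROUTING` and `iptables -L FORWARD` (without `-v`, which adds packet and byte columns the regex does not expect); the broken POSTROUTING sample reports six missing RETURN rules, the broken FORWARD sample two missing destination ACCEPTs, and the fixed sample none.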
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/609858
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=bebe7b8c5892500db7cd30c2b4d259ae1f83cffc
Submitter: Zuul
Branch: master

commit bebe7b8c5892500db7cd30c2b4d259ae1f83cffc
Author: Harald Jensås <email address hidden>
Date: Thu Oct 11 22:35:44 2018 +0200

    Fix Undercloud masquerading firewall rules

    Iterate over destination for each source to have the
    correct return rules created. (Passing a list as
    destination to tripleo::firewall::rule does not work.)

    Also the "forward destinations" rules should use the
    source addresses in the data for both source and
    destination rules.

    Change-Id: I3d572bf4aab65f5befb596f7c90c94fc0abe7afa
    Closes-Bug: #1797455

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/615131

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/rocky)

Reviewed: https://review.openstack.org/615131
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=2a3225afbf3da219fc4697e69bfb40530a52c252
Submitter: Zuul
Branch: stable/rocky

commit 2a3225afbf3da219fc4697e69bfb40530a52c252
Author: Harald Jensås <email address hidden>
Date: Thu Oct 11 22:35:44 2018 +0200

    Fix Undercloud masquerading firewall rules

    Iterate over destination for each source to have the
    correct return rules created. (Passing a list as
    destination to tripleo::firewall::rule does not work.)

    Also the "forward destinations" rules should use the
    source addresses in the data for both source and
    destination rules.

    Change-Id: I3d572bf4aab65f5befb596f7c90c94fc0abe7afa
    Closes-Bug: #1797455
    (cherry picked from commit bebe7b8c5892500db7cd30c2b4d259ae1f83cffc)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 10.2.0

This issue was fixed in the openstack/puppet-tripleo 10.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 9.4.0

This issue was fixed in the openstack/puppet-tripleo 9.4.0 release.
