iptables rules are not host-based when using podman

Bug #1812640 reported by Michele Baldessari
Affects: tripleo
Status: Incomplete
Importance: High
Assigned to: Unassigned

Bug Description

Rules seem to be local to the podman container:
[root@standalone ~]# podman exec -it -u root neutron_l3_agent bash -c 'iptables -nvL'
Chain INPUT (policy ACCEPT 31M packets, 5826M bytes)
 pkts bytes target prot opt in out source destination
  36M 16G neutron-openvswi-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 4243 1315K neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
 4243 1315K neutron-openvswi-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 31M packets, 5777M bytes)
 pkts bytes target prot opt in out source destination
  35M 10G neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
  35M 10G neutron-openvswi-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain neutron-filter-top (2 references)
 pkts bytes target prot opt in out source destination
  35M 10G neutron-openvswi-local all -- * * 0.0.0.0/0 0.0.0.0/0

Chain neutron-openvswi-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
    0 0 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap9e2ddb70-91 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
 4231 1311K neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap9e2ddb70-91 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
    0 0 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tapd658be2d-e7 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
    6 1968 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapd658be2d-e7 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap184cc16f-8a --physdev-is-bridged /* Accept all packets when port is trusted. */
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap184cc16f-8a --physdev-is-bridged /* Accept all packets when port is trusted. */
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap9246c149-7a --physdev-is-bridged /* Accept all packets when port is trusted. */
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap9246c149-7a --physdev-is-bridged /* Accept all packets when port is trusted. */

Chain neutron-openvswi-INPUT (1 references)
 pkts bytes target prot opt in out source destination
    0 0 neutron-openvswi-o9e2ddb70-9 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap9e2ddb70-91 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
    0 0 neutron-openvswi-od658be2d-e all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapd658be2d-e7 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

Chain neutron-openvswi-OUTPUT (1 references)
 pkts bytes target prot opt in out source destination

Chain neutron-openvswi-i9e2ddb70-9 (1 references)
 pkts bytes target prot opt in out source destination
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
    0 0 RETURN udp -- * * 0.0.0.0/0 192.168.200.33 udp spt:67 dpt:68
    0 0 RETURN udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set NIPv4ec69dbdb-2873-4450-a2b9- src
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */

Chain neutron-openvswi-id658be2d-e (1 references)
 pkts bytes target prot opt in out source destination
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
    0 0 RETURN udp -- * * 0.0.0.0/0 192.168.200.28 udp spt:67 dpt:68
    0 0 RETURN udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set NIPv4ec69dbdb-2873-4450-a2b9- src
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */

Chain neutron-openvswi-local (1 references)
 pkts bytes target prot opt in out source destination

Chain neutron-openvswi-o9e2ddb70-9 (2 references)
 pkts bytes target prot opt in out source destination
   25 8200 RETURN udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
 4206 1303K neutron-openvswi-s9e2ddb70-9 all -- * * 0.0.0.0/0 0.0.0.0/0
 3906 1281K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
  300 21760 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */

Chain neutron-openvswi-od658be2d-e (2 references)
 pkts bytes target prot opt in out source destination
    6 1968 RETURN udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0 0 neutron-openvswi-sd658be2d-e all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
    0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */

Chain neutron-openvswi-s9e2ddb70-9 (1 references)
 pkts bytes target prot opt in out source destination
 4206 1303K RETURN all -- * * 192.168.200.33 0.0.0.0/0 MAC FA:16:3E:31:6B:9B /* Allow traffic from defined IP/MAC pairs. */
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-openvswi-sd658be2d-e (1 references)
 pkts bytes target prot opt in out source destination
    0 0 RETURN all -- * * 192.168.200.28 0.0.0.0/0 MAC FA:16:3E:DE:7C:E7 /* Allow traffic from defined IP/MAC pairs. */
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-openvswi-sg-chain (4 references)
 pkts bytes target prot opt in out source destination
    0 0 neutron-openvswi-i9e2ddb70-9 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap9e2ddb70-91 --physdev-is-bridged /* Jump to the VM specific chain. */
 4231 1311K neutron-openvswi-o9e2ddb70-9 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap9e2ddb70-91 --physdev-is-bridged /* Jump to the VM specific chain. */
    0 0 neutron-openvswi-id658be2d-e all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tapd658be2d-e7 --physdev-is-bridged /* Jump to the VM specific chain. */
    6 1968 neutron-openvswi-od658be2d-e all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapd658be2d-e7 --physdev-is-bridged /* Jump to the VM specific chain. */
 4243 1315K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain neutron-openvswi-sg-fallback (4 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* Default drop rule for unmatched traffic. */

We should see the above rules on the host as well, but we do not:
[root@standalone ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  38M 27G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* 000 accept related established rules ipv4 */
    6 504 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 001 accept all icmp ipv4 */
 122K 7292K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW /* 002 accept all to lo interface ipv4 */
    0 0 ACCEPT tcp -- * * 192.168.24.0/24 0.0.0.0/0 multiport dports 22 state NEW /* 003 accept ssh from controlplane ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 873,3306,4444,4567,4568,9200 state NEW /* 104 mysql galera ipv4 */
    0 0 ACCEPT 112 -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 106 neutron_l3 vrrp ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 4369,5672,25672 state NEW /* 109 rabbitmq ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5000,13000,35357 state NEW /* 111 keystone ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 9292,13292 state NEW /* 112 glance_api ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8774,13774 state NEW /* 113 nova_api ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 2022 state NEW /* 113 nova_migration_target ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 9696,13696 state NEW /* 114 neutron api ipv4 */
   39 12792 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 67 state NEW /* 115 neutron dhcp input ipv4 */
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 4789 state NEW /* 118 neutron vxlan networks ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8776,13776 state NEW /* 119 cinder ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 3260 state NEW /* 120 iscsi initiator ipv4 */
    0 0 ACCEPT tcp -- * * 192.168.24.0/24 0.0.0.0/0 multiport dports 11211 state NEW /* 121 memcached 192.168.24.2/24 ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8080,13808 state NEW /* 122 swift proxy ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 873,6000,6001,6002 state NEW /* 123 swift storage ipv4 */
    0 0 ACCEPT udp -- * * 192.168.24.0/24 0.0.0.0/0 multiport dports 161 state NEW /* 124 snmp 192.168.24.2/24 ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 126 horizon ipv4 */
    0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0 /* 136 neutron gre networks ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 6080,13080 state NEW /* 137 nova_vnc_proxy ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8778,13778 state NEW /* 138 nova_placement ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8775,13775 state NEW /* 139 nova_metadata ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8787,13787 state NEW /* 155 docker-registry ipv4 */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 16514,61152:61215,5900:6923 state NEW /* 200 nova_libvirt ipv4 */
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
    5 260 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    9 540 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
    0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 20/min burst 15 /* 998 log all ipv4 */ LOG flags 0 level 4
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 999 drop all ipv4 */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 4243 1315K CNI-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI firewall plugin rules */
 4243 1315K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 37M packets, 13G bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 68 state NEW /* 116 neutron dhcp output ipv4 */

Chain CNI-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
 4243 1315K CNI-ADMIN all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI firewall plugin rules */

Chain CNI-ADMIN (1 references)
 pkts bytes target prot opt in out source destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them

Michele Baldessari (michele) wrote :

The podman containers where this was observed are rhel8/f28-based containers.

Changed in tripleo:
importance: Undecided → High
milestone: none → stein-3
status: New → Triaged
Michele Baldessari (michele) wrote :

This is likely due to a mismatch between iptables inside the container f28 (1.6.x which uses the traditional iptables modules) vs the iptables on the rhel8 host which uses iptables based on the nftables backend.
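
The symptom in the report (chains visible inside the container, absent from the host listing, and the host's `iptables -nvL` ending with the "iptables-legacy tables present" warning) can be checked mechanically from the two listings. The following is an added example, not code from the bug report, from TripleO or from podman; it assumes only the `iptables -nvL` text format shown above and feeds it abbreviated, constructed excerpts of that output as sample input. The function names are the example's own.

```python
"""Diagnose an iptables backend mismatch from two `iptables -nvL` listings.

Added example, not part of the bug report. It parses the verbose listing
format shown in the report, detects the legacy-tables warning that the
nft-backed iptables prints, and reports which chains the container sees
that the host does not.
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
LEGACY_WARNING = "iptables-legacy tables present"

# Abbreviated, constructed excerpt of the container-side listing in the report.
CONTAINER_LISTING = """\
Chain INPUT (policy ACCEPT 31M packets, 5826M bytes)
 pkts bytes target prot opt in out source destination
  36M 16G neutron-openvswi-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 4243 1315K neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
 4243 1315K neutron-openvswi-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0

Chain neutron-openvswi-sg-fallback (4 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* Default drop rule for unmatched traffic. */
"""

# Abbreviated, constructed excerpt of the host-side listing in the report.
HOST_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  38M 27G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* 000 accept related established rules ipv4 */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 4243 1315K CNI-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI firewall plugin rules */
 4243 1315K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain CNI-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
 4243 1315K CNI-ADMIN all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI firewall plugin rules */
# Warning: iptables-legacy tables present, use iptables-legacy to see them
"""


def parse_listing(text):
    """Return {chain_name: [rule, ...]} for an `iptables -nvL` listing.

    Each rule is a dict with pkts, bytes, target, prot and the remaining
    match text; column headers, blank lines and '#' warnings are skipped.
    """
    chains = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = CHAIN_RE.match(stripped)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if stripped.startswith("pkts bytes target") or current is None:
            continue
        fields = stripped.split(None, 4)
        if len(fields) < 4:
            continue
        pkts, nbytes, target, prot = fields[:4]
        chains[current].append({"pkts": pkts, "bytes": nbytes, "target": target,
                                "prot": prot, "match": fields[4] if len(fields) > 4 else ""})
    return chains


def legacy_warning_present(text):
    """True if the nft-backed iptables reported rules living in the legacy backend."""
    return any(LEGACY_WARNING in line for line in text.splitlines())


def chains_missing_on_host(container_text, host_text, prefix="neutron-"):
    """Chains with the given prefix that the container lists but the host does not."""
    missing = set(parse_listing(container_text)) - set(parse_listing(host_text))
    return sorted(c for c in missing if c.startswith(prefix))


def diagnose(container_text, host_text):
    """Combine both signals into the mismatch signature described in the report."""
    missing = chains_missing_on_host(container_text, host_text)
    warned = legacy_warning_present(host_text)
    # Chains missing on the host plus the legacy warning means the container
    # loaded its rules through the legacy backend while the host only lists nft.
    return {"missing_on_host": missing, "legacy_warning_on_host": warned,
            "backend_mismatch_suspected": bool(missing) and warned}


if __name__ == "__main__":
    for key, value in diagnose(CONTAINER_LISTING, HOST_LISTING).items():
        print(f"{key}: {value}")
```

On a real system, capture the two listings from the container and from the host and pass them to `diagnose`. When the host listing carries the warning, the host's `iptables-legacy -nvL` is where the container's rules appear, which is exactly what the trailing "use iptables-legacy to see them" line in the report's output says.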

Changed in tripleo:
milestone: stein-3 → stein-rc1
Changed in tripleo:
milestone: stein-rc1 → train-1
Changed in tripleo:
milestone: train-1 → train-2
Changed in tripleo:
milestone: train-2 → train-3
Changed in tripleo:
milestone: train-3 → ussuri-1
Changed in tripleo:
milestone: ussuri-1 → ussuri-2
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-2 → ussuri-3
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-3 → ussuri-rc3
wes hayutin (weshayutin)
Changed in tripleo:
status: Triaged → Incomplete
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-rc3 → victoria-1
Changed in tripleo:
milestone: victoria-1 → victoria-3