Unmanaged iptables rules are kept after the deploy (v4 and v6)

Bug #1812695 reported by Cédric Jeanneret on 2019-01-21
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cédric Jeanneret

Bug Description

Hey folks,

We apparently have a "small" issue with iptables in tripleo:
there are rules that are apparently NOT managed by puppet, and they can cause some security issues.

For instance, on an undercloud deployed against latest master packages as of today, we can see the following rules being unmanaged:
    0 0 ACCEPT all -- * * state RELATED,ESTABLISHED
    0 0 ACCEPT icmp -- * *
    2 104 ACCEPT all -- lo *
    1 60 ACCEPT tcp -- * * state NEW tcp dpt:22
    0 0 REJECT all -- * * reject-with icmp-host-prohibited

Here, we can see SSH service is allowed world-wide, and a repetition of some other rules that are actually pushed by puppet-iptables.

Also, the last REJECT one prevent any logging to happen:
    0 0 LOG all -- * * state NEW limit: avg 20/min burst 15 /* 998 log all ipv4 */ LOG flags 0 level 4
    0 0 DROP all -- * * state NEW /* 999 drop all ipv4 */

And we have the same behaviour with ipv6, of course:
    0 0 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
    0 0 ACCEPT icmpv6 * * ::/0 ::/0
    0 0 ACCEPT all lo * ::/0 ::/0
    0 0 ACCEPT tcp * * ::/0 ::/0 state NEW tcp dpt:22
    0 0 ACCEPT udp * * ::/0 fe80::/64 udp dpt:546 state NEW
    0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-adm-prohibited

That issue has the following impact:
- unmanage rules are present after the deploy
- as they are unmanaged, we can't drop them easily or, if needed, update them (puppet-firewall relies on the comment/resource name)
- the current situation prevent any LOG to happen, since we hit the REJECT rule before any logging.
- the current situation prevent the final DROP to happen, since the REJECT is hit before

Changed in tripleo:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/632117
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=f25c27aa2c6eff327d612d163c1758b59618d6ed
Submitter: Zuul
Branch: master

commit f25c27aa2c6eff327d612d163c1758b59618d6ed
Author: Cédric Jeanneret <email address hidden>
Date: Mon Jan 21 15:05:47 2019 +0100

    Ensure we get a clean firewall

    The iptables-services package pushes a bunch of default rules, activated as soon
    as we start the "iptables" systemd unit.

    This patch intends to remove those default rules, in order to ensure we get
    only managed firewall rules (either by puppet, or by any openstack service like

    In order to prevent any issue, instead of erasing the file, we actually save the
    current state prior the iptables-services installation and subsequent service startup.

    The iptables-services installation and activation is done at the "include ::firewall"
    Prior that, iptables is empty, meaning if we save, and pre-create the
    /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files before we include the
    "::firewall" class, we will get an empty, clean ruleset.

    Please note, this won't correct already deployed infrastructure though - that will
    probably requires an upgrade_tasks directly in tripleo-heat-templates.

    Related: https://bugzilla.redhat.com/show_bug.cgi?id=1667887
    Partial-Bug: #1812695
    Change-Id: I74d15b8de216984ac42a0839430ae9afe2554d16

Cédric Jeanneret (cjeanner) wrote :

Fix is OK for new deploy - still, update/upgrade doesn't take care of the cleanup. Will open a new issue about that once I have some more insight from network team.

Changed in tripleo:
status: In Progress → Fix Released
Changed in tripleo:
milestone: none → stein-3
tags: added: queens-backport-potential

Reviewed: https://review.openstack.org/634403
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=65041ed9d8618cf3762d6d1a811e98fe69cb1ce9
Submitter: Zuul
Branch: master

commit 65041ed9d8618cf3762d6d1a811e98fe69cb1ce9
Author: Cédric Jeanneret <email address hidden>
Date: Fri Feb 1 10:02:20 2019 +0100

    Clean unmanaged rules pushed by iptables-services package

    As iptables-services injects default rules, we must ensure,
    upon upgrade, that none of those unmanaged rules are present
    in the firewall, nor in the iptables saved state.

    We cannot remove them with puppet nor ansible due to the following

    - puppetlabs-firewall, the puppet module used in TripleO, manages
      the firewall resources with comments - the comment value is the
      name of the puppet resource. As the default rules have no comment,
      puppet doesn't "see" them as managed resources, and can't affect

    - we can't simply "flush" all the rules and reapply them, because
      puppet does not manage all the rules - some are managed by neutron,
      for example.

    - ansible "iptables" module doesn't make a full match of the chain,
      and might drop the unwanted ones, keeping the unmanaged in place.
      Also, it doesn't take care of the saved state.

    Related: https://bugzilla.redhat.com/show_bug.cgi?id=1667887
    Closes-Bug: #1812695
    Change-Id: I59733cb9a0323bbce4e20838a78103a70ec0d426

This issue was fixed in the openstack/tripleo-heat-templates 10.4.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.