yahoo-eng-team team mailing list archive
Message #22518
[Bug 1365961] Re: Dangerous iptables rule generated in case of protocol "any" and source-port/destination-port usage
** Also affects: neutron/icehouse
Importance: Undecided
Status: New
** Changed in: neutron/icehouse
Importance: Undecided => High
** Changed in: neutron/icehouse
Status: New => Fix Committed
** Changed in: neutron/icehouse
Milestone: None => 2014.1.3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1365961
Title:
Dangerous iptables rule generated in case of protocol "any" and
source-port/destination-port usage
Status in OpenStack Neutron (virtual network service):
Fix Committed
Status in neutron icehouse series:
Fix Committed
Status in OpenStack Security Advisories:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
Icehouse 2014.1.2, FWaas using iptables driver
In order to allow DNS (TCP and UDP) requests, the following rule was defined:
neutron firewall-rule-create --protocol any --destination-port 53 --action allow
On L3agent namespace this has been translated in the following iptables rules:
-A neutron-l3-agent-iv441c58eb2 -j ACCEPT
-A neutron-l3-agent-ov441c58eb2 -j ACCEPT
=> there is no restriction on the destination port (53), as we could expect!!!
There are 2 solutions to handle this issue:
1) Don't allow the user to create a rule specifying protocol "any" AND a
source-port/destination-port.
2) Generate the following rules (like some firewalls do):
-A neutron-l3-agent-iv441c58eb2 -p tcp -m tcp --dport 53 -j ACCEPT
-A neutron-l3-agent-iv441c58eb2 -p udp -m udp --dport 53 -j ACCEPT
-A neutron-l3-agent-ov441c58eb2 -p tcp -m tcp --dport 53 -j ACCEPT
-A neutron-l3-agent-ov441c58eb2 -p udp -m udp --dport 53 -j ACCEPT
=> TCP and UDP have been completed.
The source code affected is located in
neutron/services/firewall/drivers/linux/iptables_fwaas.py (L268)
    def _port_arg(self, direction, protocol, port):
        if not (protocol in ['udp', 'tcp'] and port):
            return ''
        return '--%s %s' % (direction, port)
=> trunk code is affected too.
Note: This is not a real Neutron security vulnerability but it is a
real security vulnerability for applications living in the OpenStack
cloud... That's why I tagged it as "security vulnerability"
Regards,
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1365961/+subscriptions
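The following is an added example, not code from the neutron project or from the bug report: a minimal model of how the quoted _port_arg() turns protocol "any" plus a port into an unrestricted ACCEPT, next to the two hardened variants the reporter proposes (reject the combination, or expand "any" into tcp and udp). The chain names are the ones quoted in the report; the rule dict layout and the allow/deny mapping are assumptions.

```python
"""Model of the FWaaS rule rendering bug (constructed example, not neutron code)."""

# Chain names quoted in the bug report; rule dict shape and ACTIONS are assumed.
CHAINS = ('neutron-l3-agent-iv441c58eb2', 'neutron-l3-agent-ov441c58eb2')
ACTIONS = {'allow': 'ACCEPT', 'deny': 'DROP'}


def _port_arg(direction, protocol, port):
    # Behaviour quoted in the report: the port is silently dropped unless the
    # protocol is tcp or udp, so "any" + port yields no port restriction at all.
    if not (protocol in ['udp', 'tcp'] and port):
        return ''
    return '--%s %s' % (direction, port)


def _render(chain, protocol, rule):
    # Build one iptables rule line for one chain and one concrete protocol.
    parts = ['-A', chain]
    if protocol != 'any':
        parts += ['-p', protocol, '-m', protocol]
    for direction, key in (('sport', 'source_port'), ('dport', 'destination_port')):
        arg = _port_arg(direction, protocol, rule.get(key))
        if arg:
            parts.append(arg)
    parts += ['-j', ACTIONS[rule['action']]]
    return ' '.join(parts)


def render_buggy(rule):
    # Original behaviour: "any" is rendered as-is and the port vanishes.
    return [_render(chain, rule['protocol'], rule) for chain in CHAINS]


def render_fixed(rule, reject=False):
    # Option 1 (reject=True): refuse protocol "any" combined with a port.
    # Option 2 (default): expand "any" + port into one tcp and one udp rule.
    has_port = rule.get('source_port') or rule.get('destination_port')
    if rule['protocol'] == 'any' and has_port:
        if reject:
            raise ValueError('protocol "any" cannot be combined with a port')
        protocols = ['tcp', 'udp']
    else:
        protocols = [rule['protocol']]
    return [_render(chain, p, rule) for chain in CHAINS for p in protocols]


# Constructed input mirroring the reporter's "neutron firewall-rule-create" call.
RULE = {'protocol': 'any', 'destination_port': '53', 'action': 'allow'}

if __name__ == '__main__':
    for line in render_buggy(RULE) + render_fixed(RULE):
        print(line)
```

Running it prints the two unrestricted ACCEPT lines from the report first, followed by the four tcp/udp --dport 53 lines the reporter asked for.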