
yahoo-eng-team team mailing list archive

[Bug 1399462] [NEW] Incorrect iptables INPUT rules on l3-agent for metadata proxy


Public bug reported:

On the l3-agent, 2 iptables rules are defined to ensure the metadata proxy is reachable from VMs on 169.254.169.254:80:
* REDIRECT 169.254.169.254:80 packets to the router on port 9697 (metadata proxy port)
    -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
* ACCEPT traffic to 127.0.0.1 on port 9697
    -A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT

The 2nd rule is invalid as REDIRECT replaces the destination IP by:
 * the router IP (the one on the input interface)
 * 127.0.0.1 if the packet is a LOCAL packet (not the metadata proxy case).

So the ACCEPT rule's filter is not matched: the metadata proxy is only reachable because the INPUT policy is ACCEPT.
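The following Python script is an added example, not Neutron code and not part of the bug report. It models the REDIRECT target's destination rewrite (primary address of the incoming interface, or 127.0.0.1 for locally generated packets) and evaluates the two quoted rules against a constructed VM request, so that one can see which of the two actually admits the packet and what happens if the INPUT policy were not ACCEPT. The interface name `qr-constructed0`, the addresses, and the port-only rule at the end are constructed for illustration; the port-only rule is not Neutron's fix.

```python
"""Model of why the l3-agent INPUT ACCEPT rule never matches metadata traffic.

Added example, not Neutron code: the rule strings are the two quoted in the
bug report; the interface name and addresses below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Dict, Optional

# The two rules quoted in the bug report.
PREROUTING_RULE = ("-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 "
                   "-p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697")
INPUT_RULE = ("-A neutron-l3-agent-INPUT -d 127.0.0.1/32 "
              "-p tcp -m tcp --dport 9697 -j ACCEPT")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: Optional[str]  # None models a locally generated packet


def parse_rule(rule: str) -> Dict[str, str]:
    """Reduce an iptables-save style rule to its option/value pairs."""
    return dict(re.findall(r"(--?[A-Za-z-]+)\s+(\S+)", rule))


def rule_matches(rule: Dict[str, str], pkt: Packet) -> bool:
    """Evaluate the match part of a rule (-d, -p, --dport) against a packet."""
    if "-d" in rule and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule["-d"]):
        return False
    if "-p" in rule and rule["-p"] != pkt.proto:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt.dport:
        return False
    return True


def apply_redirect(rule: Dict[str, str], pkt: Packet, iface_addrs: Dict[str, str]) -> Packet:
    """REDIRECT semantics as described in the report (and iptables-extensions(8)):
    the destination becomes the primary address of the incoming interface, or
    127.0.0.1 for a locally generated packet; the port becomes --to-ports."""
    new_dst = "127.0.0.1" if pkt.in_iface is None else iface_addrs[pkt.in_iface]
    return replace(pkt, dst=new_dst, dport=int(rule["--to-ports"]))


def trace(pkt: Packet, iface_addrs: Dict[str, str], input_policy: str = "ACCEPT",
          input_rule: str = INPUT_RULE) -> Dict[str, object]:
    """Run an inbound packet through the nat PREROUTING rule and then the
    filter INPUT rule, and report what actually let it through."""
    nat = parse_rule(PREROUTING_RULE)
    # Only packets arriving on an interface traverse PREROUTING; locally
    # generated ones go through nat OUTPUT instead and never see this rule.
    if pkt.in_iface is not None and rule_matches(nat, pkt) and nat["-j"] == "REDIRECT":
        pkt = apply_redirect(nat, pkt, iface_addrs)
    flt = parse_rule(input_rule)
    matched = rule_matches(flt, pkt)
    return {
        "post_nat_dst": pkt.dst,
        "post_nat_dport": pkt.dport,
        "input_rule_matched": matched,
        "verdict": flt["-j"] if matched else input_policy,
        "accepted_by": "rule" if matched else "chain policy",
    }


# Illustrative INPUT rule without the 127.0.0.1 destination match; it is NOT
# Neutron's fix, only a rule form that does match the post-REDIRECT packet.
PORT_ONLY_INPUT_RULE = "-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j ACCEPT"

if __name__ == "__main__":
    # Constructed router namespace: one qr-* interface carrying the subnet gateway.
    ifaces = {"qr-constructed0": "10.0.0.1"}
    vm_request = Packet(src="10.0.0.5", dst="169.254.169.254", proto="tcp",
                        dport=80, in_iface="qr-constructed0")
    print("as deployed:    ", trace(vm_request, ifaces))
    print("with INPUT DROP:", trace(vm_request, ifaces, input_policy="DROP"))
    print("port-only rule: ", trace(vm_request, ifaces, input_rule=PORT_ONLY_INPUT_RULE))
```

Running it shows the deployed INPUT rule never matching (the post-NAT destination is the router's interface address, not 127.0.0.1) and the packet being accepted only by the chain policy; switching the policy to DROP in the model drops the request, which is the practical consequence of relying on an unmatched ACCEPT rule.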

** Affects: neutron
     Importance: Undecided
     Assignee: Cedric Brandily (cbrandily)
         Status: New


** Tags: l3-ipam-dhcp

** Changed in: neutron
     Assignee: (unassigned) => Cedric Brandily (cbrandily)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1399462

Title:
  Incorrect iptables INPUT rules on l3-agent for metadata proxy

Status in OpenStack Neutron (virtual network service):
  New
