yahoo-eng-team team mailing list archive

[Bug 1399462] Re: Incorrect iptables INPUT rules on l3-agent for metadata proxy

** Changed in: neutron
       Status: Fix Committed => Fix Released

** Changed in: neutron
    Milestone: None => kilo-2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1399462

Title:
  Incorrect iptables INPUT rules on l3-agent for metadata proxy

Status in OpenStack Neutron (virtual network service):
  Fix Released

Bug description:
  On the l3-agent, 2 iptables rules are defined to ensure the metadata proxy is reachable from VMs on 169.254.169.254:80:
  * REDIRECT 169.254.169.254:80 packets to the router on port 9697 (metadata proxy port)
      -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
  * ACCEPT traffic to 127.0.0.1 on port 9697
      -A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT

  The 2nd rule is invalid, as REDIRECT replaces the destination IP with:
   * the router IP (the one on the input interface)
   * 127.0.0.1 if the packet is a LOCAL packet (not the metadata proxy case).

  So the ACCEPT rule filter is not matched ... the metadata proxy is only reachable because the INPUT policy is ACCEPT.
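The following is an added illustration, not code from the bug report or from Neutron: a small Python model of the two rules quoted above. It applies the REDIRECT rewrite (destination becomes the input interface address, or 127.0.0.1 for locally generated packets) and then evaluates the INPUT chain, showing that the `-d 127.0.0.1/32` rule never matches a VM request and that the proxy is reached only through the chain policy. The router interface address 10.0.0.1, the VM address 10.0.0.5 and the alternative rule matching on the router IP are assumptions for the example; the actual Neutron fix is not quoted on this page.

```python
# Added example (not from the bug report or Neutron): model of the l3-agent
# metadata REDIRECT and INPUT rules, to show why the INPUT rule cannot match
# once REDIRECT has rewritten the destination address.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    local: bool = False  # True for packets generated on the router host itself


# Hypothetical addresses for the illustration (assumptions, not from the page).
ROUTER_IF_IP = "10.0.0.1"        # address of the router's input interface
METADATA_IP = "169.254.169.254"
PROXY_PORT = 9697


def redirect(pkt: Packet, match_dst: str, match_dport: int, to_port: int) -> Packet:
    """Model of '-d <match_dst> --dport <match_dport> -j REDIRECT --to-ports <to_port>'.

    REDIRECT replaces the destination with the primary address of the input
    interface, or with 127.0.0.1 for locally generated packets.
    """
    if pkt.dst != match_dst or pkt.dport != match_dport:
        return pkt
    new_dst = "127.0.0.1" if pkt.local else ROUTER_IF_IP
    return replace(pkt, dst=new_dst, dport=to_port)


def input_verdict(pkt: Packet, rules, policy: str = "ACCEPT"):
    """First-match evaluation of an INPUT chain.

    rules: list of (dst or None, dport, target).
    Returns (verdict, reason), where reason says whether a rule or the
    chain policy produced the verdict.
    """
    for dst, dport, target in rules:
        if (dst is None or dst == pkt.dst) and dport == pkt.dport:
            return target, "rule"
    return policy, "policy"


# The rule from the report: only matches when the destination is 127.0.0.1.
BUGGY_INPUT = [("127.0.0.1", PROXY_PORT, "ACCEPT")]
# Illustrative alternative matching the router interface address instead
# (an assumption for this example, not the fix shipped in Neutron).
ROUTER_IP_INPUT = [(ROUTER_IF_IP, PROXY_PORT, "ACCEPT")]


def vm_request() -> Packet:
    """Constructed metadata request from a VM to 169.254.169.254:80."""
    return Packet(src="10.0.0.5", dst=METADATA_IP, dport=80)


def evaluate(rules, policy: str = "ACCEPT"):
    """Run a VM request through REDIRECT, then the INPUT chain.

    Returns (destination after NAT, (verdict, reason)).
    """
    after_nat = redirect(vm_request(), METADATA_IP, 80, PROXY_PORT)
    return after_nat.dst, input_verdict(after_nat, rules, policy)


if __name__ == "__main__":
    # With the buggy rule the proxy is reachable only via the ACCEPT policy;
    # a DROP policy would make it unreachable.
    print("buggy rule, policy ACCEPT  :", evaluate(BUGGY_INPUT))
    print("buggy rule, policy DROP    :", evaluate(BUGGY_INPUT, "DROP"))
    print("router-ip rule, policy DROP:", evaluate(ROUTER_IP_INPUT, "DROP"))
```

Running it shows the VM request leaving NAT with destination 10.0.0.1, so the `127.0.0.1` rule is skipped and the verdict comes from the chain policy; only a rule that matches the post-REDIRECT destination (or no destination at all) produces an explicit ACCEPT.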

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1399462/+subscriptions