yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1618879] Re: iptables rule always be thrashed when update a little rule

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Tristan Cacqueray <tdecacqu@xxxxxxxxxx>
Date: Thu, 01 Sep 2016 02:13:11 -0000
Reply-to: Bug 1618879 <1618879@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.

I've add the OSSA task since it's reported as a Security bug, though it
doesn't like a vulnerability but more of a bug with (some) security
implications (class D according to VMT taxonomy).

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1618879

Title:
  iptables rule always be thrashed when update a little rule

Status in neutron:
  In Progress
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  When update meter label or rule, iptables_manager will update iptables
  rule in router's namespace. In order to, it will clean traffic counter
  number collected in interval time, the other iptables always trashing
  that will clean old iptalbes rule and generate new same significance
  iptables rule.

  the example from update meter label:
   
  Generated by iptables_manager
  *filter
  :neutron-meter-neutron-met - [0:0]
  :neutron-meter-r-00599199-632 - [0:0]
  -I FORWARD 2 -j neutron-meter-FORWARD
  -D FORWARD 4
  -I INPUT 1 -j neutron-meter-INPUT
  -D INPUT 3
  -I OUTPUT 2 -j neutron-meter-OUTPUT
  -D OUTPUT 4
  -I neutron-filter-top 1 -j neutron-meter-local
  -D neutron-filter-top 3
  -D neutron-meter-l-00e4e019-099 1
  -I neutron-meter-l-00e4e019-099 1
  -D neutron-meter-l-01e4e019-099 1
  -I neutron-meter-l-01e4e019-099 1
  -I neutron-meter-r-00599199-632 1 -i qg-f0732f6f-8e -d 192.168.10.0/24 -j neutron-meter-l-00599199-632
  COMMIT
  # Completed by iptables_manager
  # Generated by iptables_manager
  *raw
  -I OUTPUT 1 -j neutron-meter-OUTPUT
  -D OUTPUT 3
  -I PREROUTING 1 -j neutron-meter-PREROUTING
  -D PREROUTING 3
  COMMIT
  # Completed by iptables_manager

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1618879/+subscriptions