[openstack-dev] [OSSN 0029] Neutron FWaaS rules lack port restrictions when using protocol 'any'
Nathan Kinder
nkinder at redhat.com
Mon Sep 29 19:39:56 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
An update for this Security Note has been published to clarify that
Neutron's FWaaS extension is still experimental. The updated version
of OSSN-0029 is available here:
https://wiki.openstack.org/wiki/OSSN/OSSN-0029
Thanks,
- -NGK
On 09/24/2014 09:58 AM, Nathan Kinder wrote:
> Neutron FWaaS rules lack port restrictions when using protocol
> 'any' ---
>
> ### Summary ### A bug in the Neutron FWaaS (Firewall as a Service)
> code results in iptables rules being generated that do not reflect
> desired port restrictions. This behaviour is triggered when a
> protocol other than 'udp' or 'tcp' is specified, e.g. 'any'.
>
> The scope of this bug is limited to Neutron FWaaS and systems built
> upon it. Security Groups are not affected.
>
> ### Affected Services / Software ### Neutron FWaaS, Grizzly,
> Havana, Icehouse
>
> ### Discussion ### When specifying firewall rules using Neutron
> that should match multiple protocols, it is convenient to specify a
> protocol of 'any' in place of defining multiple specific rules.
>
> For example, in order to allow DNS (TCP and UDP) requests, the
> following rule might be defined:
>
> neutron firewall-rule-create --protocol any --destination-port 53
> \ --action allow
>
> However, this rule results in the generation of iptables firewall
> rules that do not reflect the desired port restriction. An example
> generated iptables rule might look like the following:
>
> -A neutron-l3-agent-iv441c58eb2 -j ACCEPT
>
> Note that the restriction on port 53 is missing. As a result, the
> generated rule will match and accept any traffic being processed by
> the rule chain to which it belongs.
>
> Additionally, iptables arranges sets of rules into chains and
> processes packets entering a chain one rule at a time. Rule
> matching stops at the first matched exit condition (e.g. accept or
> drop). Since, the generated rule above will match and accept all
> packets, it will effectively short circuit any filtering rules
> lower down in the chain. Consequently, this can break other
> firewall rules regardless of the protocol specified when defining
> those rules with Neutron. They simply need to appear later in the
> generated iptables rule chain.
>
> This bug is triggered when any protocol other than 'tcp' or 'udp'
> is specified in conjunction with a source or destination port
> number.
>
> ### Recommended Actions ### Avoid the use of 'any' when specifying
> the protocol for Neutron FWaaS rules. Instead, create multiple
> rules for both 'tcp' and 'udp' protocols independently.
>
> A fix has been submitted to Juno.
>
> ### Contacts / References ### This OSSN :
> https://wiki.openstack.org/wiki/OSSN/OSSN-0029 Original LaunchPad
> Bug : https://bugs.launchpad.net/neutron/+bug/1365961 OpenStack
> Security ML : openstack-security at lists.openstack.org OpenStack
> Security Group : https://launchpad.net/~openstack-ossg
>
> _______________________________________________ OpenStack-dev
> mailing list OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUKbWMAAoJEJa+6E7Ri+EVhn4H/3i6o52SNZQsE6eofCWJag1h
GK4rECMuCw1TTe1a8mT0zrA9vigxZFlnpjfb/mXfFprQG4365VuqxxOFN1gimN+Q
xG8oFrm32RhEGi45FAbJr5g00LbemfNCVrJO+GJMSRjv3WykClwXz2HN13OAvejO
KkTaTeLKJQoPjLP1qeAb0Ihce8wR+pgAE+2g0MuaWBbZUIVZXK5CVvfU6NpBzat7
QoFLI9G+mUAHN8faGm15NvslkH+s5wzm9PDhE0ASOUzjKcaSFgLBcNiMTG2dCvjX
7SLrsYQErQop3LwQOpVlfnmhgTA96m5QsN3DaF1RAeAKSf7WU2yeYSujGtBdpes=
=tPf/
-----END PGP SIGNATURE-----
More information about the OpenStack-dev
mailing list