Open Stack

I'm not working on nova-network currently, but did in a previous life so
will add a comment.

One of the better ways to do this is to add a rule to the libvirt xml
file to drop all inbound packets to the compute host, something like
this in nova/virt/libvirt/firewall.py:

+    def nova_no_my_ip_address(self):
+        # Drop all IPv4 packets going to CONF.my_ip, since the network
+        # stack will loop them back.
+        retval = "<filter name='nova-no-my-ip-address' chain='ipv4'>"
+        retval += """<rule action='drop' direction='out'>
+                       <ip dstipaddr='%s' />
+                     </rule>""" % CONF.my_ip
+        retval += '</filter>'
+        return retval

Then just put some code in _ensure_static_filters() to define and append
that to the existing filter set.

That's untested and based on older code, I see there is a
get_host_ip_addr() method now that might be a better choice.

My $.02

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1316271

Title:
  Network Security: VM hosts can SSH to compute node

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  Hi guys,

      We're still using nova-network and we'll be using it for a while
  and we noticed that the VM guests can contact the compute nodes on all
  ports ... The one we're the most preoccupied with is SSH.   We've
  written the following patch in order to isolate the VM guests from the
  VM hosts.

  --- linux_net.py.orig   2014-05-05 17:25:10.171746968 +0000
  +++ linux_net.py        2014-05-05 18:42:54.569209220 +0000
  @@ -805,6 +805,24 @@

  
   @utils.synchronized('lock_gateway', external=True)
  +def isolate_compute_from_guest(network_ref):
  +    if not network_ref:
  +        return
  +
  +    iptables_manager.ipv4['filter'].add_rule('INPUT',
  +                                             '-p tcp -d %s --dport 8775 '
  +                                             '-j ACCEPT' % network_ref['dhcp_server'])
  +    iptables_manager.ipv4['filter'].add_rule('FORWARD',
  +                                             '-p tcp -d %s --dport 8775 '
  +                                             '-j ACCEPT' % network_ref['dhcp_server'])
  +    iptables_manager.ipv4['filter'].add_rule('INPUT',
  +                                             '-d %s '
  +                                             '-j DROP' % network_ref['dhcp_server'])
  +    iptables_manager.ipv4['filter'].add_rule('FORWARD',
  +                                             '-d %s '
  +                                             '-j DROP' % network_ref['dhcp_server'])
  +    iptables_manager.apply()
  +
   def initialize_gateway_device(dev, network_ref):
       if not network_ref:
           return
  @@ -1046,6 +1064,7 @@
               try:
                   _execute('kill', '-HUP', pid, run_as_root=True)
                   _add_dnsmasq_accept_rules(dev)
  +                isolate_compute_from_guest(network_ref)
                   return
               except Exception as exc:  # pylint: disable=W0703
                   LOG.error(_('Hupping dnsmasq threw %s'), exc)
  @@ -1098,6 +1117,7 @@

       _add_dnsmasq_accept_rules(dev)

  +    isolate_compute_from_guest(network_ref)

   @utils.synchronized('radvd_start')
   def update_ra(context, dev, network_ref):

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1316271/+subscriptions