[Openstack-security] [Bug 1618879] Re: iptables rule always be thrashed when update a little rule
Jeremy Stanley
fungi at yuggoth.org
Tue Sep 27 15:36:41 UTC 2016
I agree with Tristan, this looks like a security hardening opportunity.
** Changed in: ossa
Status: Incomplete => Won't Fix
** Information type changed from Public Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1618879
Title:
iptables rule always be thrashed when update a little rule
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
When update meter label or rule, iptables_manager will update iptables
rule in router's namespace. In order to, it will clean traffic counter
number collected in interval time, the other iptables always trashing
that will clean old iptalbes rule and generate new same significance
iptables rule.
the example from update meter label:
Generated by iptables_manager
*filter
:neutron-meter-neutron-met - [0:0]
:neutron-meter-r-00599199-632 - [0:0]
-I FORWARD 2 -j neutron-meter-FORWARD
-D FORWARD 4
-I INPUT 1 -j neutron-meter-INPUT
-D INPUT 3
-I OUTPUT 2 -j neutron-meter-OUTPUT
-D OUTPUT 4
-I neutron-filter-top 1 -j neutron-meter-local
-D neutron-filter-top 3
-D neutron-meter-l-00e4e019-099 1
-I neutron-meter-l-00e4e019-099 1
-D neutron-meter-l-01e4e019-099 1
-I neutron-meter-l-01e4e019-099 1
-I neutron-meter-r-00599199-632 1 -i qg-f0732f6f-8e -d 192.168.10.0/24 -j neutron-meter-l-00599199-632
COMMIT
# Completed by iptables_manager
# Generated by iptables_manager
*raw
-I OUTPUT 1 -j neutron-meter-OUTPUT
-D OUTPUT 3
-I PREROUTING 1 -j neutron-meter-PREROUTING
-D PREROUTING 3
COMMIT
# Completed by iptables_manager
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1618879/+subscriptions
More information about the Openstack-security
mailing list