The security note for this issue has been published as OSSN-0029: https://wiki.openstack.org/wiki/OSSN/OSSN-0029
** Changed in: ossn
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1365961

Title:
  Dangerous iptables rule generated in case of protocol "any" and
  source-port/destination-port usage

Status in OpenStack Neutron (virtual network service):
  Fix Committed
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  Icehouse 2014.1.2, FWaaS using iptables driver

  In order to allow DNS (TCP and UDP) requests, the following rule was defined:

    neutron firewall-rule-create --protocol any --destination-port 53 --action allow

  On the L3 agent namespace this has been translated into the following iptables rules:

    -A neutron-l3-agent-iv441c58eb2 -j ACCEPT
    -A neutron-l3-agent-ov441c58eb2 -j ACCEPT

  => there is no restriction on the destination port (53), as we could expect!!!

  There are 2 solutions to handle this issue:

  1) Don't allow the user to create a rule specifying protocol "any" AND a
     source-port/destination-port.

  2) Generate the following rules (like some firewalls do):

    -A neutron-l3-agent-iv441c58eb2 -p tcp -m tcp --dport 53 -j ACCEPT
    -A neutron-l3-agent-iv441c58eb2 -p udp -m udp --dport 53 -j ACCEPT
    -A neutron-l3-agent-ov441c58eb2 -p tcp -m tcp --dport 53 -j ACCEPT
    -A neutron-l3-agent-ov441c58eb2 -p udp -m udp --dport 53 -j ACCEPT

  => TCP and UDP have been completed.

  The source code affected is located in
  neutron/services/firewall/drivers/linux/iptables_fwaas.py (L268):

    def _port_arg(self, direction, protocol, port):
        if not (protocol in ['udp', 'tcp'] and port):
            return ''
        return '--%s %s' % (direction, port)

  => trunk code is affected too.

  Note: This is not a real Neutron security vulnerability but it is a real
  security vulnerability for applications living in the OpenStack cloud...
  That's why I tagged it as "security vulnerability"

  Regards,

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1365961/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp