Andy Kurth created VCL-875:
------------------------------
Summary: Management node loses SSH access if iptables multiport rule exists
Key: VCL-875
URL: https://issues.apache.org/jira/browse/VCL-875
Project: VCL
Issue Type: Bug
Components: vcld (backend)
Affects Versions: 2.4.2
Reporter: Andy Kurth
Fix For: 2.4.3
The 2.4.2 code handles the firewall a bit differently. It attempts to open up
access to each of the management node's IP addresses on any port. Afterwards,
it removes rules allowing port 22. The logic is that the management node can
still connect via a rule allowing all ports, even if no specific port 22 rules
exist.
This normally works fine, but can cause the management node to get locked out.
The old firewall code parses _iptables -L_ output and assembles a hash
containing all of the rule information. It is checking for rules which contain
_dpt:_ to specify a destination port. If it doesn't find this, it assumes the
rule applies to all ports. Rules which have a _multiport_ specification are
not parsed properly. The _multiport_ is ignored and the code assumes the rule
applies to all ports.
When the code attempts to add the rules to allow traffic from the management
node's addresses, it checks the existing rules first. If it finds one that
matches (including any rule for the same protocol/port whose scope already
includes the address being added), a new rule isn't added. This is what causes
the management node to get locked out.
Assume the code attempts to open up the MN's a.b.c.d address to any port, and
it finds an existing rule allowing traffic from any address which has
_multiport dports 5555,6666_. The code assumes the firewall is already open
and doesn't add a new rule. The port 22 rules are then removed and the
management node is locked out.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
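As an added illustration of the parsing problem described in the issue (this is not vcld's own code, which is Perl; it is a Python sketch against a constructed `iptables -L INPUT -n` sample), the parser below contrasts the old check, which only consults `dpt:`, with one that also understands `dpts:` ranges and `multiport dports` lists and that treats any match extension it does not recognise as narrowing the rule. The function names, the sample chain and the address `10.1.2.3` standing in for the management node's `a.b.c.d` are all assumptions for the example.

```python
import ipaddress

# Constructed sample of `iptables -L INPUT -n` output; not captured from a real
# VCL management node. Mixes a plain dpt:, a port range (dpts:) and a
# multiport rule, which is the case the issue describes.
SAMPLE_IPTABLES_L = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5555,6666
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:8000:8010
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""


def parse_rules(output, recognize_multiport=True):
    """Parse `iptables -L -n` text into a list of rule dicts.

    dports is None when no destination-port restriction was found; extras
    holds match-extension tokens the parser does not understand.
    recognize_multiport=False reproduces the 2.4.2 behaviour from the issue:
    only dpt:/dpts: are consulted, so a multiport rule looks port-less.
    """
    rules = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("Chain", "target"):
            continue  # chain banner, column header, blank line
        target, prot, _opt, src, dst = fields[:5]
        tokens = fields[5:]
        dports, extras = set(), []
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == prot:
                i += 1  # "-m tcp" echoes the protocol name before dpt:
            elif tok.startswith(("dpt:", "dpts:")):
                dports.add(tok.split(":", 1)[1])  # single port or lo:hi range
                i += 1
            elif tok == "multiport" and i + 2 < len(tokens):
                kind, spec = tokens[i + 1], tokens[i + 2]
                if not recognize_multiport:
                    pass  # the bug: the whole multiport clause is ignored
                elif kind in ("dports", "ports"):
                    dports.update(spec.split(","))
                else:
                    extras += [tok, kind, spec]  # sports: narrows the rule another way
                i += 3
            else:
                extras.append(tok)  # state, owner, ...: not understood here
                i += 1
        rules.append({"target": target, "prot": prot, "src": src, "dst": dst,
                      "dports": dports or None, "extras": extras})
    return rules


def rule_covers(rule, src_ip, prot):
    """True only if rule already ACCEPTs src_ip on every port of prot.

    Fail-safe: a port list, a port range, or any match extension we did not
    recognise means the rule is narrower than "all ports", so the caller must
    still add its own rule rather than rely on this one.
    """
    if rule["target"] != "ACCEPT" or rule["prot"] not in ("all", prot):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["src"], strict=False):
        return False
    return rule["dports"] is None and not rule["extras"]


def already_open(rules, src_ip, prot):
    """Stand-in for the pre-add check the issue describes (hypothetical name)."""
    return any(rule_covers(r, src_ip, prot) for r in rules)


if __name__ == "__main__":
    for mode in (False, True):
        rules = parse_rules(SAMPLE_IPTABLES_L, recognize_multiport=mode)
        print("multiport parsed" if mode else "multiport ignored",
              "-> 10.1.2.3/tcp already open:", already_open(rules, "10.1.2.3", "tcp"))
```

With `recognize_multiport=False` the `multiport dports 5555,6666` rule is recorded with no port restriction, so `already_open` reports the management node's address as covered and nothing gets added; once the port 22 rules are removed, the node is locked out exactly as the issue describes. With the multiport clause parsed, no existing rule covers all tcp ports for that source and a rule must be added before the port 22 rules go away.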