[ https://issues.apache.org/jira/browse/VCL-875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14617171#comment-14617171 ]
ASF subversion and git services commented on VCL-875:
-----------------------------------------------------
Commit 1689723 from [~arkurth] in branch 'vcl/trunk'
[ https://svn.apache.org/r1689723 ]
VCL-875
Updated Linux.pm::enable_firewall_port to ignore existing multiport rules when
determining if adding a rule is necessary.
> Management node loses SSH access if iptables multiport rule exists
> ------------------------------------------------------------------
>
> Key: VCL-875
> URL: https://issues.apache.org/jira/browse/VCL-875
> Project: VCL
> Issue Type: Bug
> Components: vcld (backend)
> Affects Versions: 2.4.2
> Reporter: Andy Kurth
> Fix For: 2.4.3
>
>
> The 2.4.2 code handles the firewall a bit differently. It attempts to open
> up access to each of the management node's IP addresses on any port.
> Afterwards, it removes rules allowing port 22. The logic is that the
> management node can still connect via a rule allowing all ports, even if no
> specific port 22 rules exist.
> This normally works fine, but can cause the management node to get locked out.
> The old firewall code parses _iptables -L_ output and assembles a hash
> containing all of the rule information. It is checking for rules which
> contain _dpt:_ to specify a destination port. If it doesn't find this, it
> assumes the rule applies to all ports. Rules which have a _multiport_
> specification are not parsed properly. The _multiport_ is ignored and the
> code assumes the rule applies to all ports.
> When the code attempts to add the rules to allow traffic from the management
> node's addresses, it checks existing rules. If it finds one that matches,
> including any rule which matches the protocol/port that includes the scope
> argument, a new rule isn't added. This causes the management node to get
> locked out.
> Assume the code attempts to open up the MN's a.b.c.d address to any port, and
> it finds an existing rule allowing traffic from any address which has
> _multiport dports 5555,6666_. The code assumes the firewall is already open
> and doesn't add a new rule. The port 22 rules are then removed and the
> management node is locked out.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
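The lockout sequence walked through in the issue description, replayed as an added Python example (it is not VCL's own Perl code from Linux.pm, which is not on this page). It parses constructed `iptables -L INPUT -n` output, runs the "is a rule already open?" check both as the 2.4.2 logic the description gives (no `dpt:` means all ports, so the multiport rule is taken to cover everything) and as the fix summarised by r1689723 (multiport rules ignored when deciding whether a rule needs adding), then removes the port 22 rules and asks whether the management node can still reach SSH. The sample chain output, the address 192.0.2.10 standing in for the issue's a.b.c.d, the function names, and the way protocol and source scope are matched are assumptions made for this example.

```python
import re

# Constructed `iptables -L INPUT -n` output (not taken from the issue): a port 22 rule
# plus the kind of multiport rule the description says was parsed as "all ports".
SAMPLE_WITH_MULTIPORT = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5555,6666
"""

# Same chain without the multiport rule: the "normally works fine" case.
SAMPLE_WITHOUT_MULTIPORT = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""

MN_ADDRESS = "192.0.2.10"  # hypothetical management node address (the issue's a.b.c.d)


def parse_rules(output):
    """One dict per rule from `iptables -L -n` lines, parsed the way the issue describes:
    `dpt:` gives the port, and `multiport dports` is captured separately so the checks
    below can choose whether to look at it. Port ranges are not modelled."""
    rules = []
    for line in output.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5 or fields[0] in ("Chain", "target"):
            continue  # chain header or column header line
        target, proto, _opt, source, _dest = fields[:5]
        extra = fields[5] if len(fields) > 5 else ""
        dpt = re.search(r"\bdpt:(\d+)", extra)
        multi = re.search(r"\bmultiport\s+(?:dports|ports)\s+([\d,]+)", extra)
        rules.append({
            "target": target,
            "protocol": proto,
            "source": source,
            "port": dpt.group(1) if dpt else None,  # None: no `dpt:` present
            "multiport": multi.group(1).split(",") if multi else None,
        })
    return rules


def source_covers(rule_source, address):
    """Minimal scope check (assumption): only 'any' or an exact address match counts."""
    return rule_source in ("0.0.0.0/0", address)


def already_open(rules, address, protocol, port, ignore_multiport):
    """The 'do we need to add a rule?' check.
    ignore_multiport=False reproduces 2.4.2 as described: a rule without `dpt:` is
    assumed to apply to every port, so a multiport rule satisfies an any-port request.
    ignore_multiport=True is what r1689723 does: multiport rules are skipped here."""
    for rule in rules:
        if rule["target"] != "ACCEPT" or not source_covers(rule["source"], address):
            continue
        # Assumption: a protocol-specific rule is accepted for an any-protocol request,
        # which is what lets the tcp multiport rule satisfy "open every port for the MN".
        if rule["protocol"] != "all" and protocol not in ("all", rule["protocol"]):
            continue
        if ignore_multiport and rule["multiport"] is not None:
            continue
        if rule["port"] is None or rule["port"] == str(port):
            return True
    return False


def firewall_allows(rules, address, protocol, port):
    """What iptables itself does with the chain: first matching ACCEPT wins, the
    multiport list is honoured, and the DROP policy applies when nothing matches."""
    for rule in rules:
        if rule["target"] != "ACCEPT" or not source_covers(rule["source"], address):
            continue
        if rule["protocol"] not in ("all", protocol):
            continue
        if rule["multiport"] is not None:
            if str(port) in rule["multiport"]:
                return True
            continue
        if rule["port"] is None or rule["port"] == str(port):
            return True
    return False


def grant_management_node_access(rules, mn_address, ignore_multiport):
    """Replay the 2.4.2 sequence: open all ports for the MN address unless a rule
    already appears to cover it, then remove the port 22 rules."""
    rules = [dict(r) for r in rules]
    if not already_open(rules, mn_address, "all", "any", ignore_multiport):
        rules.insert(0, {"target": "ACCEPT", "protocol": "all", "source": mn_address,
                         "port": None, "multiport": None})
    return [r for r in rules if r["port"] != "22"]


def management_node_keeps_ssh(output, mn_address, ignore_multiport):
    """True if the MN can still reach tcp/22 after the firewall has been rewritten."""
    final = grant_management_node_access(parse_rules(output), mn_address, ignore_multiport)
    return firewall_allows(final, mn_address, "tcp", 22)


if __name__ == "__main__":
    for label, sample in (("with multiport", SAMPLE_WITH_MULTIPORT),
                          ("without multiport", SAMPLE_WITHOUT_MULTIPORT)):
        for fixed in (False, True):
            ok = management_node_keeps_ssh(sample, MN_ADDRESS, ignore_multiport=fixed)
            print(f"{label:18} {'fixed' if fixed else '2.4.2'}: SSH {'kept' if ok else 'LOST'}")
```

With the multiport rule present, the 2.4.2 check reports the node as already open, no all-ports rule is inserted, and removing the port 22 rules leaves only the 5555,6666 rule, so SSH from the management node is dropped by the chain policy; with multiport rules skipped in that check, the all-ports rule is inserted first and SSH survives. Without the multiport rule both variants behave the same, which is the "normally works fine" case from the description.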