Block metadata requests to not go out from the router

Packets send from instances to the metadata service which is running in the router's namespace should never go out from the router. Even if e.g. nat rule to redirect it to port 9697 isn't installed in iptables for some reason, in worst case such requests should be dropped. Before that patch we had in mangle table rules to mark such packets with specific mark. But we didn't block such packets later. This patch adds rule to DROP such packets in the "scope" chain in the filter table. Co-authored-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Related-Bug: #1920778 Change-Id: I6e9eec8fe9606d21fbce3699b4262e0783f667ec
2021-03-25 15:16:58 +01:00 · 2021-03-25 15:16:58 +01:00 · 24dcbcbe09
parent 376b03e3ce
commit 24dcbcbe09
2 changed files with 19 additions and 0 deletions
--- a/neutron/agent/l3/router_info.py
+++ b/neutron/agent/l3/router_info.py
@ -1089,8 +1089,14 @@ class RouterInfo(BaseRouterInfo):
             'interface_name': INTERNAL_DEV_PREFIX + '+',
             'value': self.agent_conf.metadata_access_mark,
             'mask': lib_constants.ROUTER_MARK_MASK})
+        drop_non_local_metadata = (
+            '-m mark --mark %s/%s -j DROP' % (
+                self.agent_conf.metadata_access_mark,
+                lib_constants.ROUTER_MARK_MASK))
        self.iptables_manager.ipv4['mangle'].add_rule(
            'PREROUTING', mark_metadata_for_internal_interfaces)
+        self.iptables_manager.ipv4['filter'].add_rule(
+            'scope', drop_non_local_metadata)

        if netutils.is_ipv6_enabled():
            mark_metadata_v6_for_internal_interfaces = (
@ -1102,8 +1108,14 @@ class RouterInfo(BaseRouterInfo):
                 'interface_name': INTERNAL_DEV_PREFIX + '+',
                 'value': self.agent_conf.metadata_access_mark,
                 'mask': lib_constants.ROUTER_MARK_MASK})
+            drop_non_local_v6_metadata = (
+                '-m mark --mark %s/%s -j DROP' % (
+                    self.agent_conf.metadata_access_mark,
+                    lib_constants.ROUTER_MARK_MASK))
            self.iptables_manager.ipv6['mangle'].add_rule(
                'PREROUTING', mark_metadata_v6_for_internal_interfaces)
+            self.iptables_manager.ipv6['filter'].add_rule(
+                'scope', drop_non_local_v6_metadata)

    def _get_port_devicename_scopemark(
            self, ports, name_generator, interface_name=None):
--- a/neutron/tests/unit/agent/l3/test_agent.py
+++ b/neutron/tests/unit/agent/l3/test_agent.py
@ -4046,8 +4046,15 @@ class TestBasicRouterOperations(BasicRouterOperationsFramework):
                                 namespaces.INTERNAL_DEV_PREFIX + '+',
                                 'value': self.conf.metadata_access_mark,
                                 'mask': lib_constants.ROUTER_MARK_MASK})])
+        v4_filter_calls = ([mock.call.add_rule(
+                                'scope',
+                                '-m mark --mark %s/%s -j DROP' %
+                                (self.conf.metadata_access_mark,
+                                 lib_constants.ROUTER_MARK_MASK))])
        mock_iptables_manager.ipv4['mangle'].assert_has_calls(v4_mangle_calls,
                                                              any_order=True)
+        mock_iptables_manager.ipv4['filter'].assert_has_calls(v4_filter_calls,
+                                                              any_order=True)

    def test_initialize_metadata_iptables_rules(self):
        id = _uuid()