Block metadata requests to not go out from the router
Packets sent from instances to the metadata service, which runs in the router's namespace, should never leave the router. Even if, for some reason, the NAT rule that redirects them to port 9697 is not installed in iptables, such requests should in the worst case be dropped. Before this patch we had rules in the mangle table to mark such packets with a specific mark, but we never blocked the marked packets afterwards. This patch adds a rule that DROPs such packets in the "scope" chain of the filter table. Co-authored-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Related-Bug: #1920778 Change-Id: I6e9eec8fe9606d21fbce3699b4262e0783f667ec
parent
376b03e3ce
commit
24dcbcbe09
@ -1089,8 +1089,14 @@ class RouterInfo(BaseRouterInfo):
|
|||
'interface_name': INTERNAL_DEV_PREFIX + '+',
|
||||
'value': self.agent_conf.metadata_access_mark,
|
||||
'mask': lib_constants.ROUTER_MARK_MASK})
|
||||
drop_non_local_metadata = (
|
||||
'-m mark --mark %s/%s -j DROP' % (
|
||||
self.agent_conf.metadata_access_mark,
|
||||
lib_constants.ROUTER_MARK_MASK))
|
||||
self.iptables_manager.ipv4['mangle'].add_rule(
|
||||
'PREROUTING', mark_metadata_for_internal_interfaces)
|
||||
self.iptables_manager.ipv4['filter'].add_rule(
|
||||
'scope', drop_non_local_metadata)
|
||||
|
||||
if netutils.is_ipv6_enabled():
|
||||
mark_metadata_v6_for_internal_interfaces = (
|
||||
|
@ -1102,8 +1108,14 @@ class RouterInfo(BaseRouterInfo):
|
|||
'interface_name': INTERNAL_DEV_PREFIX + '+',
|
||||
'value': self.agent_conf.metadata_access_mark,
|
||||
'mask': lib_constants.ROUTER_MARK_MASK})
|
||||
drop_non_local_v6_metadata = (
|
||||
'-m mark --mark %s/%s -j DROP' % (
|
||||
self.agent_conf.metadata_access_mark,
|
||||
lib_constants.ROUTER_MARK_MASK))
|
||||
self.iptables_manager.ipv6['mangle'].add_rule(
|
||||
'PREROUTING', mark_metadata_v6_for_internal_interfaces)
|
||||
self.iptables_manager.ipv6['filter'].add_rule(
|
||||
'scope', drop_non_local_v6_metadata)
|
||||
|
||||
def _get_port_devicename_scopemark(
|
||||
self, ports, name_generator, interface_name=None):
|
||||
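Review bot: The DROP rule built on L24 matches on the mark alone, so in the `scope` chain it drops anything carrying `metadata_access_mark` under `ROUTER_MARK_MASK`, and its safety rests entirely on the mark rule above it (whose match expression is cut off above this hunk) tagging only metadata-bound traffic; the address-scope marks appear to share the same mask, so a clash between the configured mark values would silently drop scoped forwarded traffic rather than just metadata requests. Consider pinning the destination in the rule itself, e.g. `'-d <metadata address>/32 -m mark --mark %s/%s -j DROP'` using the same destination the mark rule matches on (presumably 169.254.169.254/32, and the link-local IPv6 metadata address for `drop_non_local_v6_metadata`), so the drop does not depend on mark aliasing. A short why-comment above L21 would also help the next reader, such as `# Defence in depth: even if the nat redirect to the metadata proxy is missing, a marked metadata request must never be forwarded out of the router.` Whether the `scope` chain is actually traversed for this traffic (it has to be reached from FORWARD; redirected requests take INPUT instead) is decided outside this hunk, so that assumption is worth stating in the comment as well. The enclosing method starts above this hunk.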
|
@ -4046,8 +4046,15 @@ class TestBasicRouterOperations(BasicRouterOperationsFramework):
|
|||
namespaces.INTERNAL_DEV_PREFIX + '+',
|
||||
'value': self.conf.metadata_access_mark,
|
||||
'mask': lib_constants.ROUTER_MARK_MASK})])
|
||||
v4_filter_calls = ([mock.call.add_rule(
|
||||
'scope',
|
||||
'-m mark --mark %s/%s -j DROP' %
|
||||
(self.conf.metadata_access_mark,
|
||||
lib_constants.ROUTER_MARK_MASK))])
|
||||
mock_iptables_manager.ipv4['mangle'].assert_has_calls(v4_mangle_calls,
|
||||
any_order=True)
|
||||
mock_iptables_manager.ipv4['filter'].assert_has_calls(v4_filter_calls,
|
||||
any_order=True)
|
||||
|
||||
def test_initialize_metadata_iptables_rules(self):
|
||||
id = _uuid()
|
||||
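Review bot: The new `v4_filter_calls` assertion on L113-L125 pins only the IPv4 DROP rule; the matching `ipv6['filter'].add_rule('scope', ...)` added by the same change has no assertion in this hunk, so a regression in the IPv6 branch would go unnoticed unless it is checked by a test outside this view. Mirror it with a `v6_filter_calls` list built the same way and `mock_iptables_manager.ipv6['filter'].assert_has_calls(v6_filter_calls, any_order=True)` next to the existing IPv6 mangle assertions, if those exist. Note also that `assert_has_calls` with a single call and `any_order=True` only proves the rule was added at some point; it does not verify ordering relative to the address-scope rules in the same chain, which a functional test that sends a marked packet would. The enclosing test method starts above this hunk.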
|