opendev/system-config
Code Issues Proposed changes
system-config/playbooks/roles/iptables/templates/rules.v6.j2
Ian Wienand 11343cc75d dns_[a|aaaa] filter; use host for lookup 
After adding iptables configuration to allow bridge.o.o to send stats
to graphite.o.o in I299c0ab5dc3dea4841e560d8fb95b8f3e7df89f2, I
encountered the weird failure that ipv6 rules seemed to be applied on
graphite.o.o, but not the ipv4 ones.

Eventually I realised that the dns_a filter as written is using
socket.getaddrinfo() on bridge.o.o and querying for itself.  It thus
gets matches the loopback entry in /etc/hosts and passes along a rule
for 127.0.1.1 or similar.  The ipv6 hostname is not in /etc/hosts so
this works there.

What we really want the dns_<a|aaaa> filters to do is lookup the
address in DNS, rather than the local resolver.  Without wanting to
get involved in new libraries, etc. the simplest option seems to be to
use the well-known 'host' tool.  We can easily parse the output of
this to ensure we're getting the actual DNS addresses for hostnames.

An ipv6 match is added to the existing test.  This is effectively
tested by the existing usage of the iptables role which sets up rules
for cacti.o.o access.

Change-Id: Ia7988626e9b1fba998fee796d4016fc66332ec03
2018-09-13 22:50:40 +10:00

31 lines
1.1 KiB
Django/Jinja
Raw Blame History

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmpv6 -j ACCEPT
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Public TCP ports
{% for port in iptables_public_tcp_ports -%}
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Public UDP ports
{% for port in iptables_public_udp_ports -%}
-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Per-host rules
{% for rule in iptables_rules_v6 -%}
-A openstack-INPUT {{ rule }}
{% endfor -%}
{% for host in iptables_allowed_hosts -%}
{% for addr in host.hostname | dns_aaaa -%}
-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %}-m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
{% endfor -%}
{% endfor -%}
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
View Git Blame Copy Permalink