Posted to dev@vcl.apache.org by "Andy Kurth (JIRA)" <ji...@apache.org> on 2015/07/07 20:50:04 UTC

[jira] [Resolved] (VCL-875) Management node loses SSH access if iptables multiport rule exists

     [ https://issues.apache.org/jira/browse/VCL-875?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy Kurth resolved VCL-875.
----------------------------
    Resolution: Fixed
      Assignee: Andy Kurth

> Management node loses SSH access if iptables multiport rule exists
> ------------------------------------------------------------------
>
>                 Key: VCL-875
>                 URL: https://issues.apache.org/jira/browse/VCL-875
>             Project: VCL
>          Issue Type: Bug
>          Components: vcld (backend)
>    Affects Versions: 2.4.2
>            Reporter: Andy Kurth
>            Assignee: Andy Kurth
>             Fix For: 2.4.3
>
>
> The 2.4.2 code handles the firewall a bit differently.  It attempts to open up access to each of the management node's IP addresses on any port.  Afterwards, it removes rules allowing port 22.  The logic is that the management node can still connect via a rule allowing all ports, even if no specific port 22 rules exist.
> This normally works fine, but can cause the management node to get locked out.
> The old firewall code parses _iptables -L_ output and assembles a hash containing all of the rule information.  It is checking for rules which contain _dpt:_ to specify a destination port.  If it doesn't find this, it assumes the rule applies to all ports.  Rules which have a _multiport_ specification are not parsed properly.  The _multiport_ is ignored and the code assumes the rule applies to all ports.
> When the code attempts to add the rules to allow traffic from the management node's addresses, it checks existing rules.  If it finds one that matches, including any rule which matches the protocol/port that includes the scope argument, a new rule isn't added.  This causes the management node to get locked out.
> Assume the code attempts to open up the MN's a.b.c.d address to any port, and it finds an existing rule allowing traffic from any address which has _multiport dports 5555,6666_.  The code assumes the firewall is already open and doesn't add a new rule.  The port 22 rules are then removed and the management node is locked out. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
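Added illustration of the parsing problem the issue describes; this is not vcld's own Perl code. It parses constructed `iptables -L -n` output and shows how ignoring the multiport match (handle_multiport=False) makes the "is access already open?" check pass for a rule that only covers ports 5555 and 6666, so the management node's any-port rule is never added; the chain output and the 192.0.2.10 address are constructed values.

```python
import re

# Constructed `iptables -L -n` output standing in for a management node's INPUT chain.
SAMPLE_IPTABLES_L = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5555,6666
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""

RULE_RE = re.compile(r'^(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$')

def _port_set(lo, hi):
    return set(range(int(lo), int(hi if hi else lo) + 1))

def parse_rules(output, handle_multiport=True):
    """Return one dict per rule; 'ports' is None when the rule applies to every port.
    handle_multiport=False ignores the multiport match, reproducing the VCL-875 misparse."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m or line.startswith('Chain') or m.group('target') == 'target':
            continue
        extra, ports = m.group('extra'), None
        dpt = re.search(r'\bdpts?:(\d+)(?::(\d+))?', extra)   # single port or lo:hi range
        mp = re.search(r'\bmultiport dports (\S+)', extra)   # comma list, items may be lo:hi
        if dpt:
            ports = _port_set(dpt.group(1), dpt.group(2))
        elif mp and handle_multiport:
            ports = set()
            for item in mp.group(1).split(','):
                lo, _, hi = item.partition(':')
                ports |= _port_set(lo, hi)
        rules.append({'target': m.group('target'), 'prot': m.group('prot'),
                      'src': m.group('src'), 'ports': ports})
    return rules

def rule_covers(rule, src, prot, port):
    """True if rule already allows traffic from src for prot/port (port None = every port)."""
    if rule['target'] != 'ACCEPT' or rule['src'] not in ('0.0.0.0/0', src):
        return False
    if rule['prot'] not in ('all', prot):
        return False
    if rule['ports'] is None:
        return True
    return port is not None and port in rule['ports']

def already_open(output, src, prot, port=None, handle_multiport=True):
    """The check that decides whether a new ACCEPT rule for the management node is skipped."""
    return any(rule_covers(r, src, prot, port) for r in parse_rules(output, handle_multiport))
```

With handle_multiport=False the any-port request for 192.0.2.10 is reported as already open, which is the state in which removing the port 22 rules locks the node out; with the fix it is reported as not open and the rule would be added.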