summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEmilien Macchi <emilien@redhat.com>2016-12-21 15:10:52 -0500
committerEmilien Macchi <emilien@redhat.com>2016-12-22 12:33:21 -0500
commit70c9dca45335150daae65d0bbf44908711b0f1d2 (patch)
tree641692833aa4f3fb6c7ea963f697d7e91133809b
parent1adc49a38985a884ca66643bc528e1c3298a75e1 (diff)
[CVE-2016-9599] Enforce Firewall TCP / UDP rules management
This closes CVE-2016-9599. 1) Sanitize dynamic HAproxy endpoints firewall rules Build the hash of firewall rules only when a port is specified. The HAproxy endpoints are using TCP protocol, which means we have to specify a port to the IPtables rules. Some services don't have public network exposure (e.g. Glance Registry), which means they don't need haproxy_ssl rule. The code prepare the hash depending on the service_port and public_ssl_port parameters and create the actual firewall rules only if one of those or both parameters are specified. It will prevent new services without public exposure to open all traffic because no port is specified. 2) Secure Firewall rules creations The code won't allow to create TCP / UDP IPtables rules in INPUT or OUTPUT chains without port or sport or dport, because doing it would allow an IPtables rule opening all traffic for TCP or UDP. If we try to do that, Puppet catalog will fail with an error explaining why. Example of use-cases: - creating VRRP rules wouldn't require port parameters. - creating TCP or UDP rules would require port parameters. 3) Allow to open all traffic for TCO / UDP (when desired) Some use-cases require to open all traffic for all ports on TCP / UDP. It will be possible if the user gives port = 'all' when creating the firewall rule. Backward compatibility: - if our users created custom TCP / UDP firewall rules without port parameters, it won't work anymore, for security purpose. - if you users want to open TCP / UDP for all ports, they need to pass port = 'all' and the rule will be created, though a warning will be displayed because this is insecure. - if our users created custom VRRP rules without port parameters, it will still work correctly and rules will be created. - TCP / UDP rules in FORWARD chain without port are still accepted. Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59 Closes-Bug: #1651831
-rw-r--r--manifests/firewall/rule.pp19
-rw-r--r--manifests/haproxy/endpoint.pp29
-rw-r--r--spec/classes/tripleo_firewall_spec.rb17
3 files changed, 54 insertions, 11 deletions
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index 6801dc4..816e6fe 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -77,8 +77,16 @@ define tripleo::firewall::rule (
$extras = {},
) {
+ if $port == 'all' {
+ warning("All ${proto} traffic will be open on this host.")
+ # undef so the IPtables rule won't have any port specified.
+ $port_real = undef
+ } else {
+ $port_real = $port
+ }
+
$basic = {
- 'port' => $port,
+ 'port' => $port_real,
'dport' => $dport,
'sport' => $sport,
'proto' => $proto,
@@ -100,6 +108,15 @@ define tripleo::firewall::rule (
$rule = merge($basic, $state_rule, $extras)
validate_hash($rule)
+ # This conditional will ensure that TCP and UDP firewall rules have
+ # a port specified in the configuration when using INPUT or OUTPUT chains.
+ # If not, the Puppet catalog will fail.
+ # If we don't do this sanity check, a user could create some TCP/UDP
+ # rules without port, and the result would be an iptables rule that allow any
+ # traffic on the host.
+ if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD')) {
+ fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
+ }
create_resources('firewall', { "${title}" => $rule })
}
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 4311049..0bba245 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -149,14 +149,27 @@ define tripleo::haproxy::endpoint (
}
if hiera('manage_firewall', true) {
include ::tripleo::firewall
- $firewall_rules = {
- "100 ${name}_haproxy" => {
- 'dport' => $service_port,
- },
- "100 ${name}_haproxy_ssl" => {
- 'dport' => $public_ssl_port,
- },
+ # This block will construct firewall rules only when we specify
+ # a port for the regular service and also the ssl port for the service.
+ # It makes sure we're not trying to create TCP iptables rules where no port
+ # is specified.
+ if $service_port {
+ $haproxy_firewall_rules = {
+ "100 ${name}_haproxy" => {
+ 'dport' => $service_port,
+ },
+ }
+ }
+ if $public_ssl_port {
+ $haproxy_ssl_firewall_rules = {
+ "100 ${name}_haproxy_ssl" => {
+ 'dport' => $public_ssl_port,
+ },
+ }
+ }
+ $firewall_rules = merge($haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
+ if $service_port or $public_ssl_port {
+ create_resources('tripleo::firewall::rule', $firewall_rules)
}
- create_resources('tripleo::firewall::rule', $firewall_rules)
}
}
diff --git a/spec/classes/tripleo_firewall_spec.rb b/spec/classes/tripleo_firewall_spec.rb
index 3116a51..3a1a0a0 100644
--- a/spec/classes/tripleo_firewall_spec.rb
+++ b/spec/classes/tripleo_firewall_spec.rb
@@ -74,7 +74,7 @@ describe 'tripleo::firewall' do
:firewall_rules => {
'300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'},
'301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
- '302 fwd custom cidr 1' => {'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'},
+ '302 fwd custom cidr 1' => {'port' => 'all', 'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'},
'303 add custom application 3' => {'dport' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
'304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'},
'305 add gre rule' => {'proto' => 'gre'}
@@ -96,7 +96,8 @@ describe 'tripleo::firewall' do
)
is_expected.to contain_firewall('302 fwd custom cidr 1').with(
:chain => 'FORWARD',
- :destination => '192.0.2.0/24',
+ :proto => 'tcp',
+ :destination => '192.0.2.0/24',
)
is_expected.to contain_firewall('303 add custom application 3').with(
:dport => '8081',
@@ -114,6 +115,18 @@ describe 'tripleo::firewall' do
end
end
+ context 'with TCP rule without port or dport or sport specified' do
+ before :each do
+ params.merge!(
+ :manage_firewall => true,
+ :firewall_rules => {
+ '500 wrong tcp rule' => {'proto' => 'tcp', 'action' => 'accept'},
+ }
+ )
+ end
+ it_raises 'a Puppet::Error', /500 wrong tcp rule firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport./
+ end
+
end
on_supported_os.each do |os, facts|