From 7308220484db88f95fed99edff47650ed1565326 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Mon, 20 Sep 2021 13:10:25 +0000
Subject: [PATCH] Switch IPv4 rejects from host-prohibit to admin

When generically rejecting connections, we'd prefer to signal to users clearly that it's the firewall rejecting them. For IPv4 we previously emitted generic ICMP "no route to host" responses, but this tends to make it look incorrectly like a routing failure. Switch to flagging our error responses as "administratively prohibited" which is more accurate and less confusing. We're also already using icmp6-adm-prohibited for the v6 rules, so this makes our v4 ruleset more consistent.

Note that the iptables-extensions(8) manpage indicates "Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT" but all our kernels should have support for it these days so this isn't a concern.

Change-Id: Id423f3ec03d0c3c4e40ddef34c38f97167b173f6
---
 playbooks/roles/iptables/templates/rules.v4.j2 | 2 +-
 testinfra/util.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/playbooks/roles/iptables/templates/rules.v4.j2 b/playbooks/roles/iptables/templates/rules.v4.j2
index 0b3c3f268c..9fd3e78d18 100644
--- a/playbooks/roles/iptables/templates/rules.v4.j2
+++ b/playbooks/roles/iptables/templates/rules.v4.j2
@@ -34,5 +34,5 @@
 {% endif -%}
 {% endfor -%}
 {% endfor -%}
--A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
+-A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited
 COMMIT
diff --git a/testinfra/util.py b/testinfra/util.py
index d494d86c4e..127e581dcc 100644
--- a/testinfra/util.py
+++ b/testinfra/util.py
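Review bot: The new REJECT line carries no comment recording why icmp-admin-prohibited was chosen over icmp-host-prohibited, so a later editor looking at the v4 template alone may revert to the more familiar host-prohibited value; a Jinja comment directly above the rule would anchor the decision, e.g. `{# Signal an explicit firewall rejection, matching icmp6-adm-prohibited in the v6 rules; kernels without support for this type silently DROP instead of REJECT #}`. Keeping the kernel caveat from the commit message next to the rule it affects is also where someone debugging an unexpected silent drop will look first. The openstack-INPUT chain and the loops that precede this line begin outside the hunk.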
@@ -100,7 +100,7 @@ def verify_iptables(host):
 '-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
 '-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
 '-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
- '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
+ '-A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited'
 ]
 for rule in needed_rules:
 assert rule in rules
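Review bot: The membership check `assert rule in rules` at the end of the hunk does not verify that the updated REJECT rule is evaluated last in openstack-INPUT, so a ruleset where the catch-all REJECT lands ahead of the ACCEPT entries would still pass this test. Since the rule only does its job when it falls through after the allows, the test should also pin its position; assuming `rules` is the list of iptables-save lines, something like `chain = [r for r in rules if r.startswith('-A openstack-INPUT')]` followed by `assert chain[-1] == needed_rules[-1]` would catch a misordering. Whether `rules` is a list or a single string is not visible in the hunk, and verify_iptables begins outside it, so confirm the shape before adding the check.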