Switch IPv4 rejects from host-prohibit to admin

When generically rejecting connections, we'd prefer to signal to
users clearly that it's the firewall rejecting them. For IPv4 we
previously emitted generic ICMP "no route to host" responses, but
this tends to make it look incorrectly like a routing failure.
Switch to flagging our error responses as "administratively
prohibited" which is more accurate and less confusing. We're also
already using icmp6-adm-prohibited for the v6 rules, so this makes
our v4 ruleset more consistent.

Note that the iptables-extensions(8) manpage indicates "Using
icmp-admin-prohibited with kernels that do not support it will
result in a plain DROP instead of REJECT" but all our kernels should
have support for it these days so this isn't a concern.

Change-Id: Id423f3ec03d0c3c4e40ddef34c38f97167b173f6
Jeremy Stanley 2021-09-20 13:10:25 +00:00
parent f1bcb6a586
commit 7308220484
2 changed files with 2 additions and 2 deletions


@ -34,5 +34,5 @@
{% endif -%} {% endif -%}
{% endfor -%} {% endfor -%}
{% endfor -%} {% endfor -%}
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited -A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT COMMIT
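Review bot: the final REJECT rule of the openstack-INPUT chain now relies on `--reject-with icmp-admin-prohibited`, and the commit message itself quotes the iptables-extensions(8) caveat that kernels without support silently fall back to a plain DROP; consider adding a template comment directly above the rule recording that caveat and the expected behaviour, since a silent DROP would reproduce exactly the "looks like a network failure" symptom this change is meant to remove and nothing in the rendered ruleset would reveal it.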


@ -100,7 +100,7 @@ def verify_iptables(host):
'-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT', '-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
'-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT', '-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
'-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT', '-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
'-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited' '-A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited'
] ]
for rule in needed_rules: for rule in needed_rules:
assert rule in rules assert rule in rules
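Review bot: the updated `needed_rules` entry in verify_iptables only asserts that the string `-A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited` appears in the listed rules, which confirms the rule loaded but not that the kernel actually emits an administratively-prohibited ICMP reply rather than the plain DROP the commit message warns about; if a behavioural check is feasible in this test environment, a probe to a closed port from another test host asserting that an ICMP type 3 code 13 reply (or at least a prompt rejection rather than a timeout) is observed would cover the case the string match cannot.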