Do not set net.ipv4.ip_forward sysctl

To prevent a security issue. More details in the reno. Change-Id: I8bb398e299aa68147004723a18d3a1ec459011e5 Closes-Bug: #1945453
2021-09-20 09:00:23 +00:00 · 2021-09-20 09:00:23 +00:00 · 1bfed045cf
commit 1bfed045cf
parent 56938253a7
2 changed files with 16 additions and 1 deletions
--- a/ansible/roles/neutron/tasks/config-host.yml
+++ b/ansible/roles/neutron/tasks/config-host.yml
@ -25,7 +25,6 @@
    sysctl_set: "{{ should_set }}"
    sysctl_file: "{{ kolla_sysctl_conf_path }}"
  with_items:
-    - { name: "net.ipv4.ip_forward", value: 1}
    - { name: "net.ipv4.conf.all.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
    - { name: "net.ipv4.conf.default.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
    - { name: "net.ipv4.neigh.default.gc_thresh1", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh1 }}"}
--- a/releasenotes/notes/bug-1945453-c410cc090cb85feb.yaml
+++ b/releasenotes/notes/bug-1945453-c410cc090cb85feb.yaml
@ -0,0 +1,16 @@
+---
+security:
+  - |
+    Fixes ``net.ipv4.ip_forward`` not to be enabled by Kolla Ansible
+    on the default network namespace.
+    It was enabled on hosts with Neutron L3 Agent (thus in most common
+    setups with OVS and/or Linux Bridge, but not OVN) and allowed,
+    unless users had extra iptables rules to avoid that, any traffic
+    to be accepted for forwarding (as long as it was routable and passed
+    other checks).
+    Users of existing setups are advised to re-evaluate whether they
+    need this sysctl enabled and disable if not necessary.
+    Kolla Ansible will simply no longer try to set this sysctl at all.
+    Neutron L3 Agent handles forwarding enablement per managed
+    namespace.
+    `LP#1945453 <https://launchpad.net/bugs/1945453>`__