From 1bfed045cf13488d0e42b7bf1edcbcd119417fc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?=
Date: Mon, 20 Sep 2021 09:00:23 +0000
Subject: [PATCH] Do not set net.ipv4.ip_forward sysctl

To prevent a security issue. More details in the reno.
Change-Id: I8bb398e299aa68147004723a18d3a1ec459011e5
Closes-Bug: #1945453
---
 ansible/roles/neutron/tasks/config-host.yml | 1 -
 .../notes/bug-1945453-c410cc090cb85feb.yaml | 16 ++++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/bug-1945453-c410cc090cb85feb.yaml

diff --git a/ansible/roles/neutron/tasks/config-host.yml b/ansible/roles/neutron/tasks/config-host.yml
index 7f885d6810..79ed2a4483 100644
--- a/ansible/roles/neutron/tasks/config-host.yml
+++ b/ansible/roles/neutron/tasks/config-host.yml
@@ -25,7 +25,6 @@
 sysctl_set: "{{ should_set }}"
 sysctl_file: "{{ kolla_sysctl_conf_path }}"
 with_items:
- - { name: "net.ipv4.ip_forward", value: 1}
 - { name: "net.ipv4.conf.all.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
 - { name: "net.ipv4.conf.default.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
 - { name: "net.ipv4.neigh.default.gc_thresh1", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh1 }}"}
diff --git a/releasenotes/notes/bug-1945453-c410cc090cb85feb.yaml b/releasenotes/notes/bug-1945453-c410cc090cb85feb.yaml
new file mode 100644
index 0000000000..c239e1e6fe
--- /dev/null
+++ b/releasenotes/notes/bug-1945453-c410cc090cb85feb.yaml
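Review bot: Hosts deployed before this change keep `net.ipv4.ip_forward = 1` both persisted in `{{ kolla_sysctl_conf_path }}` and active in the running kernel, because dropping the `with_items` entry only stops managing the key and nothing in this hunk resets or removes it, so host-wide forwarding on those hosts also survives reboots. The release note delegates that to operators, which is a reasonable choice, but the intent should be recorded in the task itself so the item is not re-added later; a comment above `with_items:` such as `# net.ipv4.ip_forward is deliberately not managed here (LP#1945453): Neutron L3 Agent enables forwarding per namespace; a host-wide setting is left to the operator.` would do. If a deterministic cleanup is wanted instead, a separate sysctl task for that key with `state: absent` and the same `sysctl_file` could drop the persisted line, though the running value would presumably still need an explicit reset — worth confirming against the module's behaviour. The enclosing task (its name and the sysctl module invocation) starts above this hunk.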
@@ -0,0 +1,16 @@
+---
+security:
+ - |
+ Fixes ``net.ipv4.ip_forward`` not to be enabled by Kolla Ansible
+ on the default network namespace.
+ It was enabled on hosts with Neutron L3 Agent (thus in most common
+ setups with OVS and/or Linux Bridge, but not OVN) and allowed,
+ unless users had extra iptables rules to avoid that, any traffic
+ to be accepted for forwarding (as long as it was routable and passed
+ other checks).
+ Users of existing setups are advised to re-evaluate whether they
+ need this sysctl enabled and disable if not necessary.
+ Kolla Ansible will simply no longer try to set this sysctl at all.
+ Neutron L3 Agent handles forwarding enablement per managed
+ namespace.
+ `LP#1945453 `__