openstack/puppet-tripleo
Code Issues Proposed changes
fec12dfb66
puppet-tripleo/manifests/firewall/rule.pp
Emilien Macchi 70c9dca453 [CVE-2016-9599] Enforce Firewall TCP / UDP rules management 
This closes CVE-2016-9599.

1) Sanitize dynamic HAproxy endpoints firewall rules

Build the hash of firewall rules only when a port is specified. The
HAproxy endpoints are using TCP protocol, which means we have to specify
a port to the IPtables rules.
Some services don't have public network exposure (e.g. Glance Registry),
which means they don't need haproxy_ssl rule.
The code prepare the hash depending on the service_port and
public_ssl_port parameters and create the actual firewall rules only if
one of those or both parameters are specified.
It will prevent new services without public exposure to open all traffic
because no port is specified.

2) Secure Firewall rules creations

The code won't allow to create TCP / UDP IPtables rules in INPUT
or OUTPUT chains without port or sport or dport, because doing it would
allow an IPtables rule opening all traffic for TCP or UDP.
If we try to do that, Puppet catalog will fail with an error explaining
why.
Example of use-cases:
- creating VRRP rules wouldn't require port parameters.
- creating TCP or UDP rules would require port parameters.

3) Allow to open all traffic for TCO / UDP (when desired)

Some use-cases require to open all traffic for all ports on TCP / UDP.
It will be possible if the user gives port = 'all' when creating the
firewall rule.

Backward compatibility:
- if our users created custom TCP / UDP firewall rules without port
  parameters, it won't work anymore, for security purpose.
- if you users want to open TCP / UDP for all ports, they need to pass
  port = 'all' and the rule will be created, though a warning will be
  displayed because this is insecure.
- if our users created custom VRRP rules without port parameters, it
  will still work correctly and rules will be created.
- TCP / UDP rules in FORWARD chain without port are still accepted.

Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
Closes-Bug: #1651831
2016-12-22 12:33:21 -05:00

123 lines
3.3 KiB
Puppet
Raw Blame History

#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Define: tripleo::firewall::rule
#
# Define used to manage IPtables rules.
#
# === Parameters:
#
# [*port*]
# (optional) The port associated to the rule.
# Defaults to undef
#
# [*dport*]
# (optional) The destination port associated to the rule.
# Defaults to undef
#
# [*sport*]
# (optional) The source port associated to the rule.
# Defaults to undef
#
# [*proto*]
# (optional) The protocol associated to the rule.
# Defaults to 'tcp'
#
# [*action*]
# (optional) The action policy associated to the rule.
# Defaults to 'accept'
#
# [*state*]
# (optional) Array of states associated to the rule..
# Defaults to ['NEW']
#
# [*source*]
# (optional) The source IP address associated to the rule.
# Defaults to '0.0.0.0/0'
#
# [*iniface*]
# (optional) The network interface associated to the rule.
# Defaults to undef
#
# [*chain*]
# (optional) The chain associated to the rule.
# Defaults to 'INPUT'
#
# [*destination*]
# (optional) The destination cidr associated to the rule.
# Defaults to undef
#
# [*extras*]
# (optional) Hash of any puppetlabs-firewall supported parameters.
# Defaults to {}
#
define tripleo::firewall::rule (
$port = undef,
$dport = undef,
$sport = undef,
$proto = 'tcp',
$action = 'accept',
$state = ['NEW'],
$source = '0.0.0.0/0',
$iniface = undef,
$chain = 'INPUT',
$destination = undef,
$extras = {},
) {
if $port == 'all' {
warning("All ${proto} traffic will be open on this host.")
# undef so the IPtables rule won't have any port specified.
$port_real = undef
} else {
$port_real = $port
}
$basic = {
'port' => $port_real,
'dport' => $dport,
'sport' => $sport,
'proto' => $proto,
'action' => $action,
'source' => $source,
'iniface' => $iniface,
'chain' => $chain,
'destination' => $destination,
}
if $proto != 'gre' {
$state_rule = {
'state' => $state
}
} else {
$state_rule = {}
}
$rule = merge($basic, $state_rule, $extras)
validate_hash($rule)
# This conditional will ensure that TCP and UDP firewall rules have
# a port specified in the configuration when using INPUT or OUTPUT chains.
# If not, the Puppet catalog will fail.
# If we don't do this sanity check, a user could create some TCP/UDP
# rules without port, and the result would be an iptables rule that allow any
# traffic on the host.
if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD')) {
fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
}
create_resources('firewall', { "${title}" => $rule })
}
View Git Blame Copy Permalink