Set a proper ordering when calling iptables
Currently we append to the INPUT/OUTPUT tables in order to
simulate network problems. This is problematic because existing
iptables rules are not taken into account.
So today what happens is the following:
1) Fresh system could have rules like:
Chain INPUT (policy ACCEPT 569 packets, 22986 bytes)
pkts bytes target prot opt in out source destination
560K 129M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* 000 accept related established rules ipv4 */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 001 accept all icmp ipv4 */
8673 520K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW /* 002 accept all to lo interface ipv4 */
4 240 ACCEPT tcp -- * * 192.168.24.0/24 0.0.0.0/0 multiport dports 22 state NEW /* 003 accept ssh from ctlplane subnet 192.168.24.0/24 ipv4 */
1234 74040 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8776 state NEW /* 100 cinder_haproxy ipv4 */
...
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8778,13778 state NEW /* 138 placement ipv4 */
56 17982 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 20/min burst 15 /* 998 log all ipv4 */ LOG flags 0 level 4
56 17982 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 999 drop all ipv4 */
2) The current code will append the blocking rules, which will go after
the already existing DROP, making them useless:
...
56 17982 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 20/min burst 15 /* 998 log all ipv4 */ LOG flags 0 level 4
56 17982 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 999 drop all ipv4 */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 00 REJECT all -- !lo * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Let's make sure we insert them at the top of the chain so that we do not
need to worry about the ordering at all.
Change-Id: Ib86d1b0e26d146e145ed235d10c360f346e75dfa
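The shadowing described in the commit message, as an added illustration that is not part of this change: a small Python check over a constructed `iptables -S INPUT` listing modelled on the rules quoted above, reporting rules that can never match because an earlier terminal rule already covers everything they would.

```python
import shlex

# Constructed `iptables -S INPUT` listing modelled on the ruleset quoted in
# the commit message: an accept list ending in LOG + DROP of state NEW,
# followed by the three rules the old code appended with `-A`.
EXISTING_RULES = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -i lo -m state --state NEW -j ACCEPT",
    "-A INPUT -p tcp -m multiport --dports 8778,13778 -m state --state NEW -j ACCEPT",
    "-A INPUT -m state --state NEW -m limit --limit 20/min --limit-burst 15 -j LOG",
    "-A INPUT -m state --state NEW -j DROP",
]
DISRUPTION_RULES = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
    "-A INPUT ! -i lo -j REJECT --reject-with icmp-host-prohibited",
]
TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end chain traversal


def parse(rule):
    """Split one `-S` rule into (match tokens, target). Each option with its
    arguments is one token, e.g. '--state NEW' or '! -i lo'."""
    words = shlex.split(rule)
    j = words.index("-j")
    target, body = words[j + 1], words[2:j]        # skip '-A <chain>'
    tokens, cur = [], []
    for w in body:
        if w == "!" or (w.startswith("-") and cur != ["!"]):
            if cur:
                tokens.append(" ".join(cur))
            cur = [w]
        else:
            cur.append(w)
    if cur:
        tokens.append(" ".join(cur))
    return frozenset(tokens), target


def shadowed(chain):
    """Return (shadowed, shadowing) index pairs. Conservative: an earlier
    terminal rule k shadows rule i when k's match tokens are a subset of i's;
    negations and address ranges are not reasoned about."""
    parsed = [parse(r) for r in chain]
    found = []
    for i, (toks, _) in enumerate(parsed):
        for k in range(i):
            ktoks, ktarget = parsed[k]
            if ktarget in TERMINAL and ktoks <= toks:
                found.append((i, k))
                break
    return found
```

With the rules appended, the ssh ACCEPT (index 6) is reported as shadowed by the existing DROP (index 4) and the duplicate RELATED,ESTABLISHED rule (index 5) by rule 0; with the same rules inserted at the top, none of the disruption rules is shadowed.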
committed by Pini Komarov
parent 807a3f14ab
commit 602f1dacdf
@@ -28,12 +28,12 @@ soft_reset_method = 'sudo reboot'
network_disruption = """
sudo iptables-save -f /root/working.iptables.rules &&
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &&
sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j \
sudo iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT &&
sudo iptables -I INPUT 2 -p tcp -m state --state NEW -m tcp --dport 22 -j \
ACCEPT &&
sudo iptables -A INPUT ! -i lo -j REJECT --reject-with icmp-host-prohibited &&
sudo iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT &&
sudo iptables -A OUTPUT ! -o lo -j REJECT --reject-with icmp-host-prohibited
sudo iptables -I INPUT 3 ! -i lo -j REJECT --reject-with icmp-host-prohibited\
&& sudo iptables -I OUTPUT 1 -p tcp --sport 22 -j ACCEPT &&
sudo iptables -I OUTPUT 2 ! -o lo -j REJECT --reject-with icmp-host-prohibited
"""
undisrupt_network = """
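Review bot: the new `-I INPUT 3 ... --reject-with icmp-host-prohibited\` line has no space before the backslash and moves `&&` to the start of the following line, unlike every other line in this block, which ends with `&&`; since this is a triple-quoted (non-raw) Python string, the backslash-newline pair is dropped and the shell receives `icmp-host-prohibited&& sudo iptables -I OUTPUT 1 ...`, which tokenizes correctly today but is fragile. Suggest ending the line with `... --reject-with icmp-host-prohibited &&` and starting the next with `sudo iptables -I OUTPUT 1 ...`, matching the `-j \` / `ACCEPT &&` split used two lines above. Also worth a sentence in the commit message: inserting at positions 1-3 places the REJECT ahead of the host's existing `998 log all` rule, so connections refused during the disruption will not show up in that log.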