VCL-875: Management node loses SSH access if iptables multiport rule exists


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.4.2
    • Fix Version/s: 2.5
    • Component/s: vcld (backend)
    • Labels: None

    Description

      The 2.4.2 code handles the firewall a bit differently. It attempts to open up access to each of the management node's IP addresses on any port. Afterwards, it removes rules allowing port 22. The logic is that the management node can still connect via a rule allowing all ports, even if no specific port 22 rules exist.

      This normally works fine, but can cause the management node to get locked out.

      The old firewall code parses iptables -L output and assembles a hash containing all of the rule information. It checks for rules which contain dpt: to specify a destination port; if it doesn't find this, it assumes the rule applies to all ports. Rules which have a multiport specification are not parsed properly: the multiport is ignored and the code assumes the rule applies to all ports.

      When the code attempts to add the rules allowing traffic from the management node's addresses, it first checks the existing rules. If it finds one that matches (including any rule whose protocol/port matches and whose scope includes the address being added), no new rule is added. This causes the management node to get locked out.

      Assume the code attempts to open up the MN's a.b.c.d address to any port, and it finds an existing rule allowing traffic from any address with multiport dports 5555,6666. The code assumes the firewall is already open and doesn't add a new rule. The port 22 rules are then removed and the management node is locked out.
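      To make the parsing gap concrete, here is an added Python example (not vcld's own Perl code) that parses a constructed iptables -L INPUT -n listing two ways: once treating only dpt: as a port restriction, as the description says the old code does, and once also recognising multiport dports (and dpts: ranges). It then replays the 2.4.2 sequence, add an any-port rule for the management node unless an existing rule appears to cover it, then drop the port 22 rules, against the real rule set to show that the naive parse leaves the node locked out while the multiport-aware parse does not. The sample rules, the 10.0.0.5 management node address and all function names are constructed for this example.

```python
import re

# Constructed sample of `iptables -L INPUT -n` output; not taken from a real VCL node.
# Row 1 is the explicit SSH rule, row 2 the multiport rule from the bug report,
# row 3 a port range to show that the dpts: form is handled too.
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5555,6666
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:60000:61000
"""

# target, prot, opt, source, destination, then free-form match text
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")
ANY_ADDR = "0.0.0.0/0"


def parse_port_spec(spec):
    """'22' -> [(22, 22)]; '5555,6666' -> two single-port ranges; '60000:61000' -> one range."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rules(output, multiport_aware):
    """Return a list of rule dicts; ports=None means 'no destination port restriction'."""
    rules = []
    for line in output.splitlines():
        if line.startswith("Chain") or line.startswith("target"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, proto, source, dest, extra = m.groups()
        ports = None
        dpt = re.search(r"\bdpts?:(\S+)", extra)            # dpt:22 or dpts:lo:hi
        mp = re.search(r"\bmultiport dports (\S+)", extra)  # multiport dports a,b,c
        if dpt:
            ports = parse_port_spec(dpt.group(1))
        elif mp and multiport_aware:
            ports = parse_port_spec(mp.group(1))
        # With multiport_aware=False the multiport rule falls through with ports=None,
        # i.e. it is mistaken for an all-ports rule: the bug the report describes.
        rules.append({"target": target, "proto": proto, "source": source,
                      "dest": dest, "ports": ports})
    return rules


def already_allowed(rules, source, proto, port):
    """Does some ACCEPT rule cover traffic from `source` to `proto`/`port`?
    port=None asks about *every* port, so only an unrestricted rule satisfies it."""
    for r in rules:
        if r["target"] != "ACCEPT":
            continue
        if r["source"] not in (ANY_ADDR, source):   # simplified source match
            continue
        if r["proto"] not in ("all", proto):
            continue
        if r["ports"] is None:
            return True
        if port is not None and any(lo <= port <= hi for lo, hi in r["ports"]):
            return True
    return False


def mn_keeps_ssh(output, mn_address, multiport_aware):
    """Replay the 2.4.2 sequence and report whether the MN can still reach port 22.

    `believed` is the firewall as the parser sees it; `actual` is what the kernel
    enforces (always parsed correctly), so a wrong belief changes the decision but
    not the real rules."""
    believed = parse_rules(output, multiport_aware)
    actual = parse_rules(output, multiport_aware=True)
    # Step 1: open every port for the MN address unless a rule already seems to.
    if not already_allowed(believed, mn_address, "tcp", None):
        actual.insert(0, {"target": "ACCEPT", "proto": "tcp", "source": mn_address,
                          "dest": ANY_ADDR, "ports": None})
    # Step 2: drop the explicit port 22 rules.
    actual = [r for r in actual if r["ports"] != [(22, 22)]]
    # Step 3: would a new SSH connection from the MN now be accepted?
    return already_allowed(actual, mn_address, "tcp", 22)


if __name__ == "__main__":
    for aware in (False, True):
        ok = mn_keeps_ssh(SAMPLE_OUTPUT, "10.0.0.5", aware)
        print(f"multiport_aware={aware}: MN keeps SSH = {ok}")
```

      The split between `believed` and `actual` is the point: the parser's mistaken "all ports" reading only affects the decision not to add a rule, while the port 22 removal acts on the real rule set, which is why the lockout is silent until the next SSH attempt.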

      People

        Assignee: arkurth Andrew Kurth
        Reporter: arkurth Andrew Kurth