Allow to request metadata proxy only with redirection
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openstack-manuals | Won't Fix | Medium | Unassigned |
Bug Description
https:/
commit 1d776bc16c033f3
Author: Cedric Brandily <email address hidden>
Date: Mon Nov 10 14:46:51 2014 +0100
Allow to request metadata proxy only with redirection
The metadata service should be requested on 169.254.169.254:80, and router
namespace iptables rules redirect the request to the metadata-ns-proxy
on 127.0.0.
requested directly on $router-
To avoid such behavior, this change marks packets redirection in mangle
table (PREROUTING), redirects (PREROUTING) them in nat table, accepts
them in filter table (INPUT) using the mark. Packets sent to the
metadata proxy port without mark (so directly) are dropped. The
mark can be configured through the new option metadata_
Remark: redirected packets are not local packets (in general), so
setting metadata proxy server host to 127.0.0.1 will disallow direct
queries but also redirected queries.
DocImpact
Partial-Bug: #1187102
Change-Id: I6a9bb12c8bf68c
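The four-rule scheme the commit message describes (mark in mangle, redirect in nat, accept-by-mark then drop in filter), written out as an added example; this is not code from the Neutron change itself, and the proxy port, the mark value and the variable names are assumptions. By default it only prints the commands; set `IPTABLES=iptables` inside the router namespace to apply them.

```shell
#!/bin/sh
# Added example, not part of the original change. Assumed values below:
METADATA_IP=169.254.169.254              # address instances query for metadata
METADATA_PORT=${METADATA_PORT:-9697}     # assumed: local port of the metadata-ns-proxy
ACCESS_MARK=${ACCESS_MARK:-0x1}          # assumed: value of the new metadata_* mark option
IPTABLES=${IPTABLES:-echo iptables}      # dry run by default; IPTABLES=iptables applies

metadata_rules() {
    # 1. mangle/PREROUTING: mark packets that arrive addressed to the
    #    metadata address on port 80 (these are the legitimate requests).
    $IPTABLES -t mangle -A PREROUTING -d "$METADATA_IP/32" -p tcp --dport 80 \
        -j MARK --set-xmark "$ACCESS_MARK/0xffffffff"
    # 2. nat/PREROUTING: redirect the same packets to the local proxy port.
    #    REDIRECT happens after mangle, so the mark survives into INPUT.
    $IPTABLES -t nat -A PREROUTING -d "$METADATA_IP/32" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$METADATA_PORT"
    # 3. filter/INPUT: accept traffic on the proxy port only if it carries
    #    the mark, i.e. only if it went through the redirection above.
    $IPTABLES -t filter -A INPUT -p tcp -m tcp --dport "$METADATA_PORT" \
        -m mark --mark "$ACCESS_MARK/0xffffffff" -j ACCEPT
    # 4. filter/INPUT: anything else reaching the proxy port was sent to it
    #    directly (router IP, or 127.0.0.1 from inside the namespace) and is
    #    dropped. Order matters: this rule must come after the ACCEPT.
    $IPTABLES -t filter -A INPUT -p tcp -m tcp --dport "$METADATA_PORT" -j DROP
}

# Sanity check on the generated rule order: ACCEPT must precede DROP.
metadata_rules_ordered() {
    metadata_rules | awk '/-j ACCEPT/{a=NR} /-j DROP/{d=NR} END{exit !(a && d && a<d)}'
}

metadata_rules
```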
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → kilo
Changed in openstack-manuals:
milestone: kilo → liberty
Changed in openstack-manuals:
milestone: liberty → mitaka
Changed in openstack-manuals:
milestone: mitaka → newton
Changed in openstack-manuals:
milestone: newton → ocata
Changed in openstack-manuals:
status: Confirmed → Won't Fix