Puppet IPtables rules management allows the creation of TCP/UDP rules with an empty port value. Some API services in Director are not exposed to public networks, which means $public_ssl_port is empty for some services (for example, Glance, which is deployed by default on both the undercloud and the overcloud). If SSL is enabled, several IPtables rules are created without a port specified, which accepts all TCP traffic instead of only the service's port.

Example of rule: -A INPUT -p tcp -m comment --comment "100 glance_registry_haproxy_ssl" -m state --state NEW -j ACCEPT
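The defect is easy to audit for on a deployed node: any tcp/udp ACCEPT rule in the INPUT chain that carries no --dport/--dports match is effectively "allow all" for that protocol. The script below is an added example, not part of the advisory or of puppet-tripleo; it parses iptables-save output and flags such rules. The sample rule set is constructed for the example (only the glance_registry rule is the one quoted above; the remaining lines, including the port number 13292, are made up for contrast).

```python
import shlex
import sys

# Constructed sample in iptables-save format. The glance_registry line is the
# rule quoted in the advisory; every other line is invented for contrast.
SAMPLE_RULES = """\
-A INPUT -p tcp -m comment --comment "100 glance_registry_haproxy_ssl" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 13292 -m comment --comment "100 glance_api_haproxy_ssl" -m state --state NEW -j ACCEPT
-A INPUT -p udp -m comment --comment "110 example_udp" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "003 ssh" -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m comment --comment "001 icmp" -j ACCEPT
-A INPUT -p tcp -m comment --comment "998 log all" -j LOG
"""

# Match options that restrict a tcp/udp rule to specific ports.
PORT_OPTS = {"--dport", "--dports", "--sport", "--sports"}


def parse_rule(line):
    """Tokenize one iptables-save '-A' line into the fields the audit needs.

    shlex.split keeps the quoted --comment value as a single token.
    """
    toks = shlex.split(line)
    rule = {"proto": None, "target": None, "has_port": False,
            "comment": None, "raw": line}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-p" and i + 1 < len(toks):
            rule["proto"] = toks[i + 1].lower()
            i += 2
        elif t == "-j" and i + 1 < len(toks):
            rule["target"] = toks[i + 1]
            i += 2
        elif t in PORT_OPTS:
            rule["has_port"] = True
            i += 2
        elif t == "--comment" and i + 1 < len(toks):
            rule["comment"] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule


def find_portless_accepts(rules_text):
    """Return the comment (or raw line) of every tcp/udp ACCEPT rule without a port match.

    Rules for other protocols (icmp) and non-ACCEPT targets (LOG, DROP) are
    ignored: the advisory's problem is only an unrestricted ACCEPT.
    """
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("-A"):
            continue
        r = parse_rule(line)
        if (r["proto"] in ("tcp", "udp") and r["target"] == "ACCEPT"
                and not r["has_port"]):
            findings.append(r["comment"] or r["raw"])
    return findings


if __name__ == "__main__":
    # Audit real rules with:  iptables-save | python3 audit_portless.py
    # With no stdin data, fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    for hit in find_portless_accepts(text):
        print("port-less ACCEPT rule:", hit)
```

On the sample input the script reports "100 glance_registry_haproxy_ssl" and "110 example_udp"; the glance_api and ssh rules pass because they carry --dports. The same pattern fits a Puppet-side guard: a firewall rule whose destination port is derived from a variable such as $public_ssl_port should only be declared when that variable is non-empty.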
Created puppet-tripleo tracking bugs for this issue: Affects: openstack-rdo [bug 1409689]
Acknowledgments: Name: Ben Nemec (Red Hat)
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2017:0025 https://rhn.redhat.com/errata/RHSA-2017-0025.html