Bug 230433 - /etc/xen/scripts/vif-bridge shouldn't call handle_iptable
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: xen
Version: 7
Hardware: x86_64 Linux
Priority: medium
Severity: high
Assigned To: Xen Maintainance List
QA Contact: Martin Jenner
URL: http://bugzilla.xensource.com/bugzill...
Reported: 2007-02-28 15:36 EST by Jarkko
Modified: 2008-03-03 02:38 EST (History)
Fixed In Version: 3.1.2-2.fc7
Doc Type: Bug Fix
Last Closed: 2008-03-03 02:38:45 EST
Description Jarkko 2007-02-28 15:36:55 EST
Description of problem:

/etc/xen/scripts/vif-bridge should *not* call "handle_iptable" (from
/etc/xen/scripts/vif-common.sh), which sets iptables forwarding rules, because a
bridge is not a router. No iptables rules are needed for bridging.

This opens an unnecessary _security hole_ to the firewall.

The handle_iptable call should be removed from /etc/xen/scripts/vif-bridge.


Version-Release number of selected component (if applicable): xen-3.0.4-6.fc7


Additional information:

I set severity to high because this *is* a real security issue.

I'm not sure who is the author of "/etc/xen/scripts/vif-bridge" (upstream or
Fedora). If this comes from upstream, please let them know so that we get this
fixed.
Comment 1 Daniel Berrange 2007-03-01 12:28:38 EST
The vif-bridge script comes from upstream xen-devel.

In the context of Fedora there are 3 possibilities:

 a) no firewall rules: the extra rules don't allow any traffic which wasn't
already allowed
 b) standard Fedora firewall rules: there is a catch-all 'REJECT' rule in the
RH-Firewall-1-INPUT, which gets processed before the rules added by vif-bridge,
so there's no issue there.
 c) custom user added firewall rules: if relying on chain policy to DROP/REJECT
any non-matching packets then the vif-network rules will open up an undesirable
channel. If there is an explicit DROP/REJECT rule, then this should prevent the
vif-network rules matching.

So there is a flaw because of the vif-bridge script, but it only hits if the
user has custom firewall rules. Will figure out a patch for the next update of
Xen RPMs.
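To make the rule-ordering point in Comment 1 concrete, here is an added toy model of iptables first-match chain evaluation (constructed for this page; not Xen, Fedora or vif-common.sh code). The shape of the rule handle_iptable appends (an ACCEPT on physdev-in for the new vif) and the case names are assumptions; only FORWARD and RH-Firewall-1-INPUT come from the thread.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    target: str                          # ACCEPT/DROP/REJECT or a user chain to jump to
    physdev_in: Optional[str] = None     # models "-m physdev --physdev-in <vif>"
    match_all: bool = False              # a rule with no match criteria (catch-all)

@dataclass
class Chain:
    policy: str                          # consulted only when no rule matched
    rules: list = field(default_factory=list)

def evaluate(chains, name, pkt):
    """First matching rule wins. A jump to a user chain that falls through
    returns here; the built-in chain's policy decides only at the very end."""
    for rule in chains[name].rules:
        if rule.match_all or rule.physdev_in == pkt["physdev_in"]:
            if rule.target in ("ACCEPT", "DROP", "REJECT"):
                return rule.target
            verdict = evaluate(chains, rule.target, pkt)
            if verdict != "RETURN":
                return verdict
    return chains[name].policy

def vif_bridge_rules(vif):
    # Assumed shape of what handle_iptable appends (iptables -A FORWARD ...)
    # for a new vif: accept traffic forwarded in from that vif.
    return [Rule("ACCEPT", physdev_in=vif)]

def verdict_for_case(case, vif="vif1.0"):
    """Verdict for a packet arriving from `vif`, before and after vif-bridge
    appends its rules, for each of the Fedora cases in Comment 1."""
    pkt = {"physdev_in": vif}
    chains = {}
    if case == "no_firewall":                # (a) empty FORWARD, policy ACCEPT
        fwd = Chain("ACCEPT")
    elif case == "fedora_default":           # (b) jump to RH-Firewall-1-INPUT, which ends in REJECT
        chains["RH-Firewall-1-INPUT"] = Chain("RETURN", [Rule("REJECT", match_all=True)])
        fwd = Chain("ACCEPT", [Rule("RH-Firewall-1-INPUT", match_all=True)])
    elif case == "custom_policy_only":       # (c) relies on the chain policy alone to DROP
        fwd = Chain("DROP")
    elif case == "custom_explicit_drop":     # (c) explicit catch-all DROP rule in the chain
        fwd = Chain("DROP", [Rule("DROP", match_all=True)])
    else:
        raise ValueError(case)
    chains["FORWARD"] = fwd
    before = evaluate(chains, "FORWARD", pkt)
    fwd.rules.extend(vif_bridge_rules(vif))  # -A puts the ACCEPT rule last
    after = evaluate(chains, "FORWARD", pkt)
    return before, after
```

Only the policy-only case changes verdict after the append: a default policy is consulted last, so an appended ACCEPT wins, whereas an explicit catch-all rule earlier in the chain still matches first.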
Comment 2 Jarkko 2007-03-01 19:05:48 EST
The patch should just simply remove the handle_iptable line because iptables is
not needed for bridging (and iptables forwarding rules don't even affect how the
bridge works).

From "Objectives of Fedora": "To do as much of the development work as possible
directly in the upstream packages."

So, here we go:

http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=914
Comment 3 Red Hat Bugzilla 2007-07-24 20:06:28 EDT
change QA contact
Comment 4 Chris Lalancette 2008-02-26 18:58:56 EST
This report targets FC6, which is now end-of-life.

Please re-test against Fedora 7 or later, and if the issue persists, open a new bug.

Thanks
Comment 5 Jarkko 2008-02-27 01:59:48 EST
Actually this bug targets rawhide. And this issue was found in F7.

I assume this has not been fixed because the upstream bug is still marked as
NEW. (Which is weird by the way. Such an easy fix and they have not even taken
the issue under work...)

I'm reopening this bug because F7 is not end-of-life yet.
Comment 6 Daniel Berrange 2008-02-27 07:58:37 EST
I believe this is fixed in rawhide, but need to double-check.
Comment 7 Jarkko 2008-03-03 02:38:45 EST
xen-3.1.2-2.fc7.src.rpm (latest xen in stable F7 updates):

grep handle_iptable SOURCES/xen-net-bridge.patch 
-handle_iptable

So yes, it is fixed in Fedora - even in F7. Closing the bug now. The "Fixed in
version" in this case means "Fixed at least in version". :)
