yahoo-eng-team team mailing list archive

[Bug 796018] Re: provider firewall rules should block outbound traffic to specified hosts


** Changed in: nova
       Status: Confirmed => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/796018

Title:
  provider firewall rules should block outbound traffic to specified
  hosts

Status in OpenStack Compute (Nova):
  Opinion

Bug description:
  Provider firewall rules are currently implemented in instance
  chains (e.g. nova-compute-instance-2). This currently only matches
  incoming traffic due to the jump to the instance chain being matched
  using the destination ip of the instance (e.g. nova-compute-local -d
  10.0.0.3 -j nova-compute-inst-2). This works fine for filtering
  incoming, unsolicited traffic.

  It would also be nice to block new connections to the hosts that are
  blacklisted via provider rules.  The best way to do this might be to
  add rules in nova-compute-OUTPUT during calls to
  refresh_provider_fw_rules in the firewall driver.
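Added example, not code from nova or from the reporter: a small Python model of the iptables chain traversal the report describes. It uses the instance address 10.0.0.3 and the chain names from the report, plus a hypothetical blacklisted host (198.51.100.7, constructed), to show why a provider rule in the per-instance chain only ever sees inbound packets and how a rule added to nova-compute-OUTPUT would also stop the instance from reaching that host.

```python
from dataclasses import dataclass
from typing import Optional

INSTANCE_IP = "10.0.0.3"          # instance address from the bug report
BLOCKED_HOST = "198.51.100.7"     # hypothetical provider-blacklisted host


@dataclass
class Rule:
    src: Optional[str] = None     # -s match, None means any source
    dst: Optional[str] = None     # -d match, None means any destination
    target: str = "ACCEPT"        # ACCEPT, DROP, or a chain name to jump to


def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.src in (None, pkt["src"])) and (rule.dst in (None, pkt["dst"]))


def walk(chains: dict, chain: str, pkt: dict) -> Optional[str]:
    """Walk one chain like iptables: first terminating target wins,
    a jump that ends without a verdict returns to the caller."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = walk(chains, rule.target, pkt)
        if verdict is not None:
            return verdict
    return None


def current_chains() -> dict:
    # The jump into the instance chain keys on the instance as *destination*,
    # so only traffic towards the instance is ever checked against the
    # provider rule inside nova-compute-inst-2 (constructed rule set).
    return {
        "nova-compute-local": [Rule(dst=INSTANCE_IP, target="nova-compute-inst-2")],
        "nova-compute-inst-2": [Rule(src=BLOCKED_HOST, target="DROP"), Rule()],
        "nova-compute-OUTPUT": [],
    }


def with_provider_output_rules() -> dict:
    # Proposed change: mirror the blacklist into nova-compute-OUTPUT so the
    # instance's own connections to the blocked host are dropped as well.
    chains = current_chains()
    chains["nova-compute-OUTPUT"].append(Rule(dst=BLOCKED_HOST, target="DROP"))
    return chains


def verdict(chains: dict, pkt: dict) -> str:
    # Simplified: consult both nova entry chains, default policy ACCEPT.
    for entry in ("nova-compute-local", "nova-compute-OUTPUT"):
        result = walk(chains, entry, pkt)
        if result is not None:
            return result
    return "ACCEPT"
```

A real rule in nova-compute-OUTPUT would additionally restrict itself to new connections (conntrack state NEW) so that reply traffic for allowed inbound sessions is not affected.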

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/796018/+subscriptions