[Bug 1325986] [NEW] When VM do not have fixed_ip, Allowed address pair should not allow all the IPs by default
Public bug reported:
If we create a VM without a fixed_ip, the following rule will be added
in the spoof filter chain:
neutron/agent/linux/iptables_firewall.py

    def _setup_spoof_filter_chain(self, port, table, mac_ip_pairs, rules):
        if mac_ip_pairs:
            chain_name = self._port_chain_name(port, SPOOF_FILTER)
            table.add_chain(chain_name)
            for mac, ip in mac_ip_pairs:
                if ip is None:
                    # If fixed_ips is [] this rule will be added to the end
                    # of the list after the allowed_address_pair rules.
                    table.add_rule(chain_name,
                                   '-m mac --mac-source %s -j RETURN'
                                   % mac)
Then we will have the following rule after the allowed_address_pair rules:
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MAC $MAC_ADDRESS
This rule will hit all the IPs, but here we should not allow all the IPs ...
So I think we should not add this rule.
** Affects: neutron
Importance: Undecided
Assignee: Liping Mao (limao)
Status: New
** Changed in: neutron
Assignee: (unassigned) => Liping Mao (limao)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1325986
Title:
When VM do not have fixed_ip, Allowed address pair should not allow all the IPs by default
Status in OpenStack Neutron (virtual network service):
New
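The following is an added illustration, not neutron's code, that models the ordering problem the report describes: with fixed_ips empty, a MAC-only RETURN rule lands after the allowed_address_pair rules, so any source IP from that MAC passes the spoof filter. The per-IP RETURN rule, the trailing DROP and the sample port are assumptions made for this example; only the MAC-only rule is quoted in the report.

```python
# Simplified model of the spoof-filter chain from this report, written for
# this note (not neutron's code). The per-IP RETURN rule and the final DROP
# are assumed from the surrounding chain; the report quotes only the
# MAC-only RETURN rule.
import ipaddress

# Constructed sample port: no fixed_ips, one allowed address pair.
PORT = {"mac_address": "fa:16:3e:00:00:01", "fixed_ips": [],
        "allowed_address_pairs": [{"mac_address": "fa:16:3e:00:00:01",
                                   "ip_address": "10.0.0.50/32"}]}

def mac_ip_pairs(port, add_mac_only_rule):
    """Allowed pairs first, fixed_ips after. add_mac_only_rule=True models
    the reported behaviour: (mac, None) is appended when fixed_ips is []."""
    pairs = [(p["mac_address"], p["ip_address"])
             for p in port["allowed_address_pairs"]]
    pairs += [(port["mac_address"], ip) for ip in port["fixed_ips"]]
    if not port["fixed_ips"] and add_mac_only_rule:
        pairs.append((port["mac_address"], None))
    return pairs

def spoof_chain(pairs):
    """Render the chain as iptables rule strings, in evaluation order."""
    rules = []
    for mac, ip in pairs:
        if ip is None:
            rules.append("-m mac --mac-source %s -j RETURN" % mac)
        else:
            rules.append("-m mac --mac-source %s -s %s -j RETURN" % (mac, ip))
    rules.append("-j DROP")
    return rules

def permitted(rules, src_mac, src_ip):
    """First-match evaluation: True if the packet reaches a RETURN rule."""
    for rule in rules:
        tokens = rule.split()
        if rule == "-j DROP":
            return False
        if tokens[tokens.index("--mac-source") + 1] != src_mac:
            continue
        if "-s" in tokens:
            net = ipaddress.ip_network(tokens[tokens.index("-s") + 1])
            if ipaddress.ip_address(src_ip) not in net:
                continue
        return True
    return False

BUGGY = spoof_chain(mac_ip_pairs(PORT, add_mac_only_rule=True))
FIXED = spoof_chain(mac_ip_pairs(PORT, add_mac_only_rule=False))
```

With BUGGY, a packet from the port's MAC with an arbitrary source IP is permitted; with FIXED (the MAC-only rule left out), only the allowed address pair passes and everything else hits DROP.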