
yahoo-eng-team team mailing list archive

[Bug 1187397] Re: nova-network allows all outgoing traffic

 

not in progress anymore, this is more of a feature request than a bug

** Changed in: nova
       Status: In Progress => Opinion

** Changed in: nova
     Assignee: Bernhard M. Wiedemann (ubuntubmw) => (unassigned)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1187397

Title:
  nova-network allows all outgoing traffic

Status in OpenStack Compute (Nova):
  Opinion

Bug description:
  Having a cloud running with nova-network by default allows all outgoing traffic.
  While you can restrict access to the internet, there is no easy way to restrict VM access to private cloud infrastructure IP addresses.

  For reference, this was tracked for essex-based SUSE Cloud 1.0 
  https://bugzilla.novell.com/show_bug.cgi?id=777488 
  filed on 2012-08-27

  VMs route all their traffic through their host's IP in the nova_fixed network.

  Since we have asymmetric routing, it is not enough to disable forwarding on the interface used for the admin network, because replies come in through a different interface.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1187397/+subscriptions