
yahoo-eng-team team mailing list archive

[Bug 1346372] [NEW] The default value of quota_firewall_rule should not be -1


Public bug reported:

The default value of "quota_firewall_rule" is "-1", which means unlimited. There will be a potential security issue if the OpenStack admin does not modify this default value.
A bad tenant user can create unlimited firewall rules to "attack" the network node; in the backend, we will have a large number of iptables rules. This will make the network node crash or become very slow.

So I suggest we use another number, not "-1", here.

** Affects: neutron
     Importance: Undecided
     Assignee: Liping Mao (limao)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => Liping Mao (limao)

** Description changed:

- the default value of "quota_firewall_rule" is "-1", and this means
- unlimited. There will be potential security issue if openstack admin do
- not modify this default value. Tenant User can create unlimited firewall
- rules , in the backend, we will have many iptables rules. This may make
- the network node crash or very slow.
+ the default value of "quota_firewall_rule" is "-1", and this means unlimited. There will be potential security issue if openstack admin do not modify this default value. 
+ A bad tenant User can create unlimited firewall rules to "attack" network node, in the backend, we will have a large number of iptables rules. This will make the network node crash or very slow.
  
  So I suggest we use another number but not "-1" here.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1346372

Title:
  The default value of quota_firewall_rule should not be -1

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1346372/+subscriptions
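As an added example (not Neutron's own code), the following Python audits a neutron.conf `[quotas]` section for resources left at the unlimited value -1 and mirrors the quota check the report relies on: with -1, no number of firewall rules is ever refused. The sample configuration is constructed; the option names besides quota_firewall_rule are assumed.

```python
import configparser
from io import StringIO

UNLIMITED = -1  # the sentinel the bug report describes: -1 means no limit

# Constructed sample of a neutron.conf [quotas] section, not a real deployment file.
SAMPLE_NEUTRON_CONF = """
[quotas]
quota_firewall = 1
quota_firewall_policy = 1
quota_firewall_rule = -1
quota_security_group_rule = 100
"""


def parse_quotas(conf_text):
    """Return {option: int} for every quota_* option in the [quotas] section."""
    parser = configparser.ConfigParser()
    parser.read_file(StringIO(conf_text))
    if not parser.has_section("quotas"):
        return {}
    return {name: int(value)
            for name, value in parser.items("quotas")
            if name.startswith("quota_")}


def unlimited_quotas(quotas):
    """Names of resources whose quota is -1; these are what a config audit should flag."""
    return sorted(name for name, limit in quotas.items() if limit == UNLIMITED)


def allowed(limit, in_use, requested=1):
    """Quota decision for a create request: -1 never refuses, a finite limit caps in_use + requested."""
    if limit == UNLIMITED:
        return True
    return in_use + requested <= limit


if __name__ == "__main__":
    quotas = parse_quotas(SAMPLE_NEUTRON_CONF)
    print("unlimited:", unlimited_quotas(quotas))
    # A tenant with a million rules already is still allowed one more under -1.
    print("one more rule under -1:", allowed(quotas["quota_firewall_rule"], 10**6))
```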

