
yahoo-eng-team team mailing list archive

[Bug 1054042] Re: Nova-network bridges traffic between tenant VLANs by default

 

** Changed in: nova
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1054042

Title:
  Nova-network bridges traffic between tenant VLANs by default

Status in OpenStack Compute (Nova):
  Won't Fix

Bug description:
  We're running OpenStack Essex (openstack-nova-2012.1-7.el6.noarch) on
  CentOS 6.3. We use VLANs (nova.network.manager.VlanManager) to
  separate the tenants from each other.

  We noticed that the nova-network host that acts as a gateway for the
  virtual machines bridges all traffic between the VLANs. This means
  that any tenant has access to any other tenant's network, and other
  internal networks that happen to be available. It seems that the
  problems are these firewall rules

  -A nova-network-FORWARD -i br100 -j ACCEPT
  -A nova-network-FORWARD -o br100 -j ACCEPT
  -A nova-network-FORWARD -d 192.168.100.2/32 -p udp -m udp --dport 1194 -j ACCEPT
  -A nova-network-FORWARD -i br101 -j ACCEPT
  -A nova-network-FORWARD -o br101 -j ACCEPT
  -A nova-network-FORWARD -d 192.168.101.2/32 -p udp -m udp --dport 1194 -j ACCEPT

  Nova-network should definitely not forward all traffic from the
  bridges, since it's in the other tenants' networks too. It should be
  something like

  -A nova-network-FORWARD -i br100 -o $external_interface -j ACCEPT
  -A nova-network-FORWARD -i br100 -j DROP

  Other services (metadata) should however be considered, so that
  traffic isn't dropped. The output rule is also way too liberal, since
  it is processed before the next bridge's input rule.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1054042/+subscriptions
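As an added example (not code from the bug report or from nova-network itself), the POSIX shell script below generates a nova-network-FORWARD chain along the lines the reporter suggests, with each bridge's ACCEPT scoped to the external interface and a catch-all DROP per bridge, and includes a check that flags the over-broad "-i brN -j ACCEPT" / "-o brN -j ACCEPT" pattern quoted above. The external interface name eth0, the metadata host 10.0.0.1 reachable on port 8775 after nova's PREROUTING DNAT, and the ESTABLISHED,RELATED rule are assumptions for the example, not details taken from the report.

```shell
#!/bin/sh
# Added example: build an isolating nova-network-FORWARD ruleset and audit an
# existing one. Not code from the bug report or from nova-network.
# Assumed (not from the report): external interface eth0, metadata service at
# METADATA_HOST:8775 (reached via DNAT of 169.254.169.254:80), cloudpipe VPN
# instance per bridge given as BRIDGE:VPN_ADDR.

# gen_forward_rules EXT_IF METADATA_HOST BRIDGE:VPN_ADDR ...
# Prints one iptables rule per line for the nova-network-FORWARD chain.
# Order matters: every ACCEPT for a bridge precedes that bridge's DROP.
gen_forward_rules() {
    ext_if=$1; md_host=$2; shift 2
    # Replies to flows already permitted, so the per-bridge DROP below does
    # not cut off return traffic for a tenant's outbound connections.
    echo "-A nova-network-FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for spec in "$@"; do
        br=${spec%%:*}
        vpn=${spec#*:}
        # Tenant -> outside world only: the "-i" match is always paired with "-o".
        echo "-A nova-network-FORWARD -i $br -o $ext_if -j ACCEPT"
        # Tenant -> metadata host (the case the reporter says must keep working).
        echo "-A nova-network-FORWARD -i $br -d $md_host/32 -p tcp -m tcp --dport 8775 -j ACCEPT"
        # Outside -> this tenant's cloudpipe VPN; tightened to the external
        # interface, whereas the reported ruleset accepted it from anywhere.
        echo "-A nova-network-FORWARD -i $ext_if -d $vpn/32 -p udp -m udp --dport 1194 -j ACCEPT"
        # Everything else entering from this bridge, including traffic bound
        # for another tenant's bridge, is dropped.
        echo "-A nova-network-FORWARD -i $br -j DROP"
    done
}

# count_broad_accepts < rules
# Counts ACCEPT rules whose only match is a tenant bridge, i.e. the
# "-i brN -j ACCEPT" and "-o brN -j ACCEPT" lines from the report. Any
# non-zero result means the gateway forwards between tenant VLANs.
count_broad_accepts() {
    grep -E -- '-[io] br[0-9]+ -j ACCEPT[[:space:]]*$' | wc -l | tr -d ' '
}

# Constructed sample: the over-broad rules quoted in the bug report.
BAD_RULES='-A nova-network-FORWARD -i br100 -j ACCEPT
-A nova-network-FORWARD -o br100 -j ACCEPT
-A nova-network-FORWARD -d 192.168.100.2/32 -p udp -m udp --dport 1194 -j ACCEPT
-A nova-network-FORWARD -i br101 -j ACCEPT
-A nova-network-FORWARD -o br101 -j ACCEPT
-A nova-network-FORWARD -d 192.168.101.2/32 -p udp -m udp --dport 1194 -j ACCEPT'

echo "broad ACCEPT rules in the reported set: $(printf '%s\n' "$BAD_RULES" | count_broad_accepts)"
echo "--- isolating ruleset ---"
gen_forward_rules eth0 10.0.0.1 br100:192.168.100.2 br101:192.168.101.2
```

To audit a live host, pipe `iptables -S nova-network-FORWARD` into count_broad_accepts; to try the generated chain, flush it first and feed the output through `sed 's/^/iptables /'`. The ESTABLISHED,RELATED rule is what makes the per-bridge DROP safe: without it, reply packets arriving on the external interface destined for a bridge would still be allowed, but a bridge-to-bridge reply would not, which is the intended effect, while legitimate outbound sessions keep working because their return path never enters from a tenant bridge.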