yahoo-eng-team team mailing list archive

[Bug 1518296] Re: Non snated packet should be blocked

If you have SNAT disabled and don't want traffic to flow onto the
external network, why would you attach an interface to the external
network in the first place?

** Changed in: neutron
       Status: In Progress => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1518296

Title:
  Non snated packet should be blocked

Status in neutron:
  Opinion

Bug description:
  In current neutron, when running "neutron router-gateway-set" with the
  specified router's "enable_snat" set to false, non-SNAT'ed packets can
  arrive at other tenants via the external network.  The packets don't
  pass through the other tenant's gateway, but they add extra load to the
  external network.

  The packet should be NAT'ed when flowing on the external network.
  Non-SNAT'ed packets don't need to flow on the external network.

  Therefore, non-SNAT'ed packets should be dropped inside their own
  tenant.

  I will fix it as follows:

    * The router is Legacy mode and enable_snat is True:
      No change from current implementation.

    * The router is Legacy mode and enable_snat is False:
      Add new rule for dropping outbound non-SNAT'ed packets.

    * The router is DVR mode and enable_snat is True:
      No change from current implementation.

    * The router is Legacy mode and enable_snat is False:
      Don't create SNAT name space.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1518296/+subscriptions
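The following is an added illustration, not neutron's own code: a small model of the egress decision the bug description discusses (SNAT on, SNAT off as currently implemented, and SNAT off with the proposed drop), plus the iptables rule the legacy/enable_snat=False case would need. The rule format, the chain name and the "qg-..." interface name are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Router:
    mode: str                 # "legacy" or "dvr"
    enable_snat: bool         # value of the router's enable_snat attribute
    gateway_ip: str           # router's address on the external network
    internal_cidrs: List[str] # tenant subnets behind this router


def egress_action(router: Router, src_ip: str,
                  proposed_fix: bool = True) -> Tuple[str, Optional[str]]:
    """Decide what happens to a packet leaving the router via its external gateway.

    Returns ("snat", new_src), ("drop", None) or ("forward", src_ip).
    proposed_fix=False reproduces the behaviour the bug reports: with
    enable_snat off, a tenant-private source address is forwarded untouched
    onto the external network.
    """
    src = ipaddress.ip_address(src_ip)
    from_tenant = any(src in ipaddress.ip_network(c) for c in router.internal_cidrs)
    if not from_tenant:
        # Not tenant-originated (e.g. a reply already addressed to the gateway).
        return ("forward", src_ip)
    if router.enable_snat:
        return ("snat", router.gateway_ip)          # rewritten to the gateway IP
    if proposed_fix:
        return ("drop", None)                       # proposed: drop non-SNAT'ed egress
    return ("forward", src_ip)                      # current: private address leaks


def drop_rules(router: Router, ext_iface: str) -> List[str]:
    """iptables rules (assumed format) for the legacy/enable_snat=False case.

    One DROP per internal subnet, matching packets that would leave the
    external interface still carrying a tenant-private source address.
    """
    if router.mode != "legacy" or router.enable_snat:
        return []
    return [f"-A FORWARD -o {ext_iface} -s {cidr} -j DROP"
            for cidr in router.internal_cidrs]


if __name__ == "__main__":
    # Constructed sample router: SNAT disabled, one tenant subnet.
    r = Router("legacy", False, "203.0.113.10", ["10.0.0.0/24"])
    print(egress_action(r, "10.0.0.5", proposed_fix=False))  # current: leaks
    print(egress_action(r, "10.0.0.5"))                      # proposed: drop
    print(drop_rules(r, "qg-example"))
```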