
yahoo-eng-team team mailing list archive

[Bug 1325986] Re: When VM do not have fixed_ip, Allowed address pair should not allow all the IPs by default

 

[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1325986

Title:
  When VM do not have fixed_ip, Allowed address pair should not allow
  all the IPs by default

Status in neutron:
  Expired

Bug description:
  If we create a VM without fixed_ip, the following rule will be
  added to the spoof filter chain:

  neutron/agent/linux/iptables_firewall.py
      def _setup_spoof_filter_chain(self, port, table, mac_ip_pairs, rules):
          if mac_ip_pairs:
              chain_name = self._port_chain_name(port, SPOOF_FILTER)
              table.add_chain(chain_name)
              for mac, ip in mac_ip_pairs:
                  if ip is None:
                      # If fixed_ips is [] this rule will be added to the end
                      # of the list after the allowed_address_pair rules.
                      table.add_rule(chain_name,
                                     '-m mac --mac-source %s -j RETURN'
                                     % mac)

  Then we will have the following rule after allowed_address_pair rules:
      0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC $MAC_ADDRESS

  This rule will hit all the IPs, but here we should not allow all the IPs ...
  So I think we should not add this rule.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1325986/+subscriptions
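
The behaviour described in the report, as an added example that is not part of the original message and is not neutron's code: a small model of the spoof-filter chain that evaluates a packet against the generated rules, plus an audit helper that flags MAC-only rules. The function names, the sample MAC and addresses, the form of the IP-bound rule and the trailing DROP are assumptions; RETURN here means the packet passes the anti-spoofing check.

```python
import ipaddress
import re

# Constructed sample data: the MAC and addresses are illustrative only.
MAC = "fa:16:3e:00:00:01"

def build_spoof_rules(mac_ip_pairs):
    """Model of the rule strings built for one port's spoof-filter chain."""
    rules = []
    for mac, ip in mac_ip_pairs:
        if ip is None:
            # Branch quoted in the report: MAC match only, no source IP.
            rules.append("-m mac --mac-source %s -j RETURN" % mac)
        else:
            # Assumed form of the IP-bound rule (not shown in the excerpt).
            rules.append("-m mac --mac-source %s -s %s -j RETURN" % (mac, ip))
    rules.append("-j DROP")  # assumed default for unmatched traffic
    return rules

RULE_RE = re.compile(
    r"^(?:-m mac --mac-source (?P<mac>\S+) )?(?:-s (?P<src>\S+) )?-j (?P<target>\S+)$")

def verdict(rules, src_mac, src_ip):
    """Return the target of the first rule matching the packet's MAC and IP."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError("unrecognised rule: %r" % rule)
        if m.group("mac") and m.group("mac").lower() != src_mac.lower():
            continue
        if m.group("src") and addr not in ipaddress.ip_network(m.group("src"), strict=False):
            continue
        return m.group("target")
    return None

def mac_only_rules(rules):
    """Audit helper: rules that pass traffic on MAC alone, with no -s match."""
    hits = []
    for rule in rules:
        m = RULE_RE.match(rule)
        if m and m.group("mac") and not m.group("src") and m.group("target") != "DROP":
            hits.append(rule)
    return hits

# Port with one allowed address pair but an empty fixed_ips list.
NO_FIXED_IP = build_spoof_rules([(MAC, "10.0.0.50"), (MAC, None)])
# Same port when it does have a fixed IP.
WITH_FIXED_IP = build_spoof_rules([(MAC, "10.0.0.50"), (MAC, "10.0.0.5")])
```

With an empty fixed_ips list, any source address sent from the port's MAC passes the chain; the same audit over the second rule set returns nothing.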

