
yahoo-eng-team team mailing list archive

[Bug 1622753] Re: [RFE] Block non-IP traffic in security groups/firewall driver


Ping?

** Changed in: neutron
       Status: Triaged => Invalid

** Changed in: neutron
       Status: Invalid => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1622753

Title:
  [RFE] Block non-IP traffic in security groups/firewall driver

Status in neutron:
  Incomplete

Bug description:
  Presently the IPTables firewall driver (the reference security group
  implementation) permits all non-IP traffic to ingress and egress an
  instance port. This should be altered to block non-IP traffic by
  default.

  Security groups are a collection of rules which specify which traffic
  should be permitted into and out of an instance port. By only
  including allow rules, the order in which rules are enforced doesn't
  matter. Security groups are deny-all by default except for non-IP
  traffic. This was largely an oversight, since the original
  implementation just used iptables, which doesn't filter non-IP traffic.
  Later ebtables was employed to filter ARP messages (which are non-IP
  frames), but other Ethertypes besides IPv4, IPv6 and ARP are
  unfiltered.

  Since non-IP traffic is not routed by Neutron, there is no Internet-
  facing security risk. In the case of a shared network, this is a
  cross-tenant/project security risk.

  Since this would significantly alter the behavior of security groups, I
  propose making the change in several stages:

  1. Introduce a new configuration option to specify the firewall driver behavior for non-IP traffic. This should default to allow initially. Modify the IPtables firewall driver to honor this configuration.
  2. Change the default of this new configuration option to deny.
  3. Introduce an extension to security groups which permits arbitrary 16-bit values to be specified as Ethertypes, so tenants can use security groups to filter non-IP traffic.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1622753/+subscriptions
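The following is an added example written for this archive page, not code from Neutron or from the bug reporter. It models the three-stage proposal above: a non-IP policy option (assumed name `non_ip_traffic`, values `allow`/`deny`), an extension set of extra 16-bit Ethertypes a tenant may permit, a small Ethernet-header parser so the decision is made on real frame bytes (including 802.1Q-tagged ones), and a renderer that emits the ebtables rules such a policy would install. Chain names, option names and the sample frames are assumptions constructed for the example; IPv4/IPv6 frames are handed to the iptables security-group rules and ARP to the existing ebtables ARP filter, exactly as the description says the reference driver does today.

```python
import struct

# Well-known Ethertype values (IEEE registry).
ETH_P_IPV4 = 0x0800
ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100
ETH_P_IPV6 = 0x86DD
ETH_P_LLDP = 0x88CC  # used below as a sample non-IP protocol

IP_ETHERTYPES = {ETH_P_IPV4, ETH_P_IPV6}


def ethertype_of(frame: bytes) -> int:
    """Return the Ethertype of a raw Ethernet frame, stepping over one 802.1Q tag.

    iptables never sees this value: it only sees the IP header that follows,
    so every frame whose Ethertype is not IPv4/IPv6 bypasses it entirely.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (etype,) = struct.unpack("!H", frame[16:18])
    return etype


class NonIpPolicy:
    """Models the proposed firewall-driver option plus the Ethertype extension.

    non_ip_traffic:     'allow' (stage 1 default) or 'deny' (stage 2 default).
    allowed_ethertypes: extra 16-bit Ethertypes permitted by security-group
                        rules (stage 3). Names here are assumptions, not
                        Neutron's real option or attribute names.
    """

    def __init__(self, non_ip_traffic="allow", allowed_ethertypes=()):
        if non_ip_traffic not in ("allow", "deny"):
            raise ValueError("non_ip_traffic must be 'allow' or 'deny'")
        for v in allowed_ethertypes:
            if not 0 <= v <= 0xFFFF:
                raise ValueError(f"Ethertype {v!r} is not a 16-bit value")
        self.non_ip_traffic = non_ip_traffic
        self.allowed_ethertypes = frozenset(allowed_ethertypes)

    def decide(self, frame: bytes) -> str:
        """Classify one frame the way the layered ebtables/iptables setup would."""
        etype = ethertype_of(frame)
        if etype in IP_ETHERTYPES:
            return "iptables"      # deferred to the IP security-group rules
        if etype == ETH_P_ARP:
            return "ebtables-arp"  # existing ARP (anti-spoof) filtering
        if etype in self.allowed_ethertypes:
            return "accept"        # explicitly permitted via the extension
        return "accept" if self.non_ip_traffic == "allow" else "drop"


def render_ebtables(chain: str, policy: NonIpPolicy) -> list:
    """Emit the ebtables rules for a per-port chain under this policy.

    The chain name is an assumption; 'ebtables -p' accepts hex Ethertypes.
    The final catch-all rule is what stage 2 flips from ACCEPT to DROP.
    """
    permitted = IP_ETHERTYPES | {ETH_P_ARP} | set(policy.allowed_ethertypes)
    rules = [f"ebtables -A {chain} -p {v:#06x} -j ACCEPT" for v in sorted(permitted)]
    default = "ACCEPT" if policy.non_ip_traffic == "allow" else "DROP"
    rules.append(f"ebtables -A {chain} -j {default}")
    return rules


def make_frame(ethertype: int, vlan=None) -> bytes:
    """Construct a minimal sample frame (constructed test data, not a capture)."""
    hdr = bytes.fromhex("fa163e000001") + bytes.fromhex("fa163e000002")
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46


if __name__ == "__main__":
    lldp = make_frame(ETH_P_LLDP)
    print("today (allow):", NonIpPolicy("allow").decide(lldp))
    print("stage 2 (deny):", NonIpPolicy("deny").decide(lldp))
    print("stage 3 (deny + LLDP rule):",
          NonIpPolicy("deny", {ETH_P_LLDP}).decide(lldp))
    for r in render_ebtables("neutron-tap0-in", NonIpPolicy("deny", {ETH_P_LLDP})):
        print(r)
```

Running it shows the gap the bug describes: with the option at `allow`, an LLDP frame on a shared network reaches the port untouched, while IPv4/IPv6 and ARP still go through their existing filters; switching to `deny` drops it unless a security-group rule names that Ethertype.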

