On 01/09/2015 09:25 PM, Kris G. Lindgren wrote:
> Also, if you are running this configuration you should be aware of the
> following bug:
>
> https://bugs.launchpad.net/neutron/+bug/1274034
>
> And the corresponding fix: https://review.openstack.org/#/c/141130/
>
> Basically - Neutron security group rules do nothing to protect against ARP
> spoofing/poisoning from VMs. So it's possible under a shared network
> configuration for a VM to ARP for another VM's IP address and temporarily
> knock that VM offline. The above commit - which is still a WIP - adds
> ebtables rules to allow Neutron to filter protocols other than IP (e.g. ARP).

Thank you!
I have just finished playing with private networks (as external networks) and am starting to tune the internet network. And I saw something strange when I was doing a pentest from one of the instances. I'm going to check each thing from the list in the bug description. But I thought that security groups, antispoofing and other things are nova-driven?
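
Added example, not part of the original thread and not Neutron's code: a sketch of the per-port check an ARP anti-spoofing filter has to make, namely that the sender MAC and sender IP inside each ARP payload match what is assigned to the port it came from. The port table, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed port table: port MAC -> IPs assigned to that port (hypothetical values).
PORT_BINDINGS = {
    "fa:16:3e:00:00:0a": {"192.0.2.10"},
    "fa:16:3e:00:00:0b": {"192.0.2.11"},
}

def build_arp(op, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload for the constructed samples."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in payload[8:14])
    spa = str(ipaddress.IPv4Address(payload[14:18]))
    return op, sha, spa

def check_arp(port_mac, payload, bindings=PORT_BINDINGS):
    """Verdict for an ARP payload sent from the port whose MAC is port_mac."""
    parsed = parse_arp(payload)
    if parsed is None:
        return "drop: malformed or non-IPv4 ARP"
    _, sha, spa = parsed
    if sha != port_mac:
        return f"drop: sender MAC {sha} is not the port MAC"
    if spa not in bindings.get(port_mac, set()):
        return f"drop: sender IP {spa} is not assigned to this port"
    return "accept"

def samples():
    """Run the check over four constructed payloads, all sent from port a."""
    a, b = "fa:16:3e:00:00:0a", "fa:16:3e:00:00:0b"
    unset = "00:00:00:00:00:00"
    return [
        check_arp(a, build_arp(1, a, "192.0.2.10", unset, "192.0.2.1")),  # own IP
        check_arp(a, build_arp(2, a, "192.0.2.11", b, "192.0.2.11")),     # b's IP
        check_arp(a, build_arp(2, b, "192.0.2.11", unset, "192.0.2.1")),  # b's MAC
        check_arp(a, b"\x00" * 10),                                       # truncated
    ]

if __name__ == "__main__":
    for verdict in samples():
        print(verdict)
```

An IP-only filter never inspects these fields, because the claimed address sits in the ARP payload rather than in an IP header.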
