Reviewed: https://review.openstack.org/633211
Committed:
https://git.openstack.org/cgit/openstack/neutron/commit/?id=72d9c3ccb34f5c5abb8de0b32d4ef1660b9f502f
Submitter: Zuul
Branch: stable/pike
commit 72d9c3ccb34f5c5abb8de0b32d4ef1660b9f502f
Author: Jens Harbott <j.harb...@x-ion.de>
Date: Mon Oct 29 17:08:33 2018 +0000
Secure dnsmasq process against external abuse
Currently any dhcp agent instance will work as an open resolver. For
deployments using publicly routed addresses for tenant networks, this
allows the agent being abused in dDoS attacks, see [1].
By setting the `--local-service` option dnsmasq will filter DNS queries
and reply only to queries from directly attached networks.
[1] https://bugs.launchpad.net/neutron/+bug/1501206
Conflicts:
neutron/cmd/sanity_check.py
Closes-Bug: 1501206
Change-Id: I76d810aad2ce0f15a88bd798963012fa0efca74e
(cherry picked from commit 0fce3ca2c1641fbcfb8327a86d7225e2c3972263)
** Tags added: in-stable-pike
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1501206
Title:
router:dhcp ports are open resolvers
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1501206/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
