Public bug reported:
The default value of "quota_firewall_rule" is "-1", and this means unlimited.
There will be a potential security issue if the OpenStack admin does not modify
this default value.
A bad tenant user can create unlimited firewall rules to "attack" the network
node; in the backend, we will have a large number of iptables rules. This will
make the network node crash or become very slow.
So I suggest we use a number other than "-1" here.
** Affects: neutron
Importance: Undecided
Assignee: Liping Mao (limao)
Status: New
** Changed in: neutron
Assignee: (unassigned) => Liping Mao (limao)
** Description changed:
- the default value of "quota_firewall_rule" is "-1", and this means
- unlimited. There will be potential security issue if openstack admin do
- not modify this default value. Tenant User can create unlimited firewall
- rules , in the backend, we will have many iptables rules. This may make
- the network node crash or very slow.
+ the default value of "quota_firewall_rule" is "-1", and this means unlimited.
There will be potential security issue if openstack admin do not modify this
default value.
+ A bad tenant User can create unlimited firewall rules to "attack" network
node, in the backend, we will have a large number of iptables rules. This will
make the network node crash or very slow.
So I suggest we use another number but not "-1" here.
https://bugs.launchpad.net/bugs/1346372
Title:
The default value of quota_firewall_rule should not be -1
Status in OpenStack Neutron (virtual network service):
New
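An operator-side check for the condition this report describes, as an added example that is not part of the original report or of Neutron's code: it reads neutron.conf-style text and lists quota options that are effectively unlimited, including `quota_firewall_rule` left unset. The `[quotas]` section name, the function name, the other option names in the samples and the sample file contents are assumptions.

```python
import configparser

# Per the bug report, quota_firewall_rule defaults to -1 (unlimited) when unset.
# The [quotas] section name is an assumption about the config layout.
REPORTED_DEFAULTS = {"quota_firewall_rule": -1}


def find_unlimited_quotas(conf_text, section="quotas"):
    """Return {option: reason} for quota options that are effectively unlimited."""
    # default_section is renamed so [DEFAULT] values are not merged into [quotas].
    parser = configparser.ConfigParser(
        default_section="__none__", interpolation=None, strict=False)
    parser.read_string(conf_text)
    explicit = dict(parser[section]) if parser.has_section(section) else {}

    findings = {}
    for name, raw in explicit.items():
        if not name.startswith("quota_"):
            continue
        try:
            value = int(raw)
        except ValueError:
            findings[name] = f"non-integer value {raw!r}"
            continue
        if value < 0:  # report says -1 is unlimited; other negatives assumed alike
            findings[name] = f"explicitly set to {value} (unlimited)"

    # Options left unset inherit the default, which is the case the report warns about.
    for name, default in REPORTED_DEFAULTS.items():
        if name not in explicit and default < 0:
            findings[name] = f"unset, default {default} (unlimited)"
    return findings


# Constructed sample configs (values chosen for illustration only).
UNSET = "[quotas]\nquota_network = 10\n# quota_firewall_rule = 50\n"
EXPLICIT = "[quotas]\nquota_firewall_rule = -1\nquota_port = -1\n"
BOUNDED = "[quotas]\nquota_firewall_rule = 50\n"

if __name__ == "__main__":
    for label, text in (("unset", UNSET), ("explicit", EXPLICIT), ("bounded", BOUNDED)):
        print(label, find_unlimited_quotas(text))
```

A commented-out line counts as unset, so a file that only carries the shipped sample comment is still reported.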