[Expired for neutron because there has been no activity for 60 days.]
** Changed in: neutron
Status: Incomplete => Expired
https://bugs.launchpad.net/bugs/1325986
Title:
When a VM does not have fixed_ip, allowed address pair should not allow
all the IPs by default
Status in neutron:
Expired
Bug description:
If we create a VM without fixed_ip, the following rule will be
added in the spoof filter chain:
neutron/agent/linux/iptables_firewall.py

    def _setup_spoof_filter_chain(self, port, table, mac_ip_pairs, rules):
        if mac_ip_pairs:
            chain_name = self._port_chain_name(port, SPOOF_FILTER)
            table.add_chain(chain_name)
            for mac, ip in mac_ip_pairs:
                if ip is None:
                    # If fixed_ips is [] this rule will be added to the end
                    # of the list after the allowed_address_pair rules.
                    table.add_rule(chain_name,
                                   '-m mac --mac-source %s -j RETURN'
                                   % mac)

Then we will have the following rule after allowed_address_pair rules:
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MAC $MAC_ADDRESS
This rule will hit all the IPs, but here we should not allow all the IPs ...
So I think we should not add this rule.
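
Added example (not part of the bug report and not neutron code): a small model of the spoof filter chain that evaluates a packet's source MAC and IP against the rules, with the MAC-only rule present and with it omitted as the report proposes. The MAC+IP rule for pairs that carry an IP, the final DROP, and all MAC/IP values are assumptions constructed for illustration.

```python
import ipaddress


def build_spoof_rules(mac_ip_pairs, add_mac_only_rule=True):
    """Return the chain as ordered (mac, network, target) tuples.

    network=None means the rule matches on source MAC alone, which is
    what '-m mac --mac-source <mac> -j RETURN' does in the snippet above.
    """
    rules = []
    for mac, ip in mac_ip_pairs:
        if ip is None:
            if add_mac_only_rule:
                rules.append((mac.lower(), None, "RETURN"))
        else:
            # Assumed form of the rule for pairs that do carry an IP.
            net = ipaddress.ip_network(ip, strict=False)
            rules.append((mac.lower(), net, "RETURN"))
    rules.append((None, None, "DROP"))  # assumed default at end of chain
    return rules


def evaluate(rules, src_mac, src_ip):
    """First matching rule wins, as in an iptables chain."""
    addr = ipaddress.ip_address(src_ip)
    for mac, net, target in rules:
        if mac is not None and mac != src_mac.lower():
            continue
        if net is not None and addr not in net:
            continue
        return target
    return "DROP"


# Constructed sample: port with fixed_ips == [] and one allowed address pair.
PORT_MAC = "fa:16:3e:00:00:01"
PAIRS = [(PORT_MAC, "10.0.0.50/32"), (PORT_MAC, None)]

CURRENT = build_spoof_rules(PAIRS)                            # behaviour reported
PROPOSED = build_spoof_rules(PAIRS, add_mac_only_rule=False)  # rule not added

if __name__ == "__main__":
    for label, chain in (("current", CURRENT), ("proposed", PROPOSED)):
        for ip in ("10.0.0.50", "192.0.2.77"):
            print(label, ip, evaluate(chain, PORT_MAC, ip))
```
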