Public bug reported:

According to [1], providing routes for neighbor IPv4 subnets will cause VMs
with addresses from different subnets to talk to each other directly, bypassing
the default router. The traffic will not enter the virtual router. The
neutron-fwaas project applies firewall rules in the virtual router to control
access between subnets. But now that the traffic does not go through the virtual
router, the firewall between subnets will not take effect.

I know neutron-fwaas is deprecated; I use it as an example to
describe my confusion. If I want to use a firewall function such as
neutron-fwaas, I have to remove the routes to neighbor subnets in the VM
to make the traffic pass through the default router. Can we make this
feature [1] configurable for flexibility?

[1] https://review.opendev.org/c/openstack/neutron/+/125043

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: dvr ovs

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1927662

Title:
  Firewall policy in the virtual router will not take effect when vm has
  routes to neighbor subnets.

Status in neutron:
  New

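A guest-side check for the condition this report describes, as an added example that is not part of the bug report or of neutron: it parses `ip -4 route` output and lists the neighbor subnets the VM reaches on-link instead of via the default router, which is the traffic that rules applied in the virtual router never see. The addresses, interface name and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: `ip -4 route` output from a guest on 10.0.0.0/24 that was
# also given an on-link route to the neighbor subnet 10.0.1.0/24.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
10.0.1.0/24 dev eth0 scope link
"""

def parse_routes(text):
    """Return [(network, gateway_or_None)] from `ip -4 route` style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types this sketch does not model, e.g. "unreachable"
        gw = None
        if "via" in fields[:-1]:
            gw = ipaddress.ip_address(fields[fields.index("via") + 1])
        routes.append((net, gw))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match; returns the gateway, or None when dst is on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def bypassing_subnets(routes, own_subnet, neighbor_subnets):
    """Neighbor subnets the guest reaches without going through a gateway."""
    own = ipaddress.ip_network(own_subnet)
    flagged = []
    for cidr in neighbor_subnets:
        net = ipaddress.ip_network(cidr)
        if net != own and next_hop(routes, net.network_address + 1) is None:
            flagged.append(cidr)
    return flagged

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print(bypassing_subnets(routes, "10.0.0.0/24", ["10.0.1.0/24", "10.0.2.0/24"]))
```

An empty result means every listed neighbor subnet is reached through a gateway, so inter-subnet policy enforced in the router still applies to that guest.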