Firewall services for OpenStack Neutron.
Xuhan Peng b7b0c7dbcd Permit ICMPv6 RAs only from known routers
Currently ingress ICMPv6 RAs are permitted from any IPs by
default to allow VMs to accept ICMPv6 RA from provider network.
In this way, VM can accept RAs from attacker VM and configure
a network prefix specified by the attacker VM.

Remove permitting ICMPv6 RAs from any IPs and add security rule
to only permit ICMPv6 RA from:

1. If the port's subnet is configured with ipv6_ra_mode value
(i.e. value is slaac, dhcpv6-stateful, or dhcpv6-stateless), RA
is sent from dnsmasq controlled by OpenStack. In this case,
allow RA from the link local address of gateway port (if the
gateway port is created).

2. If the subnet's gateway port is not managed by OpenStack, allow
the ICMPv6 RA sent from the subnet gateway IP if it's a link local
address. The administrator needs to configure the gateway IP as
link local address in this case to make the RA rule work.

Change-Id: I1d5c7aaa8e4cf057204eb746c0faab2c70409a94
Closes-Bug: 1262759
2014-04-02 16:24:17 +08:00
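
The source-selection logic described in the commit message above, as an added stand-alone sketch (not Neutron's own code). The dictionary keys `gateway_port_lla` and `gateway_ip`, the function names, and the sample subnets are assumptions made for illustration, as is treating an unset `ipv6_ra_mode` as meaning the gateway is not managed by OpenStack.

```python
import ipaddress

# ipv6_ra_mode values named in the commit message.
RA_MODES = {"slaac", "dhcpv6-stateful", "dhcpv6-stateless"}
ICMPV6_RA = 134  # ICMPv6 type for Router Advertisement (RFC 4861)


def allowed_ra_sources(subnets):
    """Return the source addresses from which ingress RAs are accepted."""
    sources = set()
    for subnet in subnets:
        if subnet.get("ip_version") != 6:
            continue
        if subnet.get("ipv6_ra_mode") in RA_MODES:
            # Case 1: RA comes from OpenStack; trust the gateway port's
            # link-local address, but only if that port has been created.
            lla = subnet.get("gateway_port_lla")  # hypothetical key
            if lla:
                sources.add(ipaddress.IPv6Address(lla))
        else:
            # Case 2: external router; trust the configured gateway IP
            # only when the administrator set it to a link-local address.
            gateway = subnet.get("gateway_ip")
            if gateway and ipaddress.IPv6Address(gateway).is_link_local:
                sources.add(ipaddress.IPv6Address(gateway))
    return sources


def ingress_ra_permitted(src, icmp_type, sources):
    """Default deny: an RA passes only if its source is a known router."""
    return icmp_type == ICMPV6_RA and ipaddress.IPv6Address(src) in sources


# Constructed sample subnets (not taken from any deployment).
SUBNETS = [
    {"ip_version": 6, "ipv6_ra_mode": "slaac",
     "gateway_port_lla": "fe80::f816:3eff:fe00:1"},
    {"ip_version": 6, "ipv6_ra_mode": "dhcpv6-stateful",
     "gateway_port_lla": None},                      # gateway port not created
    {"ip_version": 6, "ipv6_ra_mode": None, "gateway_ip": "fe80::1"},
    {"ip_version": 6, "ipv6_ra_mode": None, "gateway_ip": "2001:db8:3::1"},
    {"ip_version": 4, "gateway_ip": "10.0.0.1"},
]

if __name__ == "__main__":
    known = allowed_ra_sources(SUBNETS)
    for src in ("fe80::f816:3eff:fe00:1", "fe80::1", "fe80::bad", "2001:db8:3::1"):
        print(src, ingress_ra_permitted(src, ICMPV6_RA, known))
```

The fourth sample subnet shows the caveat from the commit message: a gateway configured with a global address yields no RA rule at all.
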
bin Use oslo.rootwrap library instead of local copy 2014-02-07 10:58:27 +01:00
doc API layer documentation 2014-03-13 00:43:07 -04:00
etc Add enable_security_group to BigSwitch and OneConvergence ini files 2014-03-22 19:13:10 +09:00
neutron Permit ICMPv6 RAs only from known routers 2014-04-02 16:24:17 +08:00
quantum Re-assign quantum.api module as last operation 2013-07-15 22:51:28 +02:00
tools Merge "Corrects broken format strings in check_i18n.py" 2014-01-07 14:11:59 +00:00
.coveragerc fix some missing change from quantum to neutron 2013-07-08 12:11:04 +08:00
.gitignore Updates .gitignore 2013-11-28 23:18:03 +08:00
.gitreview Rename quantum to neutron in .gitreview. 2013-07-06 12:25:09 -04:00
.mailmap mailmap: update .mailmap 2014-02-10 15:48:48 +09:00
.pylintrc Rename Quantum to Neutron 2013-07-06 15:02:43 -04:00
.testr.conf Add an explicit tox job for functional tests 2014-02-05 17:11:52 +00:00
babel.cfg Use babel to generate translation file 2013-01-24 00:20:32 +08:00
HACKING.rst Cleanup HACKING.rst 2013-11-11 10:32:34 -08:00
LICENSE Adding Apache Version 2.0 license file. This is the official license agreement under which Quantum code is available to 2011-08-08 12:31:04 -07:00
MANIFEST.in Rename Quantum to Neutron 2013-07-06 15:02:43 -04:00
openstack-common.conf Merge "Remove dependent module py3kcompat" 2014-02-23 06:30:59 +00:00
README.rst Rename Quantum to Neutron 2013-07-06 15:02:43 -04:00
requirements.txt Updated from global requirements 2014-04-01 11:51:30 +00:00
run_tests.sh Merge "Don't document non-existing flag '--hide-elapsed'" 2014-02-22 04:05:04 +00:00
setup.cfg Open Juno development 2014-03-27 16:42:57 +01:00
setup.py Updated from global requirements 2013-10-01 16:13:29 +00:00
test-requirements.txt Bugfix and refactoring for ovs_lib flow methods 2014-03-14 15:23:19 +02:00
TESTING.rst Developer documentation 2014-02-26 11:03:46 -05:00
tox.ini add HEAD sentinel file that contains migration revision 2014-03-19 12:40:29 -04:00

# -- Welcome!

You have come across a cloud computing network fabric controller. It has identified itself as "Neutron." It aims to tame your (cloud) networking!

# -- External Resources:

The homepage for Neutron is: http://launchpad.net/neutron . Use this site to ask for help and to file bugs. Code is available on GitHub at <http://github.com/openstack/neutron>.

The latest and most in-depth documentation on how to use Neutron is available at: <http://docs.openstack.org>. This includes:

Neutron Administrator Guide: http://docs.openstack.org/trunk/openstack-network/admin/content/

Neutron API Reference: http://docs.openstack.org/api/openstack-network/2.0/content/

The start of some developer documentation is available at: http://wiki.openstack.org/NeutronDevelopment

For help using or hacking on Neutron, you can send mail to <mailto:openstack-dev@lists.openstack.org>.