As part of the anti-spoofing filter chain, Neutron drops all outbound traffic where the MAC/IP does not match the IP address assigned to the VM ports (including allowed_address_pairs). Along with this, we also drop traffic associated with a dhcp[v6] server (i.e., we do not allow a VM to run a dhcp[v6] server). Currently we do not have any rules to drop Router Advts from VM ports. This can create issues in the network, as other devices in the network may not have any protection against this kind of traffic. Even if we allow RAs from the VM ports, because of the anti-spoofing rules that are applied, a VM cannot act as an IPv6 router (i.e., it cannot forward IPv6 traffic). So there is no point in allowing Router Advts from VMs on the assumption that it would be useful in Service VM use-cases. In order to properly implement an IPv6 router as a Service VM, one needs to use the port_security extension [1], which allows us to disable security group rules/anti-spoofing filters on the VM ports. [1]https://review.openstack.org/#/c/99873/22/specs/kilo/ml2-ovs-portsecurity.rst This patch disables Router Advts from VM ports. Closes-Bug: #1372882 Change-Id: I8db5d6dbe60bf04f4e3754a886c6aa8a97a16bab
# Copyright 2014 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

"""Comment strings attached to the iptables rules installed by the agent.

Each constant is the human-readable comment for one kind of rule, so that an
operator inspecting the live rule set can tell what a rule is for.
"""

# Do not translate these comments. They are passed straight through to the
# iptables command line, so a quote or an escape character inside one would
# break out of the comment argument and could interfere with other
# parameters. Keep them plain ASCII sentences.

# Source NAT on egress.
SNAT_OUT = 'Perform source NAT on outgoing traffic.'

# Dispatch between the per-VM chains and the shared security group chains.
VM_INT_SG = 'Direct traffic from the VM interface to the security group chain.'
SG_TO_VM_SG = 'Jump to the VM specific chain.'
INPUT_TO_SG = 'Direct incoming traffic from VM to the security group chain.'
UNMATCHED = 'Send unmatched traffic to the fallback chain.'
UNMATCH_DROP = 'Default drop rule for unmatched traffic.'

# Anti-spoofing: only the IP/MAC pairs configured on the port may transmit,
# unless port security has been disabled for the port entirely.
PAIR_ALLOW = 'Allow traffic from defined IP/MAC pairs.'
PAIR_DROP = 'Drop traffic without an IP/MAC allow rule.'
PORT_SEC_ACCEPT = 'Accept all packets when port security is disabled.'

# DHCP: a VM may be a DHCP client but must not act as a DHCP server.
DHCP_CLIENT = 'Allow DHCP client traffic.'
DHCP_SPOOF = 'Prevent DHCP Spoofing by VM.'

# IPv6: ICMPv6 is allowed, but a VM port is not permitted to act as an IPv6
# router (the anti-spoofing rules keep it from forwarding IPv6 traffic), so
# Router Advertisements originating from the VM are dropped.
IPV6_ICMP_ALLOW = 'Allow IPv6 ICMP traffic.'
IPV6_RA_DROP = 'Drop IPv6 Router Advts from VM Instance.'

# Connection tracking.
INVALID_DROP = ('Drop packets that appear related to an existing connection '
                '(e.g. TCP ACK/FIN) but do not have an entry in conntrack.')
ALLOW_ASSOC = ('Direct packets associated with a known session '
               'to the RETURN chain.')