neutron/neutron/agent/linux/openvswitch_firewall
Slawek Kaplonski 9ab5159d2d [OVS FW] Allow egress ICMPv6 only for known addresses
Before this patch it was possible to send ICMPv6 packets such as:
    neutron_lib.constants.ICMPV6_TYPE_MLD_QUERY,
    neutron_lib.constants.ICMPV6_TYPE_RS,
    neutron_lib.constants.ICMPV6_TYPE_NS,
    neutron_lib.constants.ICMPV6_TYPE_NA

That could cause security issues, as an instance could advertise
that it owns an IPv6 address which really doesn't belong to it.

Now the rules in table=71 which allow that traffic are "per mac/ipaddress"
and are allowed only for the fixed IPs allocated to the port and the port's
allowed_address_pairs.

Conflicts:
    neutron/agent/linux/openvswitch_firewall/firewall.py
    neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py

Closes-Bug: #1902917
Change-Id: I4749fdc6a6cabd253b971bf4010ff76f5593c59c
(cherry picked from commit 4b5bcff64c)
2021-02-27 20:15:42 +00:00
__init__.py Open vSwitch conntrack based firewall driver 2016-02-16 16:47:21 +00:00
constants.py [log] ovs fw logging implementation 2018-01-09 09:26:40 +07:00
exceptions.py ovsfw: Don't create rules if updated port doesn't exist 2018-01-05 16:28:18 +00:00
firewall.py [OVS FW] Allow egress ICMPv6 only for known addresses 2021-02-27 20:15:42 +00:00
iptables.py fullstack: Migration from iptables_hybrid to openvswitch 2018-04-26 16:44:24 +00:00
rules.py Revert "[Security] fix allowed-address-pair 0.0.0.0/0 issue" 2020-11-17 14:34:03 +00:00