31 lines
1.3 KiB
YAML
---
upgrade:
  - |
    The libvirt driver port filtering feature will now ignore the ``use_ipv6``
    config option.

    The libvirt driver provides port filtering capability. This capability
    is enabled when all of the following are true:

    - The ``nova.virt.libvirt.firewall.IptablesFirewallDriver`` firewall driver
      is enabled
    - Security groups are disabled
    - Neutron port filtering is disabled/unsupported
    - An IPTables-compatible interface is used, e.g. an OVS VIF in hybrid mode,
      where the VIF is a tap device connected to OVS with a bridge

    When enabled, libvirt applies IPTables rules to all interface ports that
    provide MAC, IP, and ARP spoofing protection.

    Previously, setting the ``use_ipv6`` config option to ``False`` prevented
    the generation of IPv6 rules even when there were IPv6 subnets available.
    This was fine when using nova-network, where the same config option was
    used to control generation of these subnets. However, a mismatch between
    this nova option and the equivalent IPv6 options in neutron would have
    resulted in IPv6 packets being dropped.

    Seeing as there was no apparent reason for not allowing IPv6 traffic when
    the network is IPv6-capable, we now ignore this option. Instead, we use the
    availability of IPv6-capable subnets as an indicator that IPv6 rules should
    be added.
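The following is an added example, not Nova's own code, that models the behaviour this note describes: the old decision gated IPv6 anti-spoofing rules on the ``use_ipv6`` option, the new decision gates them on whether the port actually holds an IPv6 address. The ``Port`` type, the ``nova-spoof`` chain name, the rule syntax and the MAC/IP values are all constructed for the illustration; the evaluator mirrors a default-deny chain, so a port whose IPv6 allow rules were never generated has its IPv6 traffic dropped.

```python
"""Model of libvirt port-filter rule generation before and after the change.

This is an illustrative example, not code from Nova. The Port type, the
``nova-spoof`` chain name and the rule strings are constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """Constructed stand-in for a Neutron port: one MAC plus its fixed IPs."""
    mac: str
    fixed_ips: tuple  # IP address strings assigned by Neutron


def _tool_for(version):
    return "iptables" if version == 4 else "ip6tables"


def _rules_for(port, version):
    """Anti-spoofing rules for one IP version in an iptables-like syntax.

    A frame is only RETURNed (accepted) when both its source MAC and its
    source IP match what was assigned to the port; everything else in that
    address family falls through to the trailing DROP.
    """
    tool = _tool_for(version)
    rules = []
    for ip in port.fixed_ips:
        addr = ipaddress.ip_address(ip)
        if addr.version != version:
            continue
        rules.append(
            f"{tool} -A nova-spoof -m mac --mac-source {port.mac} -s {addr} -j RETURN"
        )
    if rules:
        rules.append(f"{tool} -A nova-spoof -j DROP")
    return rules


def old_filter_rules(port, use_ipv6):
    """Pre-change behaviour: IPv6 rules depend on the nova ``use_ipv6`` option."""
    rules = _rules_for(port, 4)
    if use_ipv6:
        rules += _rules_for(port, 6)
    return rules


def new_filter_rules(port):
    """Post-change behaviour: IPv6 rules are emitted whenever the port holds
    an IPv6 address, regardless of the config option."""
    return _rules_for(port, 4) + _rules_for(port, 6)


def packet_allowed(rules, mac, ip):
    """Walk the generated chain for the packet's address family.

    The first matching RETURN accepts the packet; a DROP, or reaching the end
    of the chain with no match, rejects it (default deny).
    """
    addr = ipaddress.ip_address(ip)
    tool = _tool_for(addr.version)
    for rule in rules:
        if not rule.startswith(tool):
            continue
        if rule.endswith("-j DROP"):
            return False
        if f"--mac-source {mac} " in rule and f"-s {addr} " in rule:
            return True
    return False


def ipv6_rules_present(rules):
    return any(r.startswith("ip6tables") for r in rules)


if __name__ == "__main__":
    # Constructed dual-stack port: use_ipv6=False in nova, IPv6 subnet in neutron.
    port = Port(mac="fa:16:3e:00:00:01", fixed_ips=("192.0.2.10", "2001:db8::10"))
    old = old_filter_rules(port, use_ipv6=False)
    new = new_filter_rules(port)
    print("old, IPv6 allowed:", packet_allowed(old, port.mac, "2001:db8::10"))
    print("new, IPv6 allowed:", packet_allowed(new, port.mac, "2001:db8::10"))
    print("new, spoofed MAC allowed:", packet_allowed(new, "fa:16:3e:00:00:02", "2001:db8::10"))
```

Under the old logic the mismatch is silent: the port has a valid IPv6 address, no rule mentions it, and the chain's default deny drops the traffic. Under the new logic the same port gets its ``ip6tables`` allow rules, while spoofed source MACs or addresses are still rejected, and a port with only IPv4 addresses gets no IPv6 rules at all.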