libvirt: Ignore 'allow_same_net_traffic' for port filters

As described in Idcfdaf3b163ba852c9a2c45d5e0c6c35e643c7f5, the libvirt
driver provides port filtering capability.

At present, setting the 'allow_same_net_traffic' config option to True
allows for same network traffic when using these port filters. This is
the default case and is the only case currently tested. While there may
be reasons to prevent same net traffic, it is a minority use case that
can be achieved in other ways, such as through use of neutron's native
port filtering [1] or security groups.

Remove this functionality, referring users to the alternatives. This
simplifies the relevant code and ensures 'allow_same_net_traffic' is
once again a nova-network only option and therefore deprecable.

[1] https://blueprints.launchpad.net/neutron/+spec/ml2-ovs-portsecurity

Change-Id: I67556f1fc0b62b3db64af6fc09c945af313d8ddb
Implements: blueprint centralize-config-options-pike
This commit is contained in:
Stephen Finucane 2017-02-08 12:12:11 +00:00
parent 0b550db05f
commit b693730102
3 changed files with 36 additions and 14 deletions

@ -406,8 +406,7 @@ class LibvirtVifTestCase(test.NoDBTestCase):
def setUp(self):
super(LibvirtVifTestCase, self).setUp()
self.useFixture(fakelibvirt.FakeLibvirtFixture(stub_os_vif=False))
self.flags(allow_same_net_traffic=True,
firewall_driver=None)
self.flags(firewall_driver=None)
# os_vif.initialize is typically done in nova-compute startup
os_vif.initialize()
self.setup_os_vif_objects()

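Review bot: removing `allow_same_net_traffic=True` from setUp drops the only place this test class exercised the option, so nothing now asserts that the libvirt filter parameters are unaffected by it. Since the intent is that the option is ignored by the port filters, a test that sets `allow_same_net_traffic=False` and checks that the PROJNET/PROJMASK (and PROJNET6/PROJMASK6) parameters are still emitted would lock in the behaviour the release note promises; `self.flags(firewall_driver=None)` alone no longer covers it.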
@ -156,24 +156,21 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
if dhcp_server:
parameters.append(format_parameter('DHCPSERVER', dhcp_server))
ipv4_cidr = subnet['cidr']
net, mask = netutils.get_net_and_mask(ipv4_cidr)
parameters.append(format_parameter('PROJNET', net))
parameters.append(format_parameter('PROJMASK', mask))
for subnet in v6_subnets:
gateway = subnet.get('gateway')
if gateway:
ra_server = gateway['address'] + "/128"
parameters.append(format_parameter('RASERVER', ra_server))
if CONF.allow_same_net_traffic:
for subnet in v4_subnets:
ipv4_cidr = subnet['cidr']
net, mask = netutils.get_net_and_mask(ipv4_cidr)
parameters.append(format_parameter('PROJNET', net))
parameters.append(format_parameter('PROJMASK', mask))
for subnet in v6_subnets:
ipv6_cidr = subnet['cidr']
net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr)
parameters.append(format_parameter('PROJNET6', net))
parameters.append(format_parameter('PROJMASK6', prefix))
ipv6_cidr = subnet['cidr']
net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr)
parameters.append(format_parameter('PROJNET6', net))
parameters.append(format_parameter('PROJMASK6', prefix))
return parameters
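Review bot: with the `if CONF.allow_same_net_traffic:` guard gone, an operator who had set the option to `False` gets same-network traffic silently re-enabled by the nwfilter parameters on upgrade, and the release note is the only signal; consider logging a warning from this driver when the option is `False` so the change is visible at runtime rather than only in the docs. Otherwise the inlining is behaviour-preserving for the default `True` case: the `PROJNET`/`PROJMASK` lines now sit in the existing `for subnet in v4_subnets` loop next to `DHCPSERVER`, and the `PROJNET6`/`PROJMASK6` lines in the existing `v6_subnets` loop next to `RASERVER`, emitting exactly the parameters the removed duplicate loops produced.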

@ -0,0 +1,26 @@
---
upgrade:
- |
The libvirt driver provides port filtering capability. This capability is
enabled when the following is true:
- The `nova.virt.libvirt.firewall.IptablesFirewallDriver` firewall driver
is enabled
- Security groups are disabled
- Neutron port filtering is disabled
- An IPTables-compatible interface is used, e.g. hybrid mode, where the
VIF is a tap device
When enabled, libvirt applies IPTables rules that provide MAC, IP, and
ARP spoofing protection.
Previously, setting the `allow_same_net_traffic` config option to `True`
allowed for same network traffic when using these port filters. This was
the default case and was the only case tested. Setting this to `False`
disabled same network traffic *when using the libvirt driver port filtering
functionality only*, however, this was neither tested nor documented.
Given that there are other better documented and better tested ways to
approach this, such as through use of neutron's native port filtering or
security groups, this functionality has been removed. Users should instead
rely on one of these alternatives.
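Review bot: inside the `|` literal block, the bullet list after "enabled when the following is true:" and the paragraph beginning "When enabled, libvirt applies" each need a blank line before them; as written, reno/Sphinx will treat the `- The ...` lines as a continuation of the preceding sentence and fold "When enabled" into the last bullet. Two smaller points: the note names `nova.virt.libvirt.firewall.IptablesFirewallDriver`, whereas the code hunk is in `NWFilterFirewall`, so confirm that is the driver operators actually configure (the iptables driver delegating spoofing protection to the nwfilter class would make the wording fine, but it is worth a check), and "IPTables" is conventionally written "iptables". Since the commit message says the option is now nova-network only and deprecable, stating explicitly that `allow_same_net_traffic` is ignored by the libvirt driver would save operators reading between the lines.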