nova/releasenotes/notes/libvirt-firewall-ignore-use_ipv6-c555f95799f991fd.yaml
Stephen Finucane e5080c7330 libvirt: Ignore 'use_ipv6' for port filters
The libvirt driver provides port filtering capability. This capability
is enabled when the following is true:

- The IPTables firewall driver is enabled
- Security groups are disabled
- Neutron port filtering is disabled
- An IPTables-compatible interface is used, e.g. hybrid mode, where the
  VIF is a tap device

When enabled, libvirt applies IPTables rules that provide MAC, IP, and
ARP spoofing protection.

At present, setting the 'use_ipv6' config option to False prevents the
generation of IPv6 rules even when there are IPv6 subnets available.
This is fine when using nova-network, where the same config option is
used to control generation of these subnets. However, a mismatch between
this nova option and equivalent IPv6 options in neutron would result in
IPv6 packets being dropped.

Seeing as there is no apparent reason for not allowing IPv6 traffic when
the network is IPv6-capable, we can ignore this option. Instead, we use
the availability of IPv6-capable subnets as an indicator that IPv6 rules
should be added.

This paves the way for deprecating the 'use_ipv6' option, which is now
only used for two deprecated features: nova-network and file injection.

Change-Id: Idcfdaf3b163ba852c9a2c45d5e0c6c35e643c7f5
Implements: blueprint centralize-config-options-pike
2017-03-20 16:52:14 +00:00

---
upgrade:
  - |
    The libvirt driver port filtering feature will now ignore the ``use_ipv6``
    config option.

    The libvirt driver provides port filtering capability. This capability
    is enabled when the following is true:

    - The ``nova.virt.libvirt.firewall.IptablesFirewallDriver`` firewall driver
      is enabled
    - Security groups are disabled
    - Neutron port filtering is disabled/unsupported
    - An IPTables-compatible interface is used, e.g. an OVS VIF in hybrid mode,
      where the VIF is a tap device connected to OVS with a bridge

    When enabled, libvirt applies IPTables rules to all interface ports that
    provide MAC, IP, and ARP spoofing protection.

    Previously, setting the ``use_ipv6`` config option to ``False`` prevented
    the generation of IPv6 rules even when there were IPv6 subnets available.
    This was fine when using nova-network, where the same config option was
    used to control generation of these subnets. However, a mismatch between
    this nova option and equivalent IPv6 options in neutron would have resulted
    in IPv6 packets being dropped.

    Seeing as there was no apparent reason for not allowing IPv6 traffic when
    the network is IPv6-capable, we now ignore this option. Instead, we use the
    availability of IPv6-capable subnets as an indicator that IPv6 rules should
    be added.
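The following is an added illustrative model of the decision the release note describes, not nova's own firewall driver code: the `network_info` shape, the `legacy` flag and the rule text are simplified assumptions, and the sample addresses are constructed. It shows why a neutron-side IPv6 subnet combined with `use_ipv6 = False` left the VIF with no IPv6 ACCEPT rule under the old gate, and how gating on subnet availability alone fixes that.

```python
from typing import Dict, List, Tuple

# Constructed sample network_info: one VIF with an IPv4 and an IPv6 subnet,
# as neutron would report when IPv6 is enabled on the neutron side.
SAMPLE_NETWORK_INFO = [{
    "address": "fa:16:3e:00:00:01",               # constructed MAC
    "subnets": [
        {"version": 4, "ips": ["10.0.0.5"]},
        {"version": 6, "ips": ["2001:db8::5"]},   # RFC 3849 documentation prefix
    ],
}]


def has_ipv6_subnet(network_info: List[Dict]) -> bool:
    """True if any VIF on the instance has an IPv6-capable subnet."""
    return any(s["version"] == 6 for vif in network_info for s in vif["subnets"])


def ipv6_rules_wanted(network_info: List[Dict], use_ipv6: bool, legacy: bool) -> bool:
    """legacy=True models the pre-change gate (use_ipv6 AND an IPv6 subnet);
    legacy=False models the post-change gate (IPv6 subnet availability only)."""
    if legacy and not use_ipv6:
        return False
    return has_ipv6_subnet(network_info)


def anti_spoof_rules(network_info: List[Dict], use_ipv6: bool,
                     legacy: bool = False) -> Tuple[List[str], List[str]]:
    """Simplified per-VIF anti-spoofing allow-list (assumed rule syntax): a
    frame may only carry the MAC and IP addresses nova assigned to that VIF,
    and the chain otherwise drops. Returns (iptables_rules, ip6tables_rules).
    An empty ip6tables list means no IPv6 ACCEPT rule exists for the VIF, so
    IPv6 traffic from an IPv6-capable port is dropped."""
    v4, v6 = [], []
    want_v6 = ipv6_rules_wanted(network_info, use_ipv6, legacy)
    for vif in network_info:
        for subnet in vif["subnets"]:
            if subnet["version"] == 6 and not want_v6:
                continue  # old behaviour: IPv6 silently skipped when use_ipv6=False
            target = v4 if subnet["version"] == 4 else v6
            for ip in subnet["ips"]:
                target.append(f"-m mac --mac-source {vif['address']} -s {ip} -j ACCEPT")
    if v4:
        v4.append("-j DROP")
    if v6:
        v6.append("-j DROP")
    return v4, v6
```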