30 lines
1.3 KiB
YAML
30 lines
1.3 KiB
YAML
---
|
|
upgrade:
|
|
- |
|
|
The libvirt driver port filtering feature will now ignore the
|
|
``allow_same_net_traffic`` config option.
|
|
|
|
The libvirt driver provides port filtering capability. This capability
|
|
is enabled when the following is true:
|
|
|
|
- The ``nova.virt.libvirt.firewall.IptablesFirewallDriver`` firewall driver
|
|
is enabled
|
|
- Security groups are disabled
|
|
- Neutron port filtering is disabled/unsupported
|
|
- An IPTables-compatible interface is used, e.g. an OVS VIF in hybrid mode,
|
|
where the VIF is a tap device connected to OVS with a bridge
|
|
|
|
When enabled, libvirt applies IPTables rules to all interface ports that
|
|
provide MAC, IP, and ARP spoofing protection.
|
|
|
|
Previously, setting the `allow_same_net_traffic` config option to `True`
|
|
allowed for same network traffic when using these port filters. This was
|
|
the default case and was the only case tested. Setting this to `False`
|
|
disabled same network traffic *when using the libvirt driver port filtering
|
|
functionality only*, however, this was neither tested nor documented.
|
|
|
|
Given that there are other better documented and better tested ways to
|
|
approach this, such as through use of neutron's native port filtering or
|
|
security groups, this functionality has been removed. Users should instead
|
|
rely on one of these alternatives.
|