14 lines
621 B
YAML
14 lines
621 B
YAML
---
|
|
security:
|
|
- |
|
|
The ``net.bridge.bridge-nf-call-*`` kernel parameters were set to ``0``
|
|
in previous releases to improve performance and it was left up to neutron
|
|
to adjust these parameters when security groups are applied. This could
|
|
cause situations where bridge traffic was not sent through iptables and
|
|
this rendered security groups ineffective. This could allow unexpected
|
|
ingress and egress traffic within the cloud.
|
|
|
|
These kernel parameters are now set to ``1`` on all hosts by the
|
|
``openstack_hosts`` role, which ensures that bridge traffic is always
|
|
sent through iptables.
|