Currently devops defines networks in random order, and depending on which network is created first, routing between the public and management networks may or may not be enabled, because the icmp-port-unreachable REJECT rule is inserted either before or after the other network's rules.
When the public network is created before the management network we get
-A FORWARD -s <pub_subnet> -i <pub_fuelbr> -j ACCEPT
<cut>
-A FORWARD -i <admin_fuelbr> -j REJECT --reject-with icmp-port-unreachable
When the management interface is created first we get
-A FORWARD -i <admin_fuelbr> -j REJECT --reject-with icmp-port-unreachable
<cut>
-A FORWARD -s <pub_subnet> -i <pub_fuelbr> -j ACCEPT
which leads to different behavior, since iptables applies the first matching rule.
Expected behavior: no access from the public network to the management network, regardless of the order in which the networks are created.
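A small audit script, added here as an example and not part of the original report or of devops itself, that parses `iptables -S FORWARD` output and flags the ordering the report describes: it reports the positions of the public-subnet ACCEPT and the admin-bridge REJECT and whether the REJECT comes first. The bridge names and subnet are constructed stand-ins for <pub_fuelbr>, <admin_fuelbr> and <pub_subnet>.

```python
import shlex

# Constructed stand-ins for the report's <pub_fuelbr>, <admin_fuelbr>, <pub_subnet>.
PUB_BRIDGE, ADMIN_BRIDGE, PUB_SUBNET = "fuelbr1", "fuelbr0", "172.16.0.0/24"

# Constructed dumps mirroring the two orderings in the report ("<cut>" rules omitted).
PUB_FIRST = """-P FORWARD ACCEPT
-A FORWARD -s 172.16.0.0/24 -i fuelbr1 -j ACCEPT
-A FORWARD -i fuelbr0 -j REJECT --reject-with icmp-port-unreachable
"""
MGMT_FIRST = """-P FORWARD ACCEPT
-A FORWARD -i fuelbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 172.16.0.0/24 -i fuelbr1 -j ACCEPT
"""


def parse_rules(dump):
    """Parse `iptables -S` output into ordered (chain, opts, target) tuples."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue  # -P / -N lines carry no match and do not affect ordering
        opts, target, i = {}, None, 2
        while i < len(tok):
            if tok[i] == "-j":
                target = tok[i + 1]
                i += 2
            elif tok[i].startswith("-") and i + 1 < len(tok):
                opts[tok[i]] = tok[i + 1]  # e.g. "-i": "fuelbr0", "--reject-with": "..."
                i += 2
            else:
                i += 1  # bare tokens such as "!" are not needed for this check
        rules.append((tok[1], opts, target))
    return rules


def audit_forward_order(dump):
    """Return (accept_idx, reject_idx, ok). ok is True only when the admin-bridge
    REJECT precedes the public-subnet ACCEPT, the order the report expects."""
    accept_idx = reject_idx = None
    for idx, (chain, opts, target) in enumerate(parse_rules(dump)):
        if chain != "FORWARD":
            continue
        if (target == "ACCEPT" and opts.get("-i") == PUB_BRIDGE
                and opts.get("-s") == PUB_SUBNET and accept_idx is None):
            accept_idx = idx
        if target == "REJECT" and opts.get("-i") == ADMIN_BRIDGE and reject_idx is None:
            reject_idx = idx
    ok = accept_idx is not None and reject_idx is not None and reject_idx < accept_idx
    return accept_idx, reject_idx, ok
```

Feed it the live chain with `iptables -S FORWARD` to confirm the REJECT lands before the ACCEPT on a deployed host.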