Comment 10 for bug 1515799

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/neutron (openstack-ci/fuel-6.1/2014.2)

Reviewed: https://review.fuel-infra.org/14560
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-6.1/2014.2

Commit: c6452a712e2cdd7b66329cd2cdaf41f9ce7027f1
Author: Kevin Benton <email address hidden>
Date: Thu Dec 10 14:30:46 2015

Process user iptables rules before INVALID

Process user-defined iptables rules before the INVALID DROP
rule. This is to allow scenarios where the VMs need to
legitimately receive packets that conntrack doesn't have an
entry for (e.g. SYN-ACK where the SYN wasn't sent by the VM).
A user can accomplish this by adding an allow rule that matches
the headers of these INVALID packets so they get permitted before
they hit the INVALID DROP rule.

Closes-Bug: #1515799

Cherry-pick from 58904f3626cdf09006bbb8ac9e60f9a24298f01e
Change-Id: Ie6ce5f3fa688f1bf25b77db5955211922d9fe85b
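
The ordering change described in the commit message above, as an added example that is not part of the commit or of Neutron's code: a first-match model of one filter chain evaluated with the INVALID DROP rule first and then with user rules first. The rule names, the position of the established and fallback rules, the ACCEPT target and the sample packets are assumptions made for illustration.

```python
import ipaddress

# Constructed first-match model of one per-port filter chain (not Neutron code).
# Where ESTABLISHED and FALLBACK sit in the chain is an assumption.
INVALID_DROP = ("invalid-drop", lambda p: p["ctstate"] == "INVALID", "DROP")
ESTABLISHED = ("established",
               lambda p: p["ctstate"] in ("ESTABLISHED", "RELATED"), "ACCEPT")
FALLBACK = ("fallback", lambda p: True, "DROP")


def user_rule(proto, dport, cidr):
    """A user-defined allow rule: matches on headers only, never on state."""
    net = ipaddress.ip_network(cidr)

    def match(pkt):
        return (pkt["proto"] == proto and pkt["dport"] == dport
                and ipaddress.ip_address(pkt["src"]) in net)
    return ("user-allow", match, "ACCEPT")


def build_chain(user_rules, user_rules_first):
    """False: INVALID DROP leads the chain. True: user rules precede it."""
    if user_rules_first:
        return [ESTABLISHED, *user_rules, INVALID_DROP, FALLBACK]
    return [INVALID_DROP, ESTABLISHED, *user_rules, FALLBACK]


def evaluate(chain, pkt):
    """Return (verdict, rule name) for the first rule that matches."""
    for name, match, target in chain:
        if match(pkt):
            return target, name
    return "DROP", "policy"


def pkt(dport, src, ctstate):
    return {"proto": "tcp", "dport": dport, "src": src, "ctstate": ctstate}


# Constructed sample packets; addresses come from documentation ranges.
PACKETS = {
    "syn_ack_no_syn": pkt(8080, "192.0.2.10", "INVALID"),
    "stray_invalid": pkt(22, "198.51.100.7", "INVALID"),
    "new_conn": pkt(8080, "192.0.2.10", "NEW"),
}
RULES = [user_rule("tcp", 8080, "192.0.2.0/24")]


def compare():
    """Map each packet label to (verdict before, verdict after) the reorder."""
    before = build_chain(RULES, user_rules_first=False)
    after = build_chain(RULES, user_rules_first=True)
    return {k: (evaluate(before, p), evaluate(after, p)) for k, p in PACKETS.items()}
```

In this model the user rule matches on headers alone, so after the reorder it admits every INVALID packet with those headers; the narrower the match, the less state checking is given up.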