Hi Akihiro, Daniel
@Daniel,
We changed the parameter a little bit
vif_security: {
require_securitygroup : boolean # If True, Quantum does not provide security group feature and Nova requires to provide security group feature,
prevent_spoofing : boolean # If True, Nova requires to setup IP/MAC spoofing filters (Quantum does not provide it). get_firewall_required() in libvirt/vif.py is expected to return True,
require_iptables : boolean # If True, Nova needs to make sure iptables works. If a bridge is
}
@Akihiro
I agree with you. Maybe this dynamic configuration may not be in G.
However, we should have the function, so IMO it is good to update the Quantum side first.
(or maybe we should wait to add the parameter)
IMO prevent_spoofing is for both (a) rules to allow DHCP/RA packets and (b) rules to prevent IP/MAC spoofing.
The reason is that allowing only Quantum's DHCP/RA server is for DHCP/RA spoofing. So IMO, both (a) and (b) are for preventing spoofing.