Comment 15 for bug 1274034

Édouard Thuleau (ethuleau) wrote :

@Kevin: Thanks for your backportable patch. I still need to rebase and propose my patch (some UTs need to be coded).

@Xu Han Peng: Thanks for creating that patch to prevent RA and FHS IPv6 directly to the egress traffic port.

When I was writing my patch, I thought it could be better to separate first hop security port (spoofing, ARP, DHCP, RA, ND...) from the security group. I think they're two different things. For example, actually, to protect against DHCP spoofing, we add a provider security group to the security group of a port. But that security group is not visible to the user.
To separate FHS from SG, we need to implement specific RPC calls between API servers and agents. It's a huge amount of work.
Any thoughts?