metadata-ipv6: Accept link local address in X-Forwarded-For
Reviewed: https://review.opendev.org/718729
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a818c41c25c33a3491254c74f33b7d273fb16f1b
Submitter: Zuul
Branch: master
commit a818c41c25c33a3491254c74f33b7d273fb16f1b
Author: Bence Romsics <email address hidden>
Date: Thu Apr 9 16:49:00 2020 +0200
metadata-ipv6: Accept link local address in X-Forwarded-For
In the spec we said:
"""
When the metadata proxy processes a request, it gathers the L2 addresses
of a VM, and the source interface, and passes it to the metadata service.
The Metadata service, instead of using the VM IP, uses the "VM MAC" and
"Gateway MAC" to identify the instance.
"""
But since we switched from the home-grown metadata-ns-proxy to haproxy
we no longer control some of the headers included, like X-Forwarded-For.
haproxy allows us to turn X-Forwarded-For on or off, but it cannot
give us an X-Forwarded-For-MAC header.
Instead it seems we have to rely on the source address being the IPv6
link local address generated from the NIC's MAC address as specified
in RFC 4291:
https://tools.ietf.org/html/rfc4291#section-2.5.6
https://tools.ietf.org/html/rfc4291#appendix-A

Note that means you cannot use IPv6 Privacy Extensions:
https://tools.ietf.org/html/rfc4941
Change-Id: Ife592fcfc69e26f61ec1f45c06821cb025cc7cf2
Closes-Bug: #1460177
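
The address-to-MAC mapping the commit message relies on (RFC 4291 Appendix A, modified EUI-64), as an added example that is not part of the commit or of neutron's code. The function name and the sample addresses are constructed for illustration, and the input is assumed to be the single address the proxy placed in X-Forwarded-For.

```python
import ipaddress

# RFC 4291 section 2.5.6: link-local unicast is fe80:: followed by 54 zero
# bits and a 64-bit interface identifier.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")


def mac_from_link_local(addr):
    """Return the MAC embedded in a modified EUI-64 link-local address.

    Returns None when the address is not in fe80::/64 or when its interface
    identifier was not built from a 48-bit MAC (for example an RFC 4941
    privacy address), so the caller can refuse to identify an instance.
    """
    try:
        # Drop an optional zone id such as "%tap0" before parsing.
        ip = ipaddress.IPv6Address(addr.strip().split("%", 1)[0])
    except ValueError:
        return None                      # IPv4, empty or malformed value
    if ip not in LINK_LOCAL:
        return None
    iid = ip.packed[8:]                  # low 64 bits: interface identifier
    if iid[3:5] != b"\xff\xfe":          # Appendix A inserts ff:fe mid-MAC
        return None
    # Remove ff:fe and flip the universal/local bit (0x02) of octet 0 back.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed sample header values, not taken from the bug report.
    samples = [
        "fe80::f816:3eff:fe12:3456",      # EUI-64 from fa:16:3e:12:34:56
        "fe80::f816:3eff:fe12:3456%tap0", # same address with a zone id
        "fe80::1c2d:3e4f:5a6b:7c8d",      # no ff:fe marker: MAC not recoverable
        "2001:db8::f816:3eff:fe12:3456",  # EUI-64 shaped but not link-local
        "10.0.0.5",                       # IPv4 source address
    ]
    for value in samples:
        print(f"{value:34} -> {mac_from_link_local(value)}")
```

An interface identifier that lacks the ff:fe marker yields None, which is the case the commit message's note about IPv6 Privacy Extensions describes.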