Comment 28 for bug 1460177

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/718729
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a818c41c25c33a3491254c74f33b7d273fb16f1b
Submitter: Zuul
Branch: master

commit a818c41c25c33a3491254c74f33b7d273fb16f1b
Author: Bence Romsics <email address hidden>
Date: Thu Apr 9 16:49:00 2020 +0200

    metadata-ipv6: Accept link local address in X-Forwarded-For

    In the spec we said:
    """
    When the metadata proxy processes a request, it gathers the L2 addresses
    of a VM, and the source interface, and passes it to the metadata service.

    The Metadata service, instead of using the VM IP, uses the "VM MAC" and
    "Gateway MAC" to identify the instance.
    """

    But since we switched from the home-grown metadata-ns-proxy to haproxy
    we no longer control some of the headers included, like X-Forwarded-For.
    haproxy allows us to turn X-Forwarded-For on or off, but it cannot
    give us an X-Forwarded-For-MAC header.

    Instead it seems we have to rely on the source address being the IPv6
    link local address generated from the NIC's MAC address as specified
    in RFC 4291:
    https://tools.ietf.org/html/rfc4291#section-2.5.6
    https://tools.ietf.org/html/rfc4291#appendix-A

    Note that means you cannot use IPv6 Privacy Extensions:
    https://tools.ietf.org/html/rfc4941

    Change-Id: Ife592fcfc69e26f61ec1f45c06821cb025cc7cf2
    Closes-Bug: #1460177
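
The address mapping the commit message relies on (RFC 4291 Appendix A, modified EUI-64), as an added example that is not code from the neutron commit: it builds the link-local address for a MAC and recovers the MAC from an X-Forwarded-For value, returning nothing for addresses that do not carry the EUI-64 marker, such as those produced by Privacy Extensions. The function names, the sample MAC and the assumption that the header holds a single address are illustrative.

```python
import ipaddress

# RFC 4291 section 2.5.6: link-local unicast is fe80:: plus a 64-bit interface ID.
LINK_LOCAL = ipaddress.ip_network("fe80::/64")


def mac_to_link_local(mac):
    """Build the RFC 4291 Appendix A link-local address for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Modified EUI-64: flip the universal/local bit and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(LINK_LOCAL.network_address.packed[:8] + iid))


def link_local_to_mac(header_value):
    """Return the MAC encoded in a link-local X-Forwarded-For value, or None.

    Assumes the header carries a single address (hypothetical helper).
    """
    try:
        # Drop a zone id such as "%eth0" before parsing.
        addr = ipaddress.IPv6Address(header_value.strip().split("%")[0])
    except ValueError:
        return None  # IPv4 or malformed value
    if addr not in LINK_LOCAL:
        return None  # not a link-local address
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # interface ID not derived from a MAC (e.g. RFC 4941)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)


if __name__ == "__main__":
    # Constructed sample values, not taken from the bug report.
    for value in (mac_to_link_local("fa:16:3e:11:22:33"),
                  "fe80::1c2d:3e4f:5a6b:7c8d",
                  "10.0.0.5"):
        print(value, "->", link_local_to_mac(value))
```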