neutron

  1. Bug #1501206
  2. Comment #31

Comment 31 for bug 1501206

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.openstack.org/633210
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f599c15e33f72d44a18f10cd71a0fc9b13b35080
Submitter: Zuul
Branch: stable/queens

commit f599c15e33f72d44a18f10cd71a0fc9b13b35080
Author: Jens Harbott <email address hidden>
Date: Mon Oct 29 17:08:33 2018 +0000

    Secure dnsmasq process against external abuse

    Currently any dhcp agent instance will work as an open resolver. For
    deployments using publicly routed addresses for tenant networks, this
    allows the agent being abused in dDoS attacks, see [1].

    By setting the `--local-service` option dnsmasq will filter DNS queries
    and reply only to queries from directly attached networks.

    [1] https://bugs.launchpad.net/neutron/+bug/1501206

    Conflicts:
        neutron/cmd/sanity_check.py

    Closes-Bug: 1501206
    Change-Id: I76d810aad2ce0f15a88bd798963012fa0efca74e
    (cherry picked from commit 0fce3ca2c1641fbcfb8327a86d7225e2c3972263)