Firewall policy in the virtual router will not take effect when vm has routes to neighbor subnets.
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
New
|
Undecided
|
Unassigned |
Bug Description
According to [1], providing routes for neighbor ipv4 subnets will cause VMs with addresses from different subnets talk to each other directly,bypassing default router. The traffic will not enter the virtual router. The neutron-fWaas project apply firewall rules in the virtual router to contol access between subnets. But now the traffic does not go through the virtual router, the firewall between subnets will not take effect.
I know the neutron-fWaas is deprecated, I use it as an example to describe my confusion. If I want to use the firewall function such as neutron-fWaas, I have to remove the routes to neighbor subnets in the VM to make the traffic pass through the default router. Can we make this feature [1] configuable for flexibility?
tags: |
added: l3-dvr-backlog removed: dvr |