Comment 6 for bug 1461054
Revision history for this message
| Darragh O'Reilly (darragh-oreilly) wrote Re: Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent | #6 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
The use case is running a router in a VM. But the anti-spoofing will stop the router forwarding packets with source IP addresses not on the router ports or allowed address pairs. I'm using an openstack version that does not have the portsecurity extension.
A router is expected to forward IP packets from anywhere, so I tried to add all IPv4 address with a subnet with prefix length zero. The API allows subnets, so why not?
If you accept that 0.0.0.0/0 is valid for the API, then one solution would be to apply it behind the scenes as a special case using 2 ipset rules with prefix length one - 0.0.0.0/1 and 128.0.0.0/1. Otherwise we can just reject it at the API level, and users will still be able to allow all with
neutron port-update $PORT_ID --allowed_