firewall blocking policy is hard coded to DROP

Bug #1013893 reported by Chris Jones on 2012-06-15
This bug affects 1 person
Affects: OpenStack Compute (nova)
Assigned to: Michael Still

Bug Description

nova/virt/ IptablesFirewallDriver is hard coded to DROP packets for connections that have not been authorized.
It would be interesting/useful to be able to configure the behaviour in this area (e.g. some installations might choose REJECT to make it more obvious to users what is happening, or even add a LOG as well)

Thierry Carrez (ttx) wrote :

I /think/ Quantum gives you more flexibility in that area...

Changed in nova:
importance: Undecided → Wishlist
status: New → Confirmed
James Troup (elmo) on 2012-06-18
tags: added: canonistack
Michael Still (mikal) wrote :

This should be pretty easy to do. I'm going to grab this and I'll have a go when havana opens up.

Changed in nova:
assignee: nobody → Michael Still (mikalstill)
Michael Still (mikal) on 2013-03-15
Changed in nova:
milestone: none → havana-1

Fix proposed to branch: master

Changed in nova:
status: Confirmed → In Progress

Submitter: Jenkins
Branch: master

commit c9e3d539222233037820b7f74301247f631cd066
Author: Michael Still <email address hidden>
Date: Sun Mar 17 01:36:42 2013 +1100

    Make iptables drop action configurable.

    Resolves bug 1013893 by allowing the setting of the iptables drop
    action with a configuration flag. It is expected that this would be
    used to run a LOGDROP action before actually dropping the packet.

    DocImpact: the drop action for iptables rules can now be configured
    for nova-network users with the iptables_drop_action flag.

    Change-Id: I15720d2742955611929a4d7181a269795296e025
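The bug description contrasts DROP, REJECT and an added LOG, and the commit message above names LOGDROP as the intended use of the new iptables_drop_action flag. The following Python generator is an added illustration, not nova's IptablesFirewallDriver and not code from this bug: it emits iptables-save style rules for one constructed per-instance chain, takes the terminal action from a drop_action parameter, and defines a LOGDROP chain (LOG, then DROP) when that action is selected. The chain name, the build_rules function, the rate limit and the log prefix are all assumptions made for the example.

```python
"""Constructed example: generate the rules for one instance chain with a
configurable terminal action, in the spirit of bug 1013893. This is not
nova's own driver code; names and values are assumptions."""

# Actions this example accepts for the (assumed) iptables_drop_action flag.
SUPPORTED_ACTIONS = {"DROP", "REJECT", "LOGDROP"}


def build_rules(instance_chain, allowed, drop_action="DROP"):
    """Return a list of iptables-save style rule strings.

    instance_chain: name of the per-instance chain (constructed for the example)
    allowed: list of (proto, port) tuples the security groups permit
    drop_action: value of the assumed iptables_drop_action flag
    """
    if drop_action not in SUPPORTED_ACTIONS:
        raise ValueError("unsupported iptables_drop_action: %r" % drop_action)

    rules = []
    if drop_action == "LOGDROP":
        # LOGDROP is a user-defined chain: record the packet, then DROP it.
        # The limit match keeps a flood of unauthorized packets from filling
        # the kernel log; the rate and prefix are example values.
        rules += [
            "-N LOGDROP",
            '-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "nova-drop: "',
            "-A LOGDROP -j DROP",
        ]

    rules.append("-N %s" % instance_chain)
    # Replies to connections the instance opened are always allowed.
    rules.append("-A %s -m state --state ESTABLISHED,RELATED -j ACCEPT"
                 % instance_chain)
    # One ACCEPT per authorized (proto, port); -p loads the protocol match.
    for proto, port in allowed:
        rules.append("-A %s -p %s --dport %d -j ACCEPT"
                     % (instance_chain, proto, port))

    # Terminal rule: everything not authorized above hits the configured action.
    terminal = "-A %s -j %s" % (instance_chain, drop_action)
    if drop_action == "REJECT":
        # REJECT answers with an ICMP error, so clients fail immediately
        # instead of timing out, which is what the bug report asked for.
        terminal += " --reject-with icmp-host-prohibited"
    rules.append(terminal)
    return rules


if __name__ == "__main__":
    for line in build_rules("nova-compute-inst-1", [("tcp", 22)], "LOGDROP"):
        print(line)
```

Feeding the printed lines to iptables-restore (inside a `*filter` ... `COMMIT` block) would install the chain; the point of the example is only how the hard-coded DROP becomes a parameter and how a log-then-drop target is expressed as a separate chain.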

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-05-29
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in nova:
milestone: havana-1 → 2013.2