firewall blocking policy is hard coded to DROP

Bug #1013893 reported by Chris Jones
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Wishlist
Assigned to: Michael Still
Milestone: (empty)

Bug Description

nova/virt/firewall.py: IptablesFirewallDriver is hard coded to DROP packets for connections that have not been authorized.
It would be interesting/useful to be able to configure the behaviour in this area (e.g. some installations might choose REJECT to make it more obvious to users what is happening, or even add a LOG as well).

Tags: canonistack
Thierry Carrez (ttx) wrote:

I /think/ Quantum gives you more flexibility in that area...

Changed in nova:
importance: Undecided → Wishlist
status: New → Confirmed
James Troup (elmo)
tags: added: canonistack
Michael Still (mikal) wrote:

This should be pretty easy to do. I'm going to grab this and I'll have a go when havana opens up.

Changed in nova:
assignee: nobody → Michael Still (mikalstill)
Michael Still (mikal)
Changed in nova:
milestone: none → havana-1
OpenStack Infra (hudson-openstack) wrote: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/25208

Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to nova (master)

Reviewed: https://review.openstack.org/25208
Committed: http://github.com/openstack/nova/commit/c9e3d539222233037820b7f74301247f631cd066
Submitter: Jenkins
Branch: master

commit c9e3d539222233037820b7f74301247f631cd066
Author: Michael Still <email address hidden>
Date: Sun Mar 17 01:36:42 2013 +1100

    Make iptables drop action configurable.

    Resolves bug 1013893 by allowing the setting of the iptables drop
    action with a configuration flag. It is expected that this would be
    used to run a LOGDROP action before actually dropping the packet.

    DocImpact: the drop action for iptables rules can now be configured
    for nova-network users with the iptables_drop_action flag.

    Change-Id: I15720d2742955611929a4d7181a269795296e025

Changed in nova:
status: In Progress → Fix Committed
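An added example, not code from nova or from the commit above: it renders iptables-save style rules for a per-instance chain under each of the three drop actions discussed on this page (a plain DROP, a REJECT that tells the sender explicitly, and a LOG-then-DROP chain like the LOGDROP action the commit message mentions). The chain names, the log rate limit and the set of accepted action values are assumptions made for this illustration; the only value taken from the page is the flag name iptables_drop_action.

```python
from typing import List

# Actions the configurable flag may take (assumed set for this example; the
# real flag is iptables_drop_action from the fix's commit message).
ALLOWED_ACTIONS = {"DROP", "REJECT", "LOGDROP"}

# Assumed helper-chain name and rate limit: a LOG rule without a limit can
# flood syslog, so the log-then-drop chain is rate limited.
LOG_CHAIN = "example-logdrop"
LOG_LIMIT = "5/min"


def logdrop_chain_rules(log_prefix: str = "example-drop: ") -> List[str]:
    """Chain that logs a rate-limited sample of the traffic and then drops it."""
    return [
        f"-N {LOG_CHAIN}",
        f'-A {LOG_CHAIN} -m limit --limit {LOG_LIMIT} -j LOG --log-prefix "{log_prefix}"',
        f"-A {LOG_CHAIN} -j DROP",
    ]


def drop_target(drop_action: str) -> str:
    """Map the configured action onto the iptables target the final rule jumps to."""
    if drop_action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported drop action: {drop_action!r}")
    if drop_action == "REJECT":
        # Sender gets an ICMP error instead of a silent timeout.
        return "REJECT --reject-with icmp-port-unreachable"
    return LOG_CHAIN if drop_action == "LOGDROP" else "DROP"


def instance_chain_rules(chain: str, allowed_ports: List[int], drop_action: str) -> List[str]:
    """Per-instance chain: accept the authorised TCP ports, then apply the configured action."""
    rules = logdrop_chain_rules() if drop_action == "LOGDROP" else []
    rules.append(f"-N {chain}")
    for port in allowed_ports:
        rules.append(f"-A {chain} -p tcp --dport {port} -j ACCEPT")
    # Everything not explicitly authorised falls through to the configured action.
    rules.append(f"-A {chain} -j {drop_target(drop_action)}")
    return rules


if __name__ == "__main__":
    for action in sorted(ALLOWED_ACTIONS):
        print(f"# iptables_drop_action = {action}")
        print("\n".join(instance_chain_rules("example-inst-1", [22, 80], action)))
```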
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: havana-1 → 2013.2