OpenStack Compute (nova)

dhcp isolation via iptables does not work

Bug #1318104 reported by Vish Ishaya on 2014-05-10

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Medium	Vish Ishaya	OpenStack Compute (nova) 2014.2 "juno"
	Icehouse	Fix Released	Medium	Matt Riedemann	OpenStack Compute (nova) 2014.1.5

Bug Description

Attempting to block iptables across the bridge via iptables rules is not working. The iptables rules are never hit. blocking dhcp traffic from exiting the node will need to use ebtables instead.

Revision history for this message

Vish Ishaya (vishvananda) wrote on 2014-05-10:

https://review.openstack.org/#/c/93163/

Changed in nova:
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Vish Ishaya (vishvananda)
tags:	added: icehouse-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-06-26: Fix merged to nova (master)

Reviewed: https://review.openstack.org/93163
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=1236b09076cca3b4b16538b055e52edde5a4feea
Submitter: Jenkins
Branch: master

commit 1236b09076cca3b4b16538b055e52edde5a4feea
Author: Vishvananda Ishaya <email address hidden>
Date: Fri May 9 18:03:48 2014 -0700

Use ebtables to isolate dhcp traffic

    Iptables doesn't properly block the broadcast traffic crossing
    the bridge, so use ebtables instead. Removes test which is no
    longer valid since we are not using iptables anymore.

Change-Id: I43e5f1fe9512dd3ec9595c7203bc46837cef3cad
Closes-Bug: #1318104

Changed in nova:
status:	In Progress → Fix Committed

Russell Bryant (russellb) on 2014-07-23

Changed in nova:
milestone:	none → juno-2
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in nova:
milestone:	juno-2 → 2014.2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-11: Fix proposed to nova (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/190701

Alan Pevec (apevec) on 2015-06-11

tags:

removed: icehouse-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-11:

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/190826

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-11: Change abandoned on nova (stable/icehouse)

Change abandoned by Matt Riedemann (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/190701
Reason: Here is the proper cherry pick:

https://review.openstack.org/#/c/190826/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-16: Fix merged to nova (stable/icehouse)

Reviewed: https://review.openstack.org/190826
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=74295ed4d0295687919f00b2085893b57a4310f0
Submitter: Jenkins
Branch: stable/icehouse

commit 74295ed4d0295687919f00b2085893b57a4310f0
Author: Vishvananda Ishaya <email address hidden>
Date: Fri May 9 18:03:48 2014 -0700

Use ebtables to isolate dhcp traffic

    Iptables doesn't properly block the broadcast traffic crossing
    the bridge, so use ebtables instead. Removes test which is no
    longer valid since we are not using iptables anymore.

Conflicts:
nova/tests/network/test_linux_net.py

    Change-Id: I43e5f1fe9512dd3ec9595c7203bc46837cef3cad
    Closes-Bug: #1318104
    (cherry picked from commit 1236b09076cca3b4b16538b055e52edde5a4feea)

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1415592

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.