Security Group ingress filtering doesn't work if traffic is routed

Bug #659135 reported by Soren Hansen
This bug affects 1 person
Affects: OpenStack Compute (nova)
Importance: Medium
Assigned to: Soren Hansen

Bug Description

Security Group ingress filtering doesn't work for routed traffic. I.e., if the VMs are connected to a bridge and traffic comes into the host on an interface that isn't on the same bridge, the incoming traffic escapes filtering. This is due to a shortcoming in libvirt's nwfilter code, which didn't get updated in response to a change in the Linux kernel that removed support for --physdev-out filtering for non-bridged traffic.

https://bugzilla.redhat.com/show_bug.cgi?id=642171
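
An audit sketch for the condition described in this report, added here as an example and not taken from nova or libvirt: it reads `iptables-save` output and lists user-defined chains that are entered only through `--physdev-out` rules, which routed packets never match. The ruleset, chain names, interface names and addresses below are constructed for illustration.

```python
from collections import defaultdict

# Constructed iptables-save excerpt (chains, ports and addresses are made up).
SAMPLE = """\
*filter
:FORWARD ACCEPT [0:0]
:vm-a-in - [0:0]
:vm-b-in - [0:0]
-A FORWARD -m physdev --physdev-out vnet0 -j vm-a-in
-A FORWARD -d 10.0.0.6/32 -j vm-b-in
-A vm-a-in -p tcp -m tcp --dport 22 -j ACCEPT
-A vm-a-in -j DROP
-A vm-b-in -p tcp -m tcp --dport 22 -j ACCEPT
-A vm-b-in -j DROP
COMMIT
"""

# Terminal targets that are not user-defined chains.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE"}


def parse_rules(text):
    """Yield (chain, tokens) for every '-A <chain> ...' line."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "-A":
            yield tokens[1], tokens[2:]


def option(tokens, name):
    """Return the argument that follows option `name`, or None if absent."""
    if name in tokens:
        idx = tokens.index(name)
        if idx + 1 < len(tokens):
            return tokens[idx + 1]
    return None


def chains_skipped_by_routed_traffic(text):
    """Map each user chain reachable only via --physdev-out to its bridge ports."""
    entries = defaultdict(list)  # target chain -> physdev-out port (or None) per entry rule
    for _chain, tokens in parse_rules(text):
        target = option(tokens, "-j") or option(tokens, "-g")
        if target and target not in BUILTIN_TARGETS:
            entries[target].append(option(tokens, "--physdev-out"))
    # A chain is exposed when every rule leading into it depends on --physdev-out.
    return {t: sorted(p) for t, p in entries.items() if all(p)}


if __name__ == "__main__":
    for chain, ports in chains_skipped_by_routed_traffic(SAMPLE).items():
        print(f"{chain}: entered only via --physdev-out {', '.join(ports)}")
```

On the constructed ruleset, `vm-a-in` is reported because its only entry rule matches on the bridge port, while `vm-b-in` is entered by destination address and therefore also sees routed packets.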

Rick Clark (dendrobates)
Changed in nova:
importance: Undecided → Low
Soren Hansen (soren)
Changed in nova:
status: New → Confirmed
Thierry Carrez (ttx)
Changed in nova:
assignee: nobody → Soren Hansen (soren)
importance: Low → Medium
status: Confirmed → In Progress
Soren Hansen (soren) wrote :

Fixed by providing a new iptables backend.

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → 2011.1
status: Fix Committed → Fix Released