Security Group ingress filtering doesn't work if traffic is routed
Bug #659135 reported by
Soren Hansen
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Fix Released
|
Medium
|
Soren Hansen | ||
Bug Description
Security Group ingress filtering doesn't for routed traffic. I.e. if the VM's are connected to a bridge, traffic coming into the host on an interface that isn't on the same bridge, the incoming traffic escapes filtering. This is due to a shortcoming in libvirt's nwfilter code which didn't get updated in response to a change in the linux kernel that removed support for --physdev-out filtering for non-bridged traffic.
Related branches
lp:~soren/nova/iptables-security-groups
- Vish Ishaya (community): Approve
- Eric Day (community): Approve
- Thierry Carrez (community): Needs Fixing
-
Diff: 118 lines (+32/-12)1 file modifiednova/virt/libvirt_conn.py (+32/-12)
Revision history for this message
| Soren Hansen (soren) wrote | #1 |
| Changed in nova: | |
| importance: | Undecided → Low |
| Changed in nova: | |
| status: | New → Confirmed |
| Changed in nova: | |
| assignee: | nobody → Soren Hansen (soren) |
| importance: | Low → Medium |
| status: | Confirmed → In Progress |
Revision history for this message
| Soren Hansen (soren) wrote | #2 |
| Changed in nova: | |
| status: | In Progress → Fix Committed |
| Changed in nova: | |
| milestone: | none → 2011.1 |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
https:/