[openstack-dev] [neutron][nova] - removing "INVALID drop" iptables rule

Kevin Benton blak111 at gmail.com
Thu Sep 10 22:53:08 UTC 2015


Hi,

I have a patch out in which I want to make sure any allow rules are
processed before the rule that drops packets conntrack deems as INVALID.[1]
This rule interferes with setups where conntrack might not see the first
part of a TCP handshake because of encapsulation in a load balancer
direct-service-return setup.

What I would like to know is why the rule was added in the first place and
if there are any concerns with not processing it before the allow rules.
The only thing I can see that it's really stopping is SYN-ACK probing to
ports the security groups are configured to allow, in which case a SYN
probe would likely work just as well.

Any feedback here or directly on the patch would be great.

1. https://review.openstack.org/#/c/218517/


Cheers
-- 
Kevin Benton
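To make the ordering concern concrete, here is an added example (not code from the post, the patch, or Neutron) that counts how many allow rules in a chain sit after the conntrack INVALID drop, i.e. the rules a packet conntrack marks INVALID can never reach. It assumes allow rules jump to ACCEPT or RETURN (Neutron's per-port chains use RETURN); the chain name and rules are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from Neutron: count the
# allow rules in an iptables chain that sit after the conntrack INVALID drop,
# i.e. the rules a packet conntrack marks INVALID (such as the SYN-ACK half
# of a handshake whose SYN this host never saw) can never reach. Allow rules
# are assumed to jump to ACCEPT or RETURN (Neutron's per-port chains use
# RETURN); the chain name and rules below are constructed for the demo.

# shadowed_allow_rules CHAIN RULESET  ->  prints the count (0 = nothing shadowed)
shadowed_allow_rules() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if ($0 ~ /--(ctstate|state) INVALID/ && $0 ~ /-j DROP/) {
                seen_drop = 1
            } else if (seen_drop && $0 ~ /-j (ACCEPT|RETURN)/) {
                shadowed++
            }
        }
        END { print shadowed + 0 }'
}

# Ordering the post objects to: the INVALID drop precedes the security-group
# allow rules for ports 22 and 80 (constructed chain name).
RULES_DROP_FIRST='-A neutron-openvswi-iDEADBEEF -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-iDEADBEEF -m state --state INVALID -j DROP
-A neutron-openvswi-iDEADBEEF -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-iDEADBEEF -p tcp -m tcp --dport 80 -j RETURN
-A neutron-openvswi-iDEADBEEF -j neutron-openvswi-sg-fallback'

# Ordering the patch proposes: allow rules first, INVALID drop after them.
RULES_ALLOW_FIRST='-A neutron-openvswi-iDEADBEEF -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-iDEADBEEF -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-iDEADBEEF -p tcp -m tcp --dport 80 -j RETURN
-A neutron-openvswi-iDEADBEEF -m state --state INVALID -j DROP
-A neutron-openvswi-iDEADBEEF -j neutron-openvswi-sg-fallback'

echo "drop first:  $(shadowed_allow_rules neutron-openvswi-iDEADBEEF "$RULES_DROP_FIRST") allow rules shadowed"
echo "allow first: $(shadowed_allow_rules neutron-openvswi-iDEADBEEF "$RULES_ALLOW_FIRST") allow rules shadowed"
```

Run it against the output of `iptables-save` on a compute node (substituting the real per-port chain name) to see which security-group allow rules the INVALID drop currently shadows.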