[ironic][neutron] nf_conntrack_helper now disabled by default

Julia Kreger juliaashleykreger at gmail.com
Mon Jan 7 17:42:23 UTC 2019

On Mon, Jan 7, 2019 at 9:11 AM Clark Boylan <cboylan at sapwetik.org> wrote:
> On Mon, Jan 7, 2019, at 8:48 AM, Julia Kreger wrote:
> >
> > Doing so, allows us to raise this behavior change to operators minimizing the
> > need of them having to troubleshoot it in production, and gives them a choice
> > in the direction that they wish to take.
> https://home.regit.org/netfilter-en/secure-use-of-helpers/ seems to cover this. Basically you should explicitly enable specific helpers when you need them rather than relying on the auto helper rules.
> Maybe even avoid the configuration option entirely if ironic and neutron can set the required helper for tftp when tftp is used?
Great link Clark, thanks!

It could be viable to ask operators to explicitly set their security
groups for tftp to be passed.

I guess we actually have multiple cases where there are issues and the
only non-impacted case is when the ironic conductor host is directly
attached to the flat network the machine is booting from. In the case
of a flat network, it doesn't seem viable for us to change rules
ad-hoc since we would need to be able to signal that the helper is
needed, but it does seem viable to say "make sure connectivity works x
way". Where as with multitenant networking, we use dedicated networks,
so conceivably it is just a static security group setting that an
operator can keep in place. Explicit static rules like that seem less
secure to me without conntrack helpers. :(

Does anyone in Neutron land have any thoughts?

> >
> > [trim]
> >
> [more trimming]

More information about the openstack-discuss mailing list