[ironic][neutron] nf_conntrack_helper now disabled by default

Julia Kreger juliaashleykreger at gmail.com
Mon Jan 7 17:42:23 UTC 2019


On Mon, Jan 7, 2019 at 9:11 AM Clark Boylan <cboylan at sapwetik.org> wrote:
>
> On Mon, Jan 7, 2019, at 8:48 AM, Julia Kreger wrote:
[trim]
> >
> > Doing so allows us to raise this behavior change to operators, minimizing the
> > need of them having to troubleshoot it in production, and gives them a choice
> > in the direction that they wish to take.
>
> https://home.regit.org/netfilter-en/secure-use-of-helpers/ seems to cover this. Basically you should explicitly enable specific helpers when you need them rather than relying on the auto helper rules.
>
> Maybe even avoid the configuration option entirely if ironic and neutron can set the required helper for tftp when tftp is used?
>
Great link Clark, thanks!

It could be viable to ask operators to explicitly set their security
groups for tftp to be passed.

I guess we actually have multiple cases where there are issues and the
only non-impacted case is when the ironic conductor host is directly
attached to the flat network the machine is booting from. In the case
of a flat network, it doesn't seem viable for us to change rules
ad hoc since we would need to be able to signal that the helper is
needed, but it does seem viable to say "make sure connectivity works x
way". Whereas with multitenant networking, we use dedicated networks,
so conceivably it is just a static security group setting that an
operator can keep in place. Explicit static rules like that seem less
secure to me without conntrack helpers. :(

Does anyone in Neutron land have any thoughts?

> >
> > [trim]
> >
>
> [more trimming]
>
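The pattern Clark's link describes, pinning the tftp helper to one flow with the CT target instead of relying on automatic helper assignment, as an added example. This is not code from the thread, from ironic or from neutron; the server address 192.0.2.10, the chain layout and the function names are assumptions for illustration, and the generated commands are meant for the host that serves TFTP (the conductor in the flat-network case Julia describes).

```shell
#!/bin/sh
# Added example, not part of the original thread. Shows the difference
# between the legacy "turn automatic helper assignment back on" fix and
# the explicit per-flow helper assignment the linked article recommends.
# Assumptions (hypothetical): TFTP is served on 192.0.2.10 udp/69 and
# the host uses the filter INPUT chain for inbound policy.

# Report the state of the nf_conntrack_helper sysctl: "1" (automatic
# helper assignment on), "0" (off, the new default), or "absent" when the
# knob is not exposed (nf_conntrack not loaded, or a kernel without it).
helper_sysctl_state() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# The weak fix: re-enable automatic assignment for every helper on every
# port. This restores the old behavior but attaches ALGs to traffic that
# merely happens to use a well-known port, which is what the default
# change was meant to stop. Emitted for comparison only.
legacy_enable_all_helpers() {
    echo 'sysctl -w net.netfilter.nf_conntrack_helper=1'
}

# The recommended fix: load the tftp helper module and bind it only to
# flows destined for the TFTP server. The CT target is valid in the raw
# table, so the helper is assigned before conntrack sees the packet; the
# RELATED rule then admits the data transfer the helper expects.
# Arguments: server IP, UDP port (default 69).
tftp_helper_rules() {
    ip=$1
    port=${2:-69}
    cat <<EOF
modprobe nf_conntrack_tftp
iptables -t raw -A PREROUTING -p udp -d $ip --dport $port -j CT --helper tftp
iptables -A INPUT -p udp -d $ip --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Stand-alone usage: print the current state and the rules to apply.
# Piping tftp_helper_rules into sh would apply them on a real host.
if [ "${1:-}" = "--show" ]; then
    echo "nf_conntrack_helper: $(helper_sysctl_state)"
    echo "# legacy (not recommended):"
    legacy_enable_all_helpers
    echo "# explicit helper assignment:"
    tftp_helper_rules 192.0.2.10
fi
```

Run it with `--show` to see both variants side by side; on a host where the sysctl reads `absent`, only the explicit CT rules are relevant, since there is no automatic assignment to re-enable. With multitenant networking the same CT rule still needs to exist wherever conntrack is applied to the provisioning flow, which is why a static security group rule on udp/69 alone is not equivalent.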