On Mon, Jan 7, 2019 at 9:11 AM Clark Boylan <cboylan@sapwetik.org> wrote:
> On Mon, Jan 7, 2019, at 8:48 AM, Julia Kreger wrote:
> > [trim]
> > Doing so allows us to raise this behavior change to operators, minimizing the need for them to troubleshoot it in production, and gives them a choice in the direction that they wish to take.
>
> https://home.regit.org/netfilter-en/secure-use-of-helpers/ seems to cover this. Basically you should explicitly enable specific helpers when you need them rather than relying on the auto helper rules.
>
> Maybe even avoid the configuration option entirely if ironic and neutron can set the required helper for tftp when tftp is used?
Great link Clark, thanks! It could be viable to ask operators to explicitly set their security groups for tftp to be passed. I guess we actually have multiple cases where there are issues, and the only non-impacted case is when the ironic conductor host is directly attached to the flat network the machine is booting from. In the case of a flat network, it doesn't seem viable for us to change rules ad hoc, since we would need to be able to signal that the helper is needed, but it does seem viable to say "make sure connectivity works x way". Whereas with multitenant networking, we use dedicated networks, so conceivably it is just a static security group setting that an operator can keep in place. Explicit static rules like that seem less secure to me without conntrack helpers. :( Does anyone in Neutron land have any thoughts?
[trim]
[more trimming]
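The "explicitly enable the helper instead of relying on automatic helper assignment" approach from the regit.org link, spelled out for tftp as an added example. This is not code from the thread, from ironic or from neutron; it is a stand-alone host-side illustration. It assumes the host runs a TFTP server on udp/69, that the `nf_conntrack_tftp` module is available, that the `net.netfilter.nf_conntrack_helper` sysctl still exists on the kernel in use, and that `apply_tftp_helper` is run as root. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or any OpenStack project.
# Scope the tftp conntrack helper to udp/69 with an explicit CT rule and
# turn off automatic helper assignment, so no other flow can attach a helper.

# Rule set in iptables-restore format, kept as text so it can be reviewed
# before it is applied. Assumed: TFTP server on udp/69 on this host.
tftp_helper_rules() {
    cat <<'EOF'
*raw
-A PREROUTING -p udp --dport 69 -j CT --helper tftp
COMMIT
*filter
-A INPUT -p udp --dport 69 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED -m helper --helper tftp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Check: every RELATED accept must be tied to a named helper via -m helper,
# otherwise an unrelated helper-created expectation could open the port.
related_rules_name_a_helper() {
    if tftp_helper_rules | grep -- '--ctstate RELATED' | grep -qv -- '-m helper --helper'; then
        return 1
    fi
    return 0
}

# Check: the helper is attached by an explicit CT target, not auto-loaded.
helper_is_explicitly_assigned() {
    tftp_helper_rules | grep -q -- '-j CT --helper tftp'
}

# Apply on a live host (root required). Assumed sysctl name per the linked
# article; kernels that have dropped it simply never auto-assign helpers.
apply_tftp_helper() {
    sysctl -w net.netfilter.nf_conntrack_helper=0
    modprobe nf_conntrack_tftp
    tftp_helper_rules | iptables-restore -n
}
```

The important line is the raw-table CT rule: without it, and with automatic assignment disabled, the tftp data transfer (which runs between a fresh port pair chosen after the request on port 69) is never tracked as RELATED and is dropped, which is the failure mode the thread is describing from the other direction. With the `-m helper --helper tftp` match on the RELATED accept, only expectations created by the tftp helper open the port, not expectations from any helper that happens to be loaded.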