Hello all:
To sum up the bug: in the iptables FW, non-IGMP multicast traffic from 224.0.0.x was blocked; this is not happening in the OVS FW.
That was discussed today in the Neutron meeting [1]. We face two possible situations here:
- If we block this traffic now, some deployments using the OVS FW will experience an unexpected network blockage.
- Deployments migrating from iptables to the OVS FW now won't be able to explicitly allow this traffic (or block it by default). This also breaks the current API, because some rules won't have any effect (those allowing this traffic).
A possible solution is to add a new knob in the FW configuration; this config option will allow blocking this traffic by default or not. Remember that the FW can only create permissive rules, not blocking ones.
Any feedback is welcome!
Regards.
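The following is an added illustration of the two behaviours described in the message and of how the proposed knob would sit between them; it is not Neutron code and not the author's. The option name `block_link_local_mcast`, the packet/rule shapes and the sample packets are assumptions made for the example; so is the reading that IGMP to 224.0.0.0/24 is always allowed (the message says only that non-IGMP traffic was blocked).

```python
"""Model of a default-deny knob for link-local multicast (224.0.0.0/24)
interacting with security-group rules.

Added example, not Neutron's implementation. Option name, data shapes and
sample packets are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")
IGMP = 2  # IP protocol number


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet: destination address, IP protocol, L4 port."""
    dst: str
    proto: int
    dport: Optional[int] = None


@dataclass(frozen=True)
class AllowRule:
    """A security-group rule. There is deliberately no 'deny' variant: the
    FW can only create permissive rules, as the message notes."""
    proto: Optional[int] = None   # None matches any protocol
    cidr: Optional[str] = None    # None matches any destination
    port: Optional[int] = None    # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.cidr is not None and (
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.cidr)):
            return False
        if self.port is not None and pkt.dport != self.port:
            return False
        return True


def is_link_local_mcast(pkt: Packet) -> bool:
    return ipaddress.ip_address(pkt.dst) in LINK_LOCAL_MCAST


def decide(pkt: Packet, rules: List[AllowRule],
           block_link_local_mcast: bool) -> Tuple[str, str]:
    """Return ('allow' | 'drop', reason).

    block_link_local_mcast=False models today's OVS FW: non-IGMP traffic to
    224.0.0.0/24 passes before the rules are consulted, so a rule allowing
    it changes nothing.
    block_link_local_mcast=True models the iptables FW: that traffic is
    subject to the rules like anything else and, because no deny rule
    exists, is dropped unless a permissive rule matches.
    """
    if is_link_local_mcast(pkt):
        if pkt.proto == IGMP:
            return ("allow", "IGMP to 224.0.0.0/24 (assumed always allowed)")
        if not block_link_local_mcast:
            return ("allow", "link-local multicast passed by default")
    for rule in rules:
        if rule.matches(pkt):
            return ("allow", f"matched {rule}")
    return ("drop", "no permissive rule matched (default deny)")


def rule_has_effect(pkt: Packet, rules: List[AllowRule],
                    block_link_local_mcast: bool) -> bool:
    """True if the rule set actually governs this packet, i.e. removing all
    rules would change the verdict. This is the API-consistency point in
    the message: with the knob off, an allow rule for 224.0.0.x is inert."""
    with_rules = decide(pkt, rules, block_link_local_mcast)[0]
    without_rules = decide(pkt, [], block_link_local_mcast)[0]
    return with_rules != without_rules


if __name__ == "__main__":
    mdns = Packet("224.0.0.251", 17, 5353)  # constructed: mDNS over UDP
    allow_mdns = [AllowRule(proto=17, cidr="224.0.0.0/24", port=5353)]
    for knob in (False, True):
        print(f"block_link_local_mcast={knob}: no rules -> {decide(mdns, [], knob)}; "
              f"allow rule has effect: {rule_has_effect(mdns, allow_mdns, knob)}")
```

With the knob off the mDNS packet is allowed whether or not a rule exists, so the rule has no effect; with the knob on the same packet is dropped by default and the permissive rule is what lets it through, which is the iptables-era behaviour the migrating deployments expect.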