[neutron][OVS firewall] Multicast non-IGMP traffic is allowed by default, not in iptables FW (LP#1889631)

Rodolfo Alonso Hernandez ralonsoh at redhat.com
Tue Aug 4 17:05:49 UTC 2020


Hello all:

First of all, the link: https://bugs.launchpad.net/neutron/+bug/1889631

To sum up the bug: in iptables FW, the non-IGMP multicast traffic from
224.0.0.x was blocked; this is not happening in OVS FW.

That was discussed today in the Neutron meeting [1]. We face two
possible situations here:
- If we block this traffic now, some deployments using the OVS FW will
experience an unexpected network blockage.
- Deployments migrating from iptables to OVS FW, now won't be able to
explicitly allow this traffic (or block it by default). This also breaks
the current API, because some rules won't have any effect (those ones
allowing this traffic).

A possible solution is to add a new knob in the FW configuration; this
config option will allow blocking this traffic by default or not. Remember
that the FW can only create permissive rules, not blocking ones.

Any feedback is welcome!

Regards.

[1]
http://eavesdrop.openstack.org/meetings/networking/2020/networking.2020-08-04-14.00.log.html#l-136
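The difference the thread describes (the iptables driver drops non-IGMP multicast to 224.0.0.x unless a security group rule allows it, the OVS driver passes it regardless, and a config knob would let the OVS driver behave like iptables) can be modelled as a small policy check. This is an added example, not Neutron code: the `Packet` and `AllowRule` shapes, the driver names, the `block_link_local_multicast` knob and the sample packets are all assumptions chosen to illustrate the point, and IGMP itself is modelled as passing on both drivers since the thread reports only non-IGMP traffic as differing.

```python
"""Model of the iptables vs. OVS firewall driver behaviour for link-local
multicast (224.0.0.0/24), as described in the thread.  Added example only;
the rule/packet shapes, driver names and the knob are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional

IGMP = 2  # IP protocol number for IGMP
LINK_LOCAL_MCAST = IPv4Network("224.0.0.0/24")  # the 224.0.0.x range from the bug


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int  # IP protocol number (2 IGMP, 6 TCP, 17 UDP, 89 OSPF, 112 VRRP)


@dataclass(frozen=True)
class AllowRule:
    """Security group rule.  Neutron rules are permissive only: no deny rules."""
    protocol: Optional[int] = None  # None = any protocol
    remote_cidr: str = "0.0.0.0/0"  # matched against the packet source (ingress)


def is_link_local_multicast(pkt: Packet) -> bool:
    return IPv4Address(pkt.dst) in LINK_LOCAL_MCAST


def rule_matches(rule: AllowRule, pkt: Packet) -> bool:
    proto_ok = rule.protocol is None or rule.protocol == pkt.protocol
    return proto_ok and IPv4Address(pkt.src) in IPv4Network(rule.remote_cidr)


def verdict(pkt: Packet, rules: Iterable[AllowRule], driver: str,
            block_link_local_multicast: Optional[bool] = None) -> str:
    """Return "ALLOW" or "DROP" for one ingress packet.

    driver: "iptables" or "ovs".
    block_link_local_multicast: the hypothetical knob from the thread; None
    means today's behaviour (blocked on iptables, passed on OVS)."""
    if driver not in ("iptables", "ovs"):
        raise ValueError(f"unknown driver {driver!r}")
    if block_link_local_multicast is None:
        block_link_local_multicast = driver == "iptables"
    if is_link_local_multicast(pkt):
        if pkt.protocol == IGMP:
            return "ALLOW"  # assumption: only non-IGMP multicast differs
        if not block_link_local_multicast:
            return "ALLOW"  # OVS FW today: passes whatever the rules say
    # Everything else is default-deny unless a permissive rule matches.
    return "ALLOW" if any(rule_matches(r, pkt) for r in rules) else "DROP"


def find_drift(packets: Iterable[Packet], rules: List[AllowRule]) -> List[Packet]:
    """Packets that get a different verdict on the two drivers with today's
    defaults, i.e. traffic that would start (or stop) flowing on migration."""
    return [p for p in packets
            if verdict(p, rules, "iptables") != verdict(p, rules, "ovs")]


# Constructed sample traffic and a security group allowing only TCP ingress.
VRRP = Packet("10.0.0.5", "224.0.0.18", 112)
OSPF = Packet("10.0.0.6", "224.0.0.5", 89)
IGMP_REPORT = Packet("10.0.0.5", "224.0.0.1", IGMP)
TCP_UNICAST = Packet("10.0.0.8", "10.0.0.7", 6)
UDP_UNICAST = Packet("10.0.0.8", "10.0.0.7", 17)
SAMPLE_PACKETS = [VRRP, OSPF, IGMP_REPORT, TCP_UNICAST, UDP_UNICAST]
SAMPLE_RULES = [AllowRule(protocol=6)]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.dst, p.protocol,
              "iptables:", verdict(p, SAMPLE_RULES, "iptables"),
              "ovs:", verdict(p, SAMPLE_RULES, "ovs"),
              "ovs+knob:", verdict(p, SAMPLE_RULES, "ovs", True))
    print("drift on migration:", [p.dst for p in find_drift(SAMPLE_PACKETS, SAMPLE_RULES)])
```

Running `find_drift` over a tenant's expected traffic profile before switching drivers surfaces exactly the two situations the thread lists: multicast that silently starts flowing on OVS, and allow rules for that traffic that no longer have any effect. With the knob set to `True`, the OVS verdicts line up with iptables and an explicit `AllowRule(protocol=112)` is again what makes VRRP pass.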