[Openstack-operators] Small openstack

George Shuklin george.shuklin at gmail.com
Sat Jan 10 00:26:07 UTC 2015


On 01/09/2015 09:25 PM, Kris G. Lindgren wrote:
> Also, if you are running this configuration you should be aware of the
> following bug:
>
> https://bugs.launchpad.net/neutron/+bug/1274034
>
> And the corresponding fix: https://review.openstack.org/#/c/141130/
>
> Basically - Neutron security group rules do nothing to protect against ARP
> spoofing/poisoning from VMs.  So it's possible under a shared network
> configuration for a VM to ARP for another VM's IP address and temporarily
> knock that VM offline.  The above commit - which is still a WIP - adds
> ebtables rules to allow Neutron to filter protocols other than IP (e.g. ARP).
Thank you!

I am just done playing with private networks (as external networks) and
am starting to tune the internet network. And I saw something strange when I was
doing a pentest from one of the instances. I'm going to check each thing
from the list in the bug description.

But I thought that security groups, antispoofing and other things are
nova-driven?



