OpenStack Compute (Nova)

firewall blocking policy is hard coded to DROP

Reported by Chris Jones on 2012-06-15

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

OpenStack Compute (nova)

Fix Released

Wishlist

Michael Still

OpenStack Compute (nova) havana-1 "h1"

You need to log in to change this bug's status.

Affecting:	OpenStack Compute (nova)
Filed here by:	Chris Jones
When:	2012-06-15
Confirmed:	2012-06-18
Assigned:	2013-03-11
Started work:	2013-03-23
Completed:	2013-05-29

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance	Milestone
	Wishlist	OpenStack Compute (nova) havana-1

Assigned to

	Me
	Michael Still (mikalstill)

Comment on this change (optional)

E-mail me about changes to this bug report

(?)

Bug Description

nova/virt/firewall.py: IptablesFirewallDriver is hard coded to DROP packets for connections that have not been authorized.
It would be interesting/useful to be able to configure the behaviour in this area (e.g. some installations might choose REJECT to make it more obvious to users what is happening, or even add a LOG as well)

Tags: Edit Tag help

Thierry Carrez (ttx) wrote on 2012-06-18:

I /think/ Quantum gives you more flexibility in that area...

Changed in nova:
importance:	Undecided → Wishlist
status:	New → Confirmed

James Troup (elmo) on 2012-06-18

tags:

added: canonistack

Michael Still (mikalstill) wrote on 2013-03-11:

This should be pretty easy to do. I'm going to grab this and I'll have a go when havana opens up.

Changed in nova:
assignee:	nobody → Michael Still (mikalstill)

Michael Still (mikalstill) on 2013-03-15

Changed in nova:
milestone:	none → havana-1

OpenStack Infra (hudson-openstack) wrote on 2013-03-23: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/25208

Changed in nova:
status:	Confirmed → In Progress

OpenStack Infra (hudson-openstack) wrote on 2013-03-28: Fix merged to nova (master)

Reviewed: https://review.openstack.org/25208
Committed: http://github.com/openstack/nova/commit/c9e3d539222233037820b7f74301247f631cd066
Submitter: Jenkins
Branch: master

commit c9e3d539222233037820b7f74301247f631cd066
Author: Michael Still <email address hidden>
Date: Sun Mar 17 01:36:42 2013 +1100

Make iptables drop action configurable.

    Resolves bug 1013893 by allowing the setting of the iptables drop
    action with a configuration flag. It is expected that this would be
    used for run a LOGDROP action before actually dropping the packet.

DocImpact: the drop action for iptables rules can now be configured
for nova-network users with the iptables_drop_action flag.

Change-Id: I15720d2742955611929a4d7181a269795296e025

Changed in nova:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2013-05-29

Changed in nova:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information Edit

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers