provider firewall rules should block outbound traffic to specified hosts

Bug #796018 reported by Todd Willey
Affects: OpenStack Compute (nova)
Status: Opinion
Importance: Wishlist
Assigned to: Unassigned
Milestone: none

Bug Description

Provider firewall rules are currently implemented as rules in instance chains (e.g. nova-compute-instance-2). This currently only matches incoming traffic due to the jump to the instance chain being matched using the destination ip of the instance (e.g. nova-compute-local -d 10.0.0.3 -j nova-compute-inst-2). This works fine for filtering incoming, unsolicited traffic.

It would also be nice to block new connections to the hosts that are blacklisted via provider rules. The best way to do this might be to add rules in nova-compute-OUTPUT during calls to refresh_provider_fw_rules in the firewall driver.
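
The chain layout described in the report, modelled as an added example (not nova's firewall driver code): the existing jump keyed on the instance's destination IP, the inbound rules that land in the per-instance chain, and the proposed outbound rules in nova-compute-OUTPUT that refuse NEW connections to blacklisted hosts. The rule fields (cidr, protocol, from_port, to_port) follow the shape of nova's provider firewall rule records as an assumption; the addresses and the helper names are constructed for the example, and the functions return iptables rule strings rather than applying them.

```python
"""Constructed model of the iptables rules in the report: inbound provider
rules in the instance chain plus proposed outbound rules in
nova-compute-OUTPUT. Example code, not part of nova."""

from ipaddress import ip_network

# Constructed provider rules. Field names assume the shape of nova's
# provider firewall rule records; the values are made up for the example.
PROVIDER_RULES = [
    {"cidr": "203.0.113.0/24", "protocol": "tcp", "from_port": 1, "to_port": 65535},
    {"cidr": "198.51.100.7/32", "protocol": None, "from_port": None, "to_port": None},
]


def _match(rule):
    """Protocol/port match fragment shared by the inbound and outbound rules."""
    parts = []
    proto = rule.get("protocol")
    if proto:
        parts.append(f"-p {proto}")
        # --dport is only meaningful for tcp/udp; icmp rules carry no ports
        if proto in ("tcp", "udp") and rule.get("from_port") is not None:
            lo, hi = rule["from_port"], rule["to_port"]
            parts.append(f"--dport {lo}:{hi}" if lo != hi else f"--dport {lo}")
    return parts


def instance_jump_rule(instance_id, fixed_ip):
    """The existing jump: only traffic *to* the instance reaches its chain,
    which is why outbound traffic never sees the provider rules."""
    return f"-A nova-compute-local -d {fixed_ip} -j nova-compute-inst-{instance_id}"


def inbound_rules(instance_id, rules):
    """Current behaviour: drop unsolicited traffic *from* a blacklisted cidr
    inside the per-instance chain."""
    out = []
    for r in rules:
        net = ip_network(r["cidr"])  # rejects malformed cidrs before they reach iptables
        out.append(" ".join([f"-A nova-compute-inst-{instance_id} -s {net}"]
                            + _match(r) + ["-j DROP"]))
    return out


def outbound_rules(rules):
    """Proposed addition: refuse NEW connections *to* a blacklisted cidr in
    nova-compute-OUTPUT. Matching on state NEW leaves established replies alone."""
    out = []
    for r in rules:
        net = ip_network(r["cidr"])
        out.append(" ".join([f"-A nova-compute-OUTPUT -d {net}", "-m state --state NEW"]
                            + _match(r) + ["-j DROP"]))
    return out


def refresh_output_chain(rules):
    """What a refresh in the firewall driver could emit for the OUTPUT chain:
    flush first, then re-add, so a rule removed from the provider list
    disappears from the host as well (hypothetical helper)."""
    return ["-F nova-compute-OUTPUT"] + outbound_rules(rules)


if __name__ == "__main__":
    print(instance_jump_rule(2, "10.0.0.3"))
    for line in inbound_rules(2, PROVIDER_RULES) + refresh_output_chain(PROVIDER_RULES):
        print(line)
```

The outbound rules match on `--state NEW` so that reply packets of connections the instance already accepted are not cut off; only fresh connection attempts toward the blacklisted hosts are dropped. Flushing nova-compute-OUTPUT before re-adding keeps a refresh idempotent.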

Todd Willey (xtoddx)
Changed in nova:
assignee: nobody → Todd Willey (xtoddx)
milestone: none → diablo-3
Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → Wishlist
status: New → Confirmed
Thierry Carrez (ttx) wrote :

@xtoddx: are you currently working on that? If not, maybe unassign you (and untarget diablo-3) to let someone else have a shot at it?

Thierry Carrez (ttx)
Changed in nova:
assignee: Todd Willey (xtoddx) → nobody
milestone: diablo-3 → none
Sean Dague (sdague)
Changed in nova:
status: Confirmed → Opinion