File: libvirt-ignore-allow_same_net_traffic-fd88bb2801b81561.yaml

Package: nova 2:18.1.0-6 (Debian suite: buster, area: main)
---
upgrade:
  - |
    The libvirt driver port filtering feature will now ignore the
    ``allow_same_net_traffic`` config option.

    The libvirt driver provides port filtering capability. This capability
    is enabled when the following is true:

    - The ``nova.virt.libvirt.firewall.IptablesFirewallDriver`` firewall driver
      is enabled
    - Security groups are disabled
    - Neutron port filtering is disabled/unsupported
    - An IPTables-compatible interface is used, e.g. an OVS VIF in hybrid mode,
      where the VIF is a tap device connected to OVS with a bridge

    When enabled, libvirt applies IPTables rules, which provide MAC, IP, and
    ARP spoofing protection, to all interface ports.

    Previously, setting the ``allow_same_net_traffic`` config option to
    ``True`` allowed same network traffic when using these port filters. This
    was the default case and was the only case tested. Setting this to
    ``False`` disabled same network traffic *when using the libvirt driver port
    filtering functionality only*; however, this was neither tested nor
    documented.

    Given that there are other better documented and better tested ways to
    approach this, such as through use of neutron's native port filtering or
    security groups, this functionality has been removed. Users should instead
    rely on one of these alternatives.
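An added configuration check (not part of nova or of this release note) that flags a nova.conf still carrying the now-ignored option, so an operator who relied on ``allow_same_net_traffic = False`` for isolation can move that control to security groups or neutron port filtering. The sample nova.conf fragment is constructed, and the placement of both options under ``[DEFAULT]`` is an assumption.

```python
import configparser

# Constructed sample nova.conf fragment (not taken from the release note).
# Both options being under [DEFAULT] is an assumption.
SAMPLE_NOVA_CONF = """
[DEFAULT]
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
allow_same_net_traffic = False
"""

IPTABLES_DRIVER = "nova.virt.libvirt.firewall.IptablesFirewallDriver"


def load_nova_conf(text):
    """Parse nova.conf text (INI style) without value interpolation."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf


def check_allow_same_net_traffic(conf):
    """Return a list of finding strings about the now-ignored option.

    The option is flagged whenever it is present, because the libvirt port
    filters no longer read it. A value of False combined with the iptables
    firewall driver is called out separately: same-network traffic that the
    operator expected to be blocked is no longer blocked by these filters.
    """
    findings = []
    section = conf["DEFAULT"]
    if "allow_same_net_traffic" not in section:
        return findings
    value = section.getboolean("allow_same_net_traffic")
    driver = section.get("firewall_driver", "")
    findings.append("allow_same_net_traffic is set but is ignored by the "
                    "libvirt driver port filters; remove it from nova.conf")
    if value is False and driver == IPTABLES_DRIVER:
        findings.append("allow_same_net_traffic = False with "
                        "IptablesFirewallDriver: same-network traffic is "
                        "no longer blocked by the libvirt port filters; "
                        "enforce it with security groups or neutron port "
                        "filtering instead")
    return findings


if __name__ == "__main__":
    for finding in check_allow_same_net_traffic(load_nova_conf(SAMPLE_NOVA_CONF)):
        print(finding)
```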