This one needs to be tested:
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -76,6 +76,28 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
                 </filter>'''
 
     @staticmethod
+    def nova_dhcp_isolate_filter():
+        """This filter will disallow all traffic toward the gateway of the guests.
+        """
+
+        return '''<filter name='nova-isolate-dhcp-server' chain='ipv4'>
+                  <uuid>891e4787-e5c0-d59b-cda6-41bc3c6b36fc</uuid>
+                  <rule action='allow' direction='in'
+                        priority='100'>
+                    <tcp dstipaddr='$DHCPSERVER'
+                         dstportstart='8776'/>
+                  </rule>
+                  <rule action='drop' direction='in'
+                        priority='100'>
+                    <tcp dstipaddr='$DHCPSERVER' />
+                  </rule>
+                  <rule action='drop' direction='in'
+                        priority='100'>
+                    <udp dstipaddr='$DHCPSERVER' />
+                  </rule>
+                </filter>'''
+
+    @staticmethod
     def nova_dhcp_filter():
         """The standard allow-dhcp-server filter is an <ip> one, so it uses
         ebtables to allow traffic through. Without a corresponding rule in
@@ -221,6 +243,7 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
         self._define_filter(self._filter_container('nova-vpn',
                                                    ['allow-dhcp-server']))
         self._define_filter(self.nova_dhcp_filter)
+        self._define_filter(self.nova_dhcp_isolate_filter)
         self.static_filters_configured = True
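Review bot: All three rules in nova_dhcp_isolate_filter combine `direction='in'` with `dstipaddr='$DHCPSERVER'`, but libvirt evaluates direction relative to the guest, so guest-originated traffic toward the DHCP server is `out`; as written the rules appear to match only packets arriving at the guest that are addressed to the DHCP server, which normally never exist, so the drop would not take effect — each rule should read `<rule action='accept' direction='out' priority='100'>` (or `drop` for the two blocking rules). The action `allow` is also not a libvirt nwfilter action (the accepting value is `accept`), so the filter may be refused when defined, which the added `_define_filter` call in the second hunk at -221 does not guard against. The docstring overstates the intent: only IPv4 TCP and UDP toward `$DHCPSERVER` are matched, ICMP and other protocols pass, and a one-line comment naming the service behind the exempted port 8776 would make the allow rule reviewable. The `<uuid>` should be confirmed unique across nova's filters; if it was pasted from `nova_dhcp_filter` (whose body is outside the hunk), libvirt would see two filters sharing one UUID.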
This one needs to be tested:
--- a/nova/ virt/libvirt/ firewall. py virt/libvirt/ firewall. py l(base_ firewall. FirewallDriver) :
</ filter> '''
+++ b/nova/
@@ -76,6 +76,28 @@ class NWFilterFirewal
@staticmethod isolate_ filter( ): isolate- dhcp-server' chain='ipv4'> e5c0-d59b- cda6-41bc3c6b36 fc</uuid> '$DHCPSERVER' '8776'/ > '$DHCPSERVER' /> '$DHCPSERVER' />
ebtables to allow traffic through. Without a corresponding rule in l(base_ firewall. FirewallDriver) :
self. _define_ filter( self._filter_ container( 'nova-vpn' ,
['allow- dhcp-server' ]))
self. _define_ filter( self.nova_ dhcp_filter) filter( self.nova_ dhcp_isolate_ filter)
+ def nova_dhcp_
+ """This filter will disallow all traffic toward the gateway of the guests.
+ """
+
+ return '''<filter name='nova-
+ <uuid>891e4787-
+ <rule action='allow' direction='in'
+ priority='100'>
+ <tcp dstipaddr=
+ dstportstart=
+ </rule>
+ <rule action='drop' direction='in'
+ priority='100'>
+ <tcp dstipaddr=
+ </rule>
+ <rule action='drop' direction='in'
+ priority='100'>
+ <udp dstipaddr=
+ </rule>
+ </filter>'''
+
+ @staticmethod
def nova_dhcp_filter():
"""The standard allow-dhcp-server filter is an <ip> one, so it uses
@@ -221,6 +243,7 @@ class NWFilterFirewal
+ self._define_