author Zuul <zuul@review.opendev.org> 2022-08-26 08:42:03 +0000
committer Gerrit Code Review <review@openstack.org> 2022-08-26 08:42:03 +0000
commit 76b6388d4b78b7e40939cf65f7e8a8fb7a14b089 (patch)
tree 4e5a43612ac1d5390fcabb46a218330161b957e0 /releasenotes
parent d4790238cd6af16fbaabc035097de3d061f6ad62 (diff)
parent bbefe5285e7ab799422fab81488f57c9c22769b6 (diff)
download neutron-76b6388d4b78b7e40939cf65f7e8a8fb7a14b089.tar.gz
Merge "Allow operator to disable usage of random-fully"
Diffstat (limited to 'releasenotes')
-rw-r--r-- releasenotes/notes/use_random_fully-527b20bc524c308a.yaml 15
1 files changed, 15 insertions, 0 deletions
diff --git a/releasenotes/notes/use_random_fully-527b20bc524c308a.yaml b/releasenotes/notes/use_random_fully-527b20bc524c308a.yaml
new file mode 100644
index 0000000000..76fb36590c
--- /dev/null
+++ b/releasenotes/notes/use_random_fully-527b20bc524c308a.yaml
@@ -0,0 +1,15 @@
+---
+features:
+ - |
+ Add ``use_random_fully`` setting to allow an operator to disable
+ the iptables random-fully property on an iptable rules.
+issues:
+ - |
+ If the ``use_random_fully`` setting is disabled, it will prevent
+ random fully from being used and if there're 2 guests in different
+ networks using the same source_ip and source_port and they try to
+ reach the same dest_ip and dest_port, packets might be dropped in
+ the kernel do to the racy tuple generation . Disabling this
+ setting should only be done if source_port is really important such
+ as in network firewall ACLs and that the source_ip are never repeating
+ within the platform.
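Review bot: The `issues` entry has wording errors that will appear verbatim in the rendered release notes: "do to the racy tuple generation ." should read "due to the racy tuple generation." (with no space before the period), and in the `features` entry "on an iptable rules" should be "on iptables rules". The note also does not say which configuration section holds ``use_random_fully`` or what its default value is, so an operator reading only this file cannot tell where to set it or whether an upgrade changes behaviour; please add both. The closing condition "that the source_ip are never repeating within the platform" would be clearer as an explicit precondition (source IPs are unique across all networks on the platform), since the packet-drop case described above depends on two guests sharing the same source_ip and source_port.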