author | Bernhard M. Wiedemann <bwiedemann@suse.de> | 2013-09-06 09:47:49 +0200 |
---|---|---|
committer | Kevin Bringard <kevinbri@cisco.com> | 2014-08-05 07:56:31 -0600 |
commit | 3dc8676ab6f216af5d22ac1df1a4b34bccb1c27e (patch) | |
tree | 3b2307bd1140b6a5abbb8691435184a5ce876dc8 | |
parent | 0e4dd1bfc4d910a7ccf7e100d4c1a30663dc06b7 (diff) | |
download | nova-3dc8676ab6f216af5d22ac1df1a4b34bccb1c27e.tar.gz |
Always filter out multicast from reflection
Instances will try IPv6 neighbour discovery via multicast
even in an IPv4-only cloud and can throw errors
if they see inbound packets from their own MAC address
Closes-bug: #1229625
Change-Id: I3539e788fe07519d87ce7c3800c5d38b7bd99d3b
(cherry picked from commit 9c044d2c94812e18cf84927fbf719cd073fe6c4f)
-rw-r--r-- | nova/virt/libvirt/firewall.py | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index 1cbba788a8..acfc706c38 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -219,9 +219,8 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
 filter_set = ['no-mac-spoofing',
 'no-ip-spoofing',
 'no-arp-spoofing']
- if CONF.use_ipv6:
- self._define_filter(self.nova_no_nd_reflection_filter)
- filter_set.append('nova-no-nd-reflection')
+ self._define_filter(self.nova_no_nd_reflection_filter)
+ filter_set.append('nova-no-nd-reflection')
 self._define_filter(self._filter_container('nova-nodhcp', filter_set))
 filter_set.append('allow-dhcp-server')
 self._define_filter(self._filter_container('nova-base', filter_set)) |
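Review bot: The now-unconditional `nova-no-nd-reflection` lines carry no comment explaining why the filter is applied in IPv4-only deployments, so a later reader could plausibly restore the `if CONF.use_ipv6:` guard as a tidy-up. I would add above `self._define_filter(self.nova_no_nd_reflection_filter)` a comment such as `# Always applied: guests attempt IPv6 ND over multicast even when use_ipv6 is off, and must not see their own frames reflected back (bug #1229625).` The diffstat shows only firewall.py changed, so nothing visible here asserts that `nova-no-nd-reflection` ends up in the `nova-base` filter set when `use_ipv6` is False; a unit test for that case would pin the behaviour. The enclosing method starts and ends outside the hunk, so the contents of `nova_no_nd_reflection_filter` are not visible for review here.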