Reviewed: https://review.openstack.org/633210
Committed:
https://git.openstack.org/cgit/openstack/neutron/commit/?id=f599c15e33f72d44a18f10cd71a0fc9b13b35080
Submitter: Zuul
Branch: stable/queens
commit f599c15e33f72d44a18f10cd71a0fc9b13b35080
Author: Jens Harbott <j.harb...@x-ion.de>
Date: Mon Oct 29 17:08:33 2018 +0000
Secure dnsmasq process against external abuse
Currently any dhcp agent instance will work as an open resolver. For
deployments using publicly routed addresses for tenant networks, this
allows the agent being abused in dDoS attacks, see [1].
By setting the `--local-service` option dnsmasq will filter DNS queries
and reply only to queries from directly attached networks.
[1] https://bugs.launchpad.net/neutron/+bug/1501206
Conflicts:
neutron/cmd/sanity_check.py
Closes-Bug: 1501206
Change-Id: I76d810aad2ce0f15a88bd798963012fa0efca74e
(cherry picked from commit 0fce3ca2c1641fbcfb8327a86d7225e2c3972263)
** Tags added: in-stable-queens
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1501206
Title:
router:dhcp ports are open resolvers
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1501206/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
