If you have SNAT disabled and don't want traffic to flow onto the external network, why would you attach an interface to the external network in the first place?
** Changed in: neutron
   Status: In Progress => Opinion

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1518296

Title:
  Non-SNAT'ed packets should be blocked

Status in neutron:
  Opinion

Bug description:
  In current neutron, when running "neutron router-gateway-set" with the
  specified router's "enable_snat" set to false, non-SNAT'ed packets can
  arrive at other tenants via the external network. The packets don't pass
  through the other tenant's gateway, but they put extra load on the
  external network. Packets should be NAT'ed when flowing on the external
  network; non-SNAT'ed packets don't need to flow on the external network.
  Therefore, non-SNAT'ed packets should be dropped inside their own tenant.

  I will fix as follows:

  * The router is Legacy mode and enable_snat is True: No change from
    current implementation.
  * The router is Legacy mode and enable_snat is False: Add a new rule for
    dropping outbound non-SNAT'ed packets.
  * The router is DVR mode and enable_snat is True: No change from current
    implementation.
  * The router is Legacy mode and enable_snat is False: Don't create the
    SNAT namespace.

--
Mailing list: https://launchpad.net/~yahoo-eng-team
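The two legacy-router cases from the bug description, as an added shell example that is not code from the bug report or from neutron: it renders the iptables rules for enable_snat true (SNAT in nat POSTROUTING) and enable_snat false (drop egress that still carries a tenant source address), and can apply them inside a router namespace. The gateway interface qg-1234abcd, the addresses, the CIDR and the namespace name are constructed sample values, and the chain placement assumes a plain Linux router namespace rather than neutron's own chain layout.

```shell
#!/bin/sh
# Added example, not code from the bug report or from neutron: render the
# iptables rules a legacy-mode router namespace would need for the two
# enable_snat settings the bug describes. Interface name, addresses and
# CIDRs used here are constructed sample values.

# enable_snat=true: tenant sources leaving via the gateway interface are
# rewritten to the router's external address in nat POSTROUTING.
snat_rules() {
    gw_if=$1; ext_ip=$2; tenant_cidr=$3
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$tenant_cidr" "$gw_if" "$ext_ip"
}

# enable_snat=false: a packet still carrying a tenant (private) source must
# not leave via the gateway interface. filter FORWARD sees the packet before
# nat POSTROUTING, so fixed IPs that are mapped to floating IPs (and will be
# SNAT'ed later) need an ACCEPT ahead of the DROP or their traffic breaks.
drop_rules() {
    gw_if=$1; tenant_cidr=$2; float_fixed_ips=$3
    for ip in $float_fixed_ips; do
        printf 'iptables -t filter -A FORWARD -s %s -o %s -j ACCEPT\n' "$ip" "$gw_if"
    done
    printf 'iptables -t filter -A FORWARD -s %s -o %s -j DROP\n' "$tenant_cidr" "$gw_if"
}

# Choose the rule set from the enable_snat flag (legacy router only).
render_rules() {
    enable_snat=$1; gw_if=$2; ext_ip=$3; tenant_cidr=$4; float_fixed_ips=$5
    case $enable_snat in
        true)  snat_rules "$gw_if" "$ext_ip" "$tenant_cidr" ;;
        false) drop_rules "$gw_if" "$tenant_cidr" "$float_fixed_ips" ;;
        *)     echo "enable_snat must be true or false" >&2; return 1 ;;
    esac
}

# Apply the rendered rules inside a router namespace (hypothetical name,
# e.g. qrouter-<uuid>); remaining arguments are passed to render_rules.
apply_rules() {
    ns=$1; shift
    render_rules "$@" | while IFS= read -r cmd; do
        ip netns exec "$ns" sh -c "$cmd" || return 1
    done
}
```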