Bug 1733114
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Add openflow rule whitelisting DNS port 53 for cloud provider metadata IP | | |
| Product: | OpenShift Container Platform | Reporter: | Alexander Constantinescu <aconstan> |
| Component: | Networking | Assignee: | Alexander Constantinescu <aconstan> |
| Status: | CLOSED WONTFIX | QA Contact: | zhaozhanqi <zzhao> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.2.0 | CC: | aos-bugs, danw, nagrawal |
| Target Milestone: | --- | | |
| Target Release: | 4.2.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-20 15:53:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Alexander Constantinescu
2019-07-25 09:01:50 UTC
Hi,

After discussion within the team, we've come to the conclusion not to create this OVS rule, complementing the already existing iptables rules. The iptables rules already block all TCP/UDP connections to 169.254.169.254 on all ports except port 53. Complementary OVS rules are not needed and add additional technical complexity not worth the effort (OVS rules do not support negated conditions, e.g. "block all ! port 53").

If there are any arguments against this, please re-open the bug and assign it to me.

Best regards,
Alexander
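To make the "no negated conditions" point concrete, here is an added illustration (not OpenShift's or OVS's own code, and not the cluster's actual rules): a tiny priority-ordered flow matcher in the spirit of OpenFlow, used to compare the single negated iptables rule the comment describes with the two-tier allow/drop flow pair OVS would need, over a few constructed packets. The flow fields and sample packets are assumptions chosen for the model.

```python
"""Model of why 'block all but port 53' needs two tiers of OVS flows.

Added illustration, not the OpenShift/OVS code: a minimal priority-ordered
flow matcher that mimics OpenFlow table lookup (highest priority wins,
matches are exact, no negation) versus the negated iptables rule.
"""
METADATA_IP = "169.254.169.254"  # cloud provider metadata address from the bug

def iptables_allows(pkt):
    """One negated rule: DROP tcp/udp to the metadata IP unless dport is 53."""
    if pkt["dst"] == METADATA_IP and pkt["proto"] in ("tcp", "udp") and pkt["dport"] != 53:
        return False
    return True

# OpenFlow-style table (assumed shape): no "! port 53" match exists, so the
# exception is a high-priority allow for port 53 above a lower-priority drop.
# Keeping the drop limited to tcp/udp makes it exactly as narrow as the
# iptables rule; a bare "nw_dst=169.254.169.254 drop" would also kill ICMP.
OVS_FLOWS = [
    {"priority": 200, "match": {"dst": METADATA_IP, "proto": "udp", "dport": 53}, "action": "normal"},
    {"priority": 200, "match": {"dst": METADATA_IP, "proto": "tcp", "dport": 53}, "action": "normal"},
    {"priority": 100, "match": {"dst": METADATA_IP, "proto": "udp"}, "action": "drop"},
    {"priority": 100, "match": {"dst": METADATA_IP, "proto": "tcp"}, "action": "drop"},
    {"priority": 0, "match": {}, "action": "normal"},  # table-miss: forward normally
]

def ovs_allows(pkt, flows=OVS_FLOWS):
    """Highest-priority flow whose match fields all equal the packet's fields wins."""
    for flow in sorted(flows, key=lambda f: -f["priority"]):
        if all(pkt.get(k) == v for k, v in flow["match"].items()):
            return flow["action"] != "drop"
    return True  # empty table: nothing drops

# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    {"dst": METADATA_IP, "proto": "udp", "dport": 53},     # DNS to metadata IP: allowed
    {"dst": METADATA_IP, "proto": "tcp", "dport": 80},     # metadata HTTP: dropped
    {"dst": METADATA_IP, "proto": "tcp", "dport": 443},    # metadata HTTPS: dropped
    {"dst": METADATA_IP, "proto": "icmp", "dport": None},  # not tcp/udp: passes both
    {"dst": "10.0.0.5", "proto": "tcp", "dport": 80},      # unrelated host: allowed
]

def decisions_agree(packets=SAMPLE_PACKETS, flows=OVS_FLOWS):
    """True when the OVS flow table and the negated iptables rule agree on every packet."""
    return all(iptables_allows(p) == ovs_allows(p, flows) for p in packets)

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "iptables:", iptables_allows(p), "ovs:", ovs_allows(p))
    print("tables agree:", decisions_agree())
```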