Major Hayden
This patch adds a release note for the bridge-nf-call patch from I4d5139a6016e75ebec84994ac3555600d65a3f7c. Change-Id: I1a2fd13f88f48182db866cc444d63bb0c6d2cf31
14 lines
621 B
YAML
---
security:
  - |
    The ``net.bridge.bridge-nf-call-*`` kernel parameters were set to ``0``
    in previous releases to improve performance and it was left up to neutron
    to adjust these parameters when security groups are applied. This could
    cause situations where bridge traffic was not sent through iptables and
    this rendered security groups ineffective. This could allow unexpected
    ingress and egress traffic within the cloud.

    These kernel parameters are now set to ``1`` on all hosts by the
    ``openstack_hosts`` role, which ensures that bridge traffic is always
    sent through iptables.
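A host-side check for the setting this release note describes, as an added example that is not part of the project's own code: it reads the three `net.bridge.bridge-nf-call-*` parameters and flags any that are not `1`. The function name `check_bridge_nf`, its directory argument and the sample tree are assumptions for illustration; the missing-directory case assumes the sysctls are provided by the `br_netfilter` kernel module.

```shell
#!/bin/sh
# Added example: audit the bridge-nf-call-* sysctls from the release note.
# check_bridge_nf [DIR] prints one line per parameter and returns
#   0 if every parameter is 1,
#   1 if any parameter is missing or not 1,
#   2 if DIR does not exist (assumed cause: br_netfilter not loaded,
#     in which case bridged frames are not passed to iptables at all).
check_bridge_nf() {
    dir="${1:-/proc/sys/net/bridge}"
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir (is the br_netfilter module loaded?)"
        return 2
    fi
    rc=0
    for name in bridge-nf-call-iptables bridge-nf-call-ip6tables \
                bridge-nf-call-arptables; do
        file="$dir/$name"
        if [ ! -r "$file" ]; then
            echo "MISSING net.bridge.$name"
            rc=1
            continue
        fi
        value=$(cat "$file")
        if [ "$value" = "1" ]; then
            echo "OK      net.bridge.$name = $value"
        else
            echo "WEAK    net.bridge.$name = $value"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a fake sysctl tree where one parameter still has
# the pre-fix value of 0. On a real host, call check_bridge_nf with no argument.
demo=$(mktemp -d)
echo 1 > "$demo/bridge-nf-call-iptables"
echo 0 > "$demo/bridge-nf-call-ip6tables"
echo 1 > "$demo/bridge-nf-call-arptables"
check_bridge_nf "$demo" || echo "exit status: $?"
rm -rf "$demo"
```

A return code of 2 deserves the same attention as a `0` value: without the sysctl directory, the host gives no indication that bridge traffic is being filtered.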