Running a firewall instance between 2 tenant networks

asked 2018-05-19 17:19:56 -0500

It appears due to security constraints that this use case has been disabled nearly completely. If I want to run a firewall/router between 2 tenant networks and provide DHCP to the second tenant network through the firewall the current security setup completely prevents running a dhcp server in an instance.

Would the openstack community consider a patch that makes these security rules configurable per network/subnet? I understand wanting to disallow DHCP servers that might be connected to a shared/provider network. However, if a user wants to run a DHCP server attached to a non-shared tenant network, what is the harm that I'm not thinking about?

Currently I've implemented a subclass of OVSHybridIptablesFirewallDriver that excludes the dhcp server restrictions for all ports. I would like to make these rules driven by configuration, maybe just if the network is a shared network include the restrictions, if not, exclude them.

Thoughts?

edit retag flag offensive close merge delete