1d776bc16c
metadata service should be requested on 169.254.169.254:80 and router namespace iptables rules redirect the request to the metadata-ns-proxy on 127.0.0.1:$metadata_port. But currently the metadata-ns-proxy can be requested directly on $router-ip:$metadata_port. To avoid such behavior, this change marks packets redirection in mangle table (PREROUTING), redirects (PREROUTING) them in nat table, accepts them in filter table (INPUT) using the mark. Packets send to the metadata proxy port without mark (so directly) are dropped. The mark can be configured through the new option metadata_access_mark. Remark: redirected packets are not local packets (in general), so setting metadata proxy server host to 127.0.0.1 will disallow direct queries but so redirected queries. DocImpact Partial-Bug: #1187102 Change-Id: I6a9bb12c8bf68c6fcf4e4060f8dfe44a309a41da |
||
|---|---|---|
| .. | ||
| init.d | ||
| neutron | ||
| api-paste.ini | ||
| dhcp_agent.ini | ||
| l3_agent.ini | ||
| metadata_agent.ini | ||
| metering_agent.ini | ||
| neutron.conf | ||
| policy.json | ||
| rootwrap.conf | ||
| services.conf | ||