yahoo-eng-team team mailing list archive

[Kevin Benton <1444397@xxxxxxxxxxxxxxxxxx>]

Public bug reported:

The hash type used by the ipsets is 'ip' which explodes a CIDR into
every member address (i.e. 10.100.0.0/16 becomes 65k entries). The
allowed address pairs extension allows CIDRs so a single allowed address
pair set can exhaust the entire IPset and break the security group rules
for a tenant.

** Affects: neutron
     Importance: Undecided
     Assignee: Kevin Benton (kevinbenton)
         Status: In Progress


** Tags: kilo-rc-potential

** Changed in: neutron
     Assignee: (unassigned) => Kevin Benton (kevinbenton)

** Tags added: kilo-rc-potential

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1444397

Title:
  single allowed address pair rule can exhaust entire ipset space

Status in OpenStack Neutron (virtual network service):
  In Progress

Bug description:
  The hash type used by the ipsets is 'ip' which explodes a CIDR into
  every member address (i.e. 10.100.0.0/16 becomes 65k entries). The
  allowed address pairs extension allows CIDRs so a single allowed
  address pair set can exhaust the entire IPset and break the security
  group rules for a tenant.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1444397/+subscriptions