← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1444397] Re: single allowed address pair rule can exhaust entire ipset space

 

** Also affects: neutron/kilo
   Importance: Undecided
       Status: New

** Changed in: neutron/kilo
    Milestone: None => kilo-rc2

** Changed in: neutron/kilo
   Importance: Undecided => Critical

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1444397

Title:
  single allowed address pair rule can exhaust entire ipset space

Status in OpenStack Neutron (virtual network service):
  Fix Committed
Status in neutron kilo series:
  New

Bug description:
  The hash type used by the ipsets is 'ip' which explodes a CIDR into
  every member address (i.e. 10.100.0.0/16 becomes 65k entries). The
  allowed address pairs extension allows CIDRs so a single allowed
  address pair set can exhaust the entire IPset and break the security
  group rules for a tenant.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1444397/+subscriptions


References