yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1444397] Re: single allowed address pair rule can exhaust entire ipset space

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Tue, 21 Apr 2015 13:09:52 -0000
Reply-to: Bug 1444397 <1444397@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: neutron/kilo
   Importance: Undecided
       Status: New

** Changed in: neutron/kilo
    Milestone: None => kilo-rc2

** Changed in: neutron/kilo
   Importance: Undecided => Critical

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1444397

Title:
  single allowed address pair rule can exhaust entire ipset space

Status in OpenStack Neutron (virtual network service):
  Fix Committed
Status in neutron kilo series:
  New

Bug description:
  The hash type used by the ipsets is 'ip' which explodes a CIDR into
  every member address (i.e. 10.100.0.0/16 becomes 65k entries). The
  allowed address pairs extension allows CIDRs so a single allowed
  address pair set can exhaust the entire IPset and break the security
  group rules for a tenant.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1444397/+subscriptions

References

[Bug 1444397] [NEW] single allowed address pair rule can exhaust entire ipset space
From: Kevin Benton, 2015-04-15