yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #32305
[Bug 1444397] Re: single allowed address pair rule can exhaust entire ipset space
** Changed in: neutron/kilo
Status: Fix Committed => Fix Released
** Tags removed: kilo-rc-potential
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1444397
Title:
single allowed address pair rule can exhaust entire ipset space
Status in OpenStack Neutron (virtual network service):
Fix Committed
Status in neutron kilo series:
Fix Released
Bug description:
The hash type used by the ipsets is 'ip' which explodes a CIDR into
every member address (i.e. 10.100.0.0/16 becomes 65k entries). The
allowed address pairs extension allows CIDRs so a single allowed
address pair set can exhaust the entire IPset and break the security
group rules for a tenant.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1444397/+subscriptions
References