yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1444397] Re: single allowed address pair rule can exhaust entire ipset space

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Alan Pevec <1444397@xxxxxxxxxxxxxxxxxx>
Date: Sat, 14 Nov 2015 10:35:37 -0000
Reply-to: Bug 1444397 <1444397@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: neutron/juno
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1444397

Title:
  single allowed address pair rule can exhaust entire ipset space

Status in neutron:
  Fix Released
Status in neutron juno series:
  New
Status in neutron kilo series:
  Fix Released

Bug description:
  The hash type used by the ipsets is 'ip' which explodes a CIDR into
  every member address (i.e. 10.100.0.0/16 becomes 65k entries). The
  allowed address pairs extension allows CIDRs so a single allowed
  address pair set can exhaust the entire IPset and break the security
  group rules for a tenant.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1444397/+subscriptions

References

[Bug 1444397] [NEW] single allowed address pair rule can exhaust entire ipset space
From: Kevin Benton, 2015-04-15