yahoo-eng-team team mailing list archive
Message #44775
[Bug 1534322] Re: On new port, traffic flow is allowed before security groups are programmed
Reviewed: https://review.openstack.org/268192
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=29dffc084164c29b4726dc08bb986f7961e9fa9f
Submitter: Jenkins
Branch: master
commit 29dffc084164c29b4726dc08bb986f7961e9fa9f
Author: Kevin Benton <kevinbenton@xxxxxxxxxxxxx>
Date: Fri Jan 15 15:22:03 2016 +0000
Revert "Change function call order in ovs_neutron_agent."
This reverts commit 9c72bac0ea37971b2d5430246295c5e8b859b4ed.
Change-Id: I9b6b588b68f63f6688749d011dc8b20ef80edadc
Closes-Bug: #1534322
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1534322
Title:
On new port, traffic flow is allowed before security groups are
programmed
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed (private)
security vulnerabilities before their coordinated publication by the
OpenStack Vulnerability Management Team in the form of an official
OpenStack Security Advisory. This includes discussion of the bug or
associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to
other individuals not already approved for access to this information,
and provide this same reminder to those who are made aware of the
issue prior to publication. All discussion should remain confined to
this private bug report, and any proposed fixes should be added to the
bug as attachments.
--
Description:
During the creation of a neutron port, in the ovs_neutron_agent, traffic flow is enabled shortly before security groups are programmed.
File: neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
Function: process_network_ports
Step-by-step:
During the creation of a neutron port, the following calls are made:
- treat_devices_added_or_updated
- sg_agent.setup_port_filters
- _bind_devices
Before early November, process_network_ports called
sg_agent.setup_port_filters before it called _bind_devices. This meant
that security groups were programmed before traffic flow was enabled by
_bind_devices, which sets the port-lvm mapping in br-int.
Bug #1512636 reversed this order of operation, so that _bind_devices
is called before sg_agent.setup_port_filters. This opens up a brief
security hole, allowing traffic to flow for a short time before
security groups are applied.
Proposed solution:
Revert the change made for bug #1512636
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1534322/+subscriptions
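The ordering problem the report describes, as an added example that is not Neutron's code and not part of the original message. It is a toy model: `Bridge` and `Firewall` are simplified stand-ins for br-int and the security-group driver, every name in it is hypothetical, and the only behaviour it reproduces is the report's claim that a port forwards once its local-VLAN mapping exists (the `_bind_devices` step) while nothing filters it until its rules are programmed (the `sg_agent.setup_port_filters` step). Running the same port setup in both orders shows which packets that arrive between the two steps reach the VM.

```python
"""Toy model of the port-setup ordering problem from bug 1534322.

Constructed example, not Neutron code. Bridge and Firewall stand in for
br-int and the security-group driver; all names are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Rule = Tuple[str, int]  # (protocol, destination port) the SG allows


@dataclass(frozen=True)
class Packet:
    port_id: str
    proto: str
    dport: int


class Bridge:
    """Stand-in for br-int: a port's traffic is forwarded only after its
    local VLAN mapping is installed (what _bind_devices does)."""

    def __init__(self) -> None:
        self.lvm: Dict[str, int] = {}

    def bind(self, port_id: str, vlan: int) -> None:
        self.lvm[port_id] = vlan

    def forwards(self, port_id: str) -> bool:
        return port_id in self.lvm


class Firewall:
    """Stand-in for the SG driver. A port with no programmed rules is not
    filtered at all; that unfiltered state is the window the report calls
    a 'brief security hole', so the model lets such traffic through."""

    def __init__(self) -> None:
        self.rules: Dict[str, Set[Rule]] = {}

    def setup_port_filters(self, port_id: str, allowed: Set[Rule]) -> None:
        self.rules[port_id] = set(allowed)

    def allows(self, pkt: Packet) -> bool:
        if pkt.port_id not in self.rules:
            return True  # nothing programmed yet: unfiltered
        return (pkt.proto, pkt.dport) in self.rules[pkt.port_id]


def delivered(bridge: Bridge, fw: Firewall, pkt: Packet) -> bool:
    """A packet reaches the VM only if br-int forwards it and the SG allows it."""
    return bridge.forwards(pkt.port_id) and fw.allows(pkt)


def process_port(bridge: Bridge, fw: Firewall, port_id: str, vlan: int,
                 allowed: Set[Rule], in_window: List[Packet],
                 bind_first: bool) -> List[Packet]:
    """Set up one new port in either order and return the packets, among
    those arriving between the two steps, that are delivered.

    bind_first=True  is the order introduced for bug 1512636 (vulnerable).
    bind_first=False is the original order restored by the revert.
    """
    steps: List[Callable[[], None]] = [
        lambda: bridge.bind(port_id, vlan),
        lambda: fw.setup_port_filters(port_id, allowed),
    ]
    if not bind_first:
        steps.reverse()
    steps[0]()
    leaked = [p for p in in_window if delivered(bridge, fw, p)]
    steps[1]()
    return leaked


def demo(bind_first: bool) -> List[Packet]:
    """Constructed scenario: an SG that allows only TCP/22, with the port
    probed on TCP/22 and TCP/3306 while the agent is between the two steps."""
    bridge, fw = Bridge(), Firewall()
    allowed: Set[Rule] = {("tcp", 22)}
    probes = [Packet("port-a", "tcp", 22), Packet("port-a", "tcp", 3306)]
    leaked = process_port(bridge, fw, "port-a", 7, allowed, probes, bind_first)
    # Once both steps have run, the SG is enforced whichever order was used;
    # only the window between them differs.
    assert delivered(bridge, fw, Packet("port-a", "tcp", 22))
    assert not delivered(bridge, fw, Packet("port-a", "tcp", 3306))
    return leaked


if __name__ == "__main__":
    print("bind before filters, delivered in window:", demo(True))
    print("filters before bind, delivered in window:", demo(False))
```

With the filters programmed first, a packet arriving mid-setup is dropped because br-int has no mapping for the port yet; with the bind done first, every probe is delivered, including the one the security group is meant to block. The invariant worth checking in review is the one the revert restores: a port must not become reachable before its filters exist.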