yahoo-eng-team team mailing list archive

[Bug 1611991] Re: [ovs firewall] Port masking adds wrong masks in several cases.

Reviewed:  https://review.openstack.org/353782
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0494f212aa625a03587af3d75e823008f1198012
Submitter: Jenkins
Branch:    master

commit 0494f212aa625a03587af3d75e823008f1198012
Author: Inessa Vasilevskaya <ivasilevskaya@xxxxxxxxxxxx>
Date:   Thu Aug 11 02:21:29 2016 +0300

    ovsfw: fix troublesome port_rule_masking
    
    In several cases port masking algorithm borrowed
    from networking_ovs_dpdk didn't behave correctly.
    This caused non-restricted ports to be open due to
    wrong tp_src field value in resulting ovs rules.
    
    This was fixed by alternative port masking
    implementation.
    
    Functional and unit tests to cover the bug added as well.
    
    Co-Authored-By: Jakub Libosvar <libosvar@xxxxxxxxxx>
    Co-Authored-By: IWAMOTO Toshihiro <iwamoto@xxxxxxxxxxxxx>
    
    Closes-Bug: #1611991
    Change-Id: Idfc0e9c52e0dd08852c91c17e12edb034606a361


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1611991

Title:
  [ovs firewall] Port masking adds wrong masks in several cases.

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Seen on master devstack, ubuntu xenial.

  Steps to reproduce:

  1. Enable ovs firewall in /etc/neutron/plugins/ml2/ml2.conf

  [securitygroup]
  firewall_driver = openvswitch

  2. Create a security group with icmp, tcp to 22.

  3. Boot a VM, assign a floating ip.

  4. Check that port 23 can be accessed via tcp (telnet, nc, etc).

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1611991/+subscriptions
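
The check below is an added example, not part of the original message and not neutron's or networking_ovs_dpdk's code. It splits a port range into value/mask pairs with a standard aligned-block split and then enumerates all 65536 ports to confirm the masks open nothing outside the range. All function names are hypothetical, and the over-wide mask in the demo is constructed to mirror the symptom in the bug description (rule for 22, port 23 reachable); it is not taken from the actual faulty output.

```python
PORT_BITS = 16
MAX_PORT = (1 << PORT_BITS) - 1


def port_range_to_masks(lo, hi):
    """Split [lo, hi] into aligned power-of-two blocks as (value, mask) pairs."""
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError("invalid port range %r-%r" % (lo, hi))
    pairs = []
    while lo <= hi:
        # Largest block that may start at lo is bounded by lo's alignment ...
        size = lo & -lo if lo else 1 << PORT_BITS
        # ... and by the number of ports still left in the range.
        while size > hi - lo + 1:
            size >>= 1
        pairs.append((lo, MAX_PORT & ~(size - 1)))
        lo += size
    return pairs


def matched_ports(pairs):
    """Every port a masked match (port & mask == value) accepts."""
    return {p for p in range(MAX_PORT + 1)
            if any(p & mask == value for value, mask in pairs)}


def overmatched_ports(lo, hi, pairs):
    """Ports the masks open that the requested range never allowed."""
    return sorted(matched_ports(pairs) - set(range(lo, hi + 1)))


def format_ovs(pairs, field="tp_src"):
    """Render pairs in the value/mask form used in OVS flow matches."""
    return ["%s=0x%04x/0x%04x" % (field, v, m) for v, m in pairs]


if __name__ == "__main__":
    good = port_range_to_masks(22, 22)
    print(format_ovs(good), "extra ports:", overmatched_ports(22, 22, good))
    # Constructed faulty mask: one bit too wide for a single-port rule.
    bad = [(22, 0xFFFE)]
    print(format_ovs(bad), "extra ports:", overmatched_ports(22, 22, bad))
```

A non-empty result from overmatched_ports for any range is the condition the commit message describes: ports left open that the security group did not allow.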

