
yahoo-eng-team team mailing list archive

[Bug 1745642] Re: SG hybrid iptables driver and FWaaS OVS driver create overlapping conntrack zones

 

Reviewed:  https://review.openstack.org/538154
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9a620f6ea51f5696310283869e68f6a1d49164d1
Submitter: Zuul
Branch:    master

commit 9a620f6ea51f5696310283869e68f6a1d49164d1
Author: Chandan Dutta Chowdhury <chandanc@xxxxxxxxxxx>
Date:   Fri Jan 26 05:23:16 2018 +0000

    This patch changes the CT zone allocation range
    
    SG with hybrid-iptables driver uses per port conntrack zones.
    FWaaS port security uses per network conntrack zones based on
    local vlans assigned by ovs l2 agent.
    
    In case both the SG iptables-hybrid driver and FWaaS port security are enabled,
    there is a possibility of the iptables-hybrid and OVS based FWaaS drivers
    allocating overlapping zones and creating security holes.
    
    This patch changes the zone allocation range for the iptables and
    hybrid_iptables drivers to 4097 - 65535, while the OVS based
    port security driver can use zones based on the local vlan range 1 - 4096.
    
    Closes-Bug: #1745642
    Change-Id: I4d51637ed1de8fe85b4982a03410d4a3f637ea3f


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1745642

Title:
  SG hybrid iptables driver and FWaaS OVS driver create overlapping
  conntrack zones

Status in neutron:
  Fix Released

Bug description:
  SG with the hybrid-iptables driver uses per port conntrack zones. FWaaS
  port security uses per network conntrack zones based on local vlans
  assigned by the ovs l2 agent. In case both the SG iptables-hybrid driver and
  FWaaS port security are enabled, there is a possibility of the iptables-
  hybrid and OVS based FWaaS drivers allocating overlapping zones and
  creating security holes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1745642/+subscriptions

