yahoo-eng-team team mailing list archive
Message #89190
[Bug 1979816] [NEW] [RFE] Firewall Group Ordering on Port Association
Public bug reported:
As detailed in https://bugs.launchpad.net/neutron/+bug/1978497
According to the fwaas-api-2.0 specification here:
https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html
> packets will be allowed if any one of the firewall groups
> associated with that Neutron port allows the packet
This is not actually the case. If I am explicitly blocking a packet in
group 1, but it would be passed by a broader statement in group 2, and
the order of those groups flips, I am now passing that packet.
Therefore, firewall groups must be ordered on port associations such
that the groups are evaluated in a consistent, predictable manner.
** Affects: neutron
Importance: Undecided
Status: New
** Tags: fwaas
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1979816
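Added example, not part of the bug report and not neutron's code: a simplified model of the scenario in the report, comparing the spec's "any group allows" wording with groups consulted one after another. The first-match chaining, the rule tuples, the addresses and all function names are assumptions constructed for illustration.

```python
import ipaddress
from itertools import permutations

# Constructed rule sets (illustrative only, not taken from a real deployment).
# Rule layout: (action, protocol, source CIDR, destination port or None for any)
GROUP_1 = [("deny", "tcp", "10.0.0.0/8", 22)]      # explicit block
GROUP_2 = [("allow", "tcp", "10.0.0.0/8", None)]   # broader allow

PKT = {"proto": "tcp", "src": "10.1.2.3", "dport": 22}  # constructed packet


def matches(rule, pkt):
    _, proto, cidr, port = rule
    return (proto == pkt["proto"]
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(cidr)
            and port in (None, pkt["dport"]))


def group_verdict(group, pkt):
    """First matching rule in a group decides; None if no rule matches."""
    for rule in group:
        if matches(rule, pkt):
            return rule[0]
    return None


def chained_verdict(groups, pkt):
    """Assumed model: groups consulted in order, first explicit verdict wins."""
    for group in groups:
        verdict = group_verdict(group, pkt)
        if verdict is not None:
            return verdict
    return "deny"  # default deny when nothing matches


def any_allows_verdict(groups, pkt):
    """Spec wording: allowed if any one associated group allows the packet."""
    allowed = any(group_verdict(g, pkt) == "allow" for g in groups)
    return "allow" if allowed else "deny"


def order_sensitive(evaluate, groups, pkt):
    """True if some ordering of the associated groups changes the verdict."""
    return len({evaluate(list(p), pkt) for p in permutations(groups)}) > 1


if __name__ == "__main__":
    for order in ([GROUP_1, GROUP_2], [GROUP_2, GROUP_1]):
        print(chained_verdict(order, PKT), any_allows_verdict(order, PKT))
```

Running `order_sensitive` over each port's associated groups with a set of probe packets is one way to audit which associations would change behaviour if the group order flipped.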