yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2058138] Re: Neutron OVSHybridIptablesFirewallDriver and IptablesFirewallDriver don't enforce Remote address groups

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <2058138@xxxxxxxxxxxxxxxxxx>
Date: Thu, 21 Mar 2024 10:08:23 -0000
Reply-to: Bug 2058138 <2058138@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/913708
Committed: https://opendev.org/openstack/neutron/commit/5e1188ef38da3f196aadf82a3842fa982c9a0c83
Submitter: "Zuul (22348)"
Branch:    master

commit 5e1188ef38da3f196aadf82a3842fa982c9a0c83
Author: Robert Breker <rbreker@xxxxxxxxxxx>
Date:   Sun Mar 17 14:43:50 2024 +0000

    Enhance IptablesFirewallDriver with remote address groups
    
    This change enhances the IptablesFirewallDriver with support for remote
    address groups. Previously, this feature was only available in the
    OVSFirewallDriver. This commit harmonizes the capabilities across both
    firewall drivers, and by inheritance also to OVSHybridIptablesFirewallDriver.
    
    Background -
    The Neutron API allows operators to configure remote address groups [1],
    however the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do
    not implement these remote group restrictions. When configuring security
    group rules with remote address groups, connections get enabled
    based on other rule parameters, ignoring the configured remote address
    group restrictions.
    This behaviour undocumented, and may lead to more-open-than-configured network
    access.
    
    Closes-Bug: #2058138
    Change-Id: I76b3cb46ee603fa5e829537af41316bb42a6f30f


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2058138

Title:
  Neutron OVSHybridIptablesFirewallDriver and IptablesFirewallDriver
  don't enforce Remote address groups

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  High level description -

  The Neutron API allows operators to configure remote address groups [1], however the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do not implement these remote group restrictions. When configuring security group rules with remote address groups, connections get enabled based on other rule parameters, ignoring the configured remote address group restrictions.
  This behaviour undocumented, and may lead to more-open-than-configured network access.

  Background -

  Remote address groups enable specifying rules that target many CIDRs
  efficiently. In line with the remote security group support, this
  should be implemented through the use of hashed ipsets in case of the
  IptablesFirewallDriver.

  Pre-conditions -
  * Using OVSHybridIptablesFirewallDriver or IptablesFirewallDriver
  * Configured remote Address Groups.

  Version -
  All OpenStack versions with remote address group support are impacted. We noticed it on 2024.1.

  [1] https://docs.openstack.org/python-
  openstackclient/latest/cli/command-objects/address-group.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2058138/+subscriptions