yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #95961
[Bug 2058138] Re: [SRU] Neutron OVSHybridIptablesFirewallDriver and IptablesFirewallDriver don't enforce Remote address groups
** Changed in: neutron (Ubuntu Focal)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2058138
Title:
[SRU] Neutron OVSHybridIptablesFirewallDriver and
IptablesFirewallDriver don't enforce Remote address groups
Status in Ubuntu Cloud Archive:
New
Status in Ubuntu Cloud Archive antelope series:
New
Status in Ubuntu Cloud Archive bobcat series:
New
Status in Ubuntu Cloud Archive caracal series:
Fix Released
Status in Ubuntu Cloud Archive yoga series:
Fix Committed
Status in Ubuntu Cloud Archive zed series:
New
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Incomplete
Status in neutron package in Ubuntu:
New
Status in neutron source package in Focal:
Won't Fix
Status in neutron source package in Jammy:
New
Status in neutron source package in Noble:
Fix Released
Bug description:
[Impact]
Security Group rules using a remote address group are now supported on older
versions of Neutron, back to Yoga.
[Test Case]
Assuming neutron is configured to use the iptables firewall driver, you should
now be able to add a security group rule specifying a --remote-address-group
parameter where previously it would fail.
[Where problems could occur]
Problem would occur when adding a security group rule with --remote-
address-group paremeter.
[Others]
== ORIGINAL DESCRIPTION ==
High level description -
The Neutron API allows operators to configure remote address groups [1], however the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do not implement these remote group restrictions. When configuring security group rules with remote address groups, connections get enabled based on other rule parameters, ignoring the configured remote address group restrictions.
This behaviour undocumented, and may lead to more-open-than-configured network access.
Background -
Remote address groups enable specifying rules that target many CIDRs
efficiently. In line with the remote security group support, this
should be implemented through the use of hashed ipsets in case of the
IptablesFirewallDriver.
Pre-conditions -
* Using OVSHybridIptablesFirewallDriver or IptablesFirewallDriver
* Configured remote Address Groups.
Version -
All OpenStack versions with remote address group support are impacted. We noticed it on 2024.1.
[1] https://docs.openstack.org/python-
openstackclient/latest/cli/command-objects/address-group.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2058138/+subscriptions