single allowed address pair rule can exhaust entire ipset space
Bug #1444397 reported by Kevin Benton
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Critical | Kevin Benton |
Juno | Fix Released | Undecided | Unassigned |
Kilo | Fix Released | Critical | Unassigned |
Bug Description
The hash type used by the ipsets is 'ip', which explodes a CIDR into every member address (i.e. 10.100.0.0/16 becomes 65k entries). The allowed address pairs extension allows CIDRs, so a single allowed address pair set can exhaust the entire IPset and break the security group rules for a tenant.
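The arithmetic behind the report, as an added example (not neutron's code and not part of the original bug report): a small in-memory model of an ipset hash set, assuming ipset's default `maxelem` of 65536 and constructed member addresses. It compares the `hash:ip` behaviour described above with ipset's `hash:net` type, which stores a CIDR as a single element.

```python
import ipaddress

IPSET_DEFAULT_MAXELEM = 65536  # ipset's default element limit for hash sets


class SetFull(Exception):
    """Raised when an add would exceed the set's maxelem."""


class SimulatedIpset:
    """In-memory model of an ipset hash set (no kernel or root needed)."""

    def __init__(self, set_type, maxelem=IPSET_DEFAULT_MAXELEM):
        if set_type not in ("hash:ip", "hash:net"):
            raise ValueError("unsupported set type: %s" % set_type)
        self.set_type = set_type
        self.maxelem = maxelem
        self.elements = set()

    def _expand(self, member):
        net = ipaddress.ip_network(member, strict=False)
        if self.set_type == "hash:net":
            return [net]  # a CIDR is stored as one element
        return net  # hash:ip: iterating yields every address in the CIDR

    def add(self, member):
        for elem in self._expand(member):
            if elem in self.elements:
                continue
            if len(self.elements) >= self.maxelem:
                raise SetFull(member)  # set is full; remaining addresses are lost
            self.elements.add(elem)


def populate(set_type, members):
    """Add members in order; return (element count, members not fully added)."""
    ipset = SimulatedIpset(set_type)
    rejected = []
    for member in members:
        try:
            ipset.add(member)
        except SetFull:
            rejected.append(member)
    return len(ipset.elements), rejected


# Constructed sample: three port addresses plus one allowed address pair CIDR.
SAMPLE_MEMBERS = ["10.0.0.5", "10.0.0.6", "10.100.0.0/16", "10.0.0.7"]

if __name__ == "__main__":
    for set_type in ("hash:ip", "hash:net"):
        print(set_type, populate(set_type, SAMPLE_MEMBERS))
```

With `hash:ip` the /16 fills the set before it is fully added and every later member is rejected; with `hash:net` the same four members occupy four elements.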
Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)
tags: added: kilo-rc-potential

Changed in neutron:
status: New → In Progress

Changed in neutron:
milestone: none → liberty-1
importance: Undecided → High

Changed in neutron:
importance: High → Critical
tags: removed: kilo-rc-potential

Changed in neutron:
status: Fix Committed → Fix Released

Changed in neutron:
milestone: liberty-1 → 7.0.0
Nice find!