Security Group doesn't work if the specific allowed-address-pairs value is set
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Won't Fix | High | Inessa Vasilevskaya |
10.0.x | Won't Fix | High | Inessa Vasilevskaya |
7.0.x | Won't Fix | High | MOS Maintenance |
8.0.x | Won't Fix | High | MOS Maintenance |
9.x | Won't Fix | High | Ann Taraday |
Bug Description
It's a customer-found issue. The issue is reproducible on MOS 10.0 as well.
Summary:
Security Group doesn't work if the specific allowed-
High level description:
OpenStack user is allowed to specify arbitrary mac_address/
Step-by-step reproduction process:
1) Create a VM in OpenStack
2) Check that there are no rules allowing icmp (for instance) in the security group associated with the VM
3) perform:
neutron port-update [any-port-
if your VM uses a private IPv4 address from networks 192.168.x or 172.16.x, then 128.0.0.0/1 will work as "a-very-huge-cidr", if it uses 10.x network then 0.0.0.0/1 should.
4) ping all the VMs in this secgroup successfully (from the router namespace, or from any host which is allowed to access floating IPs if a floating IP is also assigned to the VM), as well as access it on any port and protocol on which the VM is listening.
Version:
All OpenStack releases up to Mitaka.
Perceived severity:
It's not a blocker as workarounds are pretty obvious, but it's a huge security bug: all the network security provided by Security Groups might be ruined easily, just by updating a single port in neutron.
If we restrict the value of allowed-
Upstream bug: https:/
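The report above describes an attacker-controlled port attribute (an over-broad allowed-address-pairs CIDR such as 128.0.0.0/1 or 0.0.0.0/1) silently widening what security groups let through. An operator's first defensive step is to find such pairs across the deployment. The following audit script is an added example written for this page, not code from the bug report, from Mirantis, or from the Neutron project. It assumes port records in the shape returned by the Neutron API's `GET /v2.0/ports` (a list of dicts each carrying an `allowed_address_pairs` list of `{"ip_address": ..., "mac_address": ...}` entries); the sample ports, port ids and MAC addresses below are constructed for illustration, and the default threshold of a single host address per pair is an assumption about what a legitimate VRRP/keepalived-style VIP needs.

```python
"""Audit Neutron ports for allowed-address-pairs entries broad enough to
bypass security-group filtering (added example, not the project's own code)."""
import ipaddress
import json

# Constructed sample in the shape of the Neutron API's GET /v2.0/ports output.
# None of these ids, addresses or MACs come from a real deployment.
SAMPLE_PORTS = [
    {"id": "port-vrrp-vip", "device_owner": "compute:nova",
     "fixed_ips": [{"ip_address": "192.168.10.5"}],
     "allowed_address_pairs": [
         {"ip_address": "192.168.10.100", "mac_address": "fa:16:3e:00:00:01"}]},
    {"id": "port-half-space", "device_owner": "compute:nova",
     "fixed_ips": [{"ip_address": "192.168.10.6"}],
     "allowed_address_pairs": [
         {"ip_address": "128.0.0.0/1", "mac_address": "fa:16:3e:00:00:02"}]},
    {"id": "port-other-half", "device_owner": "compute:nova",
     "fixed_ips": [{"ip_address": "10.1.2.3"}],
     "allowed_address_pairs": [
         {"ip_address": "0.0.0.0/1", "mac_address": "fa:16:3e:00:00:03"}]},
    {"id": "port-slash16", "device_owner": "compute:nova",
     "fixed_ips": [{"ip_address": "10.20.5.9"}],
     "allowed_address_pairs": [
         {"ip_address": "10.20.0.0/16", "mac_address": "fa:16:3e:00:00:04"}]},
    {"id": "port-garbage", "device_owner": "compute:nova",
     "fixed_ips": [{"ip_address": "10.30.0.2"}],
     "allowed_address_pairs": [{"ip_address": "not-an-address"}]},
    {"id": "port-clean", "device_owner": "compute:nova",
     "fixed_ips": [{"ip_address": "10.40.0.2"}],
     "allowed_address_pairs": []},
]


def pair_network(value):
    """Parse a pair's ip_address the way the API accepts it: a bare host
    address or a CIDR. Returns an ip_network, or None if it cannot be parsed."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def audit_ports(ports, max_addresses=1):
    """Return one finding per allowed-address-pair that either covers more
    than max_addresses addresses (assumed default: exactly one host, enough
    for a single VIP) or cannot be parsed at all. Findings keep the order of
    the input so reports are stable."""
    findings = []
    for port in ports:
        for pair in port.get("allowed_address_pairs") or []:
            value = pair.get("ip_address", "")
            net = pair_network(value)
            if net is None:
                findings.append({"port_id": port["id"], "pair": value,
                                 "reason": "unparseable", "addresses": None})
            elif net.num_addresses > max_addresses:
                findings.append({"port_id": port["id"], "pair": value,
                                 "reason": "over-broad",
                                 "addresses": net.num_addresses})
    return findings


def format_report(findings):
    """Render findings as one line per pair for an operator to act on."""
    if not findings:
        return "no over-broad or malformed allowed-address-pairs found"
    lines = []
    for f in findings:
        size = "unparseable" if f["addresses"] is None else f"{f['addresses']} addresses"
        lines.append(f"{f['port_id']}: pair {f['pair']!r} is {f['reason']} ({size})")
    return "\n".join(lines)


if __name__ == "__main__":
    # To run against a live cloud, replace SAMPLE_PORTS with the "ports" list
    # from a GET /v2.0/ports response, e.g. json.load(open("ports.json"))["ports"].
    print(format_report(audit_ports(SAMPLE_PORTS)))
```

The threshold is deliberately strict: a pair that needs a whole subnet is rare enough that it deserves a manual look, and the two half-of-the-Internet CIDRs from the report are caught by any sane threshold. Raising `max_addresses` to, say, 2**16 keeps the /1 cases flagged while tolerating a /16 that a tenant can justify.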
Changed in mos:
  status: Incomplete → Confirmed
  importance: Undecided → High
  assignee: nobody → MOS Neutron (mos-neutron)
  description: updated

Changed in mos:
  assignee: Ann Taraday (akamyshnikova) → Inessa Vasilevskaya (ivasilevskaya)

Changed in mos:
  status: In Progress → Won't Fix
I was not able to reproduce this issue on 9.0 and 10.0 (iso 687) envs. Can you please check my steps http://paste.openstack.org/show/573545/ if something is missing?