[RFE] Support allowed address pairs without ip address

Bug #1690937 reported by Trevor McCasland
Affects: neutron
Status: Opinion
Importance: Wishlist
Assigned to: Ruslan Gustomyasov

Bug Description

Allowed address pairs simply pairs IP addresses and MAC addresses.

This RFE asks to allow '0.0.0.0/0' to be specified for the IP address or to make it optional, so that a user can configure ports to filter traffic with only a MAC list.

tags: added: rfe
Changed in neutron:
importance: Undecided → Wishlist
status: New → Triaged
Changed in neutron:
assignee: nobody → Ruslan Gustomyasov (rusik)
Ihar Hrachyshka (ihar-hrachyshka) wrote :

Sorry, this RFE got triaged too quickly; we need clarification on the use case here.

Also, don't we already allow 0.0.0.0/0 for ip address for pairs? For example, I see this patch: https://review.openstack.org/#/c/194741/ that correctly disables spoofing protection for 0.0.0.0/0

Let's start with a use case, and then we can figure out what you miss in the current neutron API.

Changed in neutron:
status: Triaged → Incomplete
Ian Wells (ijw-ubuntu) wrote :

0.0.0.0/0 works as far as I can tell for IP packets (though it doesn't allow non-IP packets, so there's that).

Trevor McCasland (twm2016) wrote :

Ihar, we want spoofing protection without the IP and only the MAC address. So in the case of 0.0.0.0/0, all IPs are acceptable only if the MAC the IP is associated with is in the list of configured MAC addresses.

We can amend the if statement to something like the following (where get_mac() is fake):

if any(netaddr.IPNetwork(ip).prefixlen == 0 and not get_mac(ip) for ip in addresses):
    return

Use cases are for network security, I will ask for a specific scenario.
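
The semantics discussed in the comments above, as an added example that is not part of the bug report and is not neutron code: a simplified model of the source check in which every pair must match on MAC, '0.0.0.0/0' accepts any IPv4 source, and an entry with no IP filters on MAC alone. Pair, cidr=None and source_allowed() are hypothetical names, the MAC addresses are constructed, and the standard-library ipaddress module stands in for netaddr.

```python
import ipaddress
from typing import NamedTuple, Optional


class Pair(NamedTuple):
    """Hypothetical allowed-address-pair entry; cidr=None models 'IP optional'."""
    mac: str
    cidr: Optional[str] = None


def normalize_mac(mac: str) -> str:
    return mac.replace("-", ":").lower()


def source_allowed(pairs, src_mac, src_ip=None):
    """Return True if a frame's source (MAC, IP) matches an allowed pair.

    src_ip=None stands for a frame that carries no IP header.
    """
    mac = normalize_mac(src_mac)
    for pair in pairs:
        if normalize_mac(pair.mac) != mac:
            continue  # the MAC must match in every case
        if pair.cidr is None:
            return True  # MAC-only entry: the requested behaviour
        if src_ip is None:
            continue  # an IP-scoped entry cannot match a non-IP frame
        net = ipaddress.ip_network(pair.cidr, strict=False)
        addr = ipaddress.ip_address(src_ip)
        if addr.version == net.version and addr in net:
            return True
    return False


# Constructed sample configurations for one port.
PAIRS_WILDCARD = [Pair("fa:16:3e:00:00:01", "0.0.0.0/0")]
PAIRS_MAC_ONLY = [Pair("fa:16:3e:00:00:01")]

if __name__ == "__main__":
    frames = [("fa:16:3e:00:00:01", "203.0.113.7"),   # known MAC, any IPv4
              ("fa:16:3e:00:00:02", "203.0.113.7"),   # unknown MAC
              ("fa:16:3e:00:00:01", "2001:db8::1"),   # known MAC, IPv6
              ("fa:16:3e:00:00:01", None)]            # known MAC, non-IP
    for mac, ip in frames:
        print(mac, ip,
              "wildcard:", source_allowed(PAIRS_WILDCARD, mac, ip),
              "mac-only:", source_allowed(PAIRS_MAC_ONLY, mac, ip))
```

In this model the only frames that differ between the two configurations are the ones a wildcard IPv4 prefix cannot describe: IPv6 and non-IP traffic from a listed MAC.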

LIU Yulong (dragon889) wrote :

I may say this should make 0.0.0.0/0 work for the ml2 ovs driver:
https://review.opendev.org/#/c/712632/

Slawek Kaplonski (slaweq) wrote :

As was discussed at the PTG, we decided to close this RFE for now. Feel free to reopen it if there is a valid use case for it and if you want to work on it. Then we can discuss it again in the drivers team meeting.

tags: added: rfe-postponed
removed: rfe
Changed in neutron:
status: Incomplete → Opinion