SG hybrid iptables driver and FWaaS OVS driver create overlapping conntrack zones
Bug #1745642, reported by chandan dutta chowdhury
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | High | chandan dutta chowdhury | |
Bug Description
SG with the hybrid-iptables driver uses per-port conntrack zones. FWaaS port security uses per-network conntrack zones based on the local VLANs assigned by the OVS L2 agent. In case both the SG iptables-hybrid driver and FWaaS port security are enabled, there is a possibility of the iptables-hybrid and OVS-based FWaaS drivers allocating overlapping zones and creating security holes.
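The risk described above is that two independent allocators hand out the same conntrack zone number for different scopes (one port, one network), so connection state established under one firewall can satisfy the other. A quick way for an operator to check a host for that condition is to collect the zone ids each side programs and intersect them. The script below is an added example, not code from the Neutron or FWaaS projects: it parses constructed sample lines in the shape of `iptables-save` output (the hybrid driver's `-j CT --zone N` rules) and `ovs-ofctl dump-flows` output (`ct(zone=N,...)` actions) and reports zone numbers that appear on both sides. The port names, VLAN ids, zone numbers and the exact rule text are invented for the example; flows whose zone is taken from a register rather than a literal number are skipped, since a static check cannot resolve them.

```python
import re
from typing import Dict, Set

# Constructed sample of `iptables-save` output for hybrid-iptables SG chains.
# Port names and zone numbers are hypothetical.
IPTABLES_SAVE = """\
-A neutron-openvswi-PREROUTING -m physdev --physdev-in tap11111111-11 -j CT --zone 3
-A neutron-openvswi-PREROUTING -m physdev --physdev-in tap22222222-22 -j CT --zone 4
-A neutron-openvswi-PREROUTING -m physdev --physdev-in tap33333333-33 -j CT --zone 9
"""

# Constructed sample of `ovs-ofctl dump-flows br-int` output for an OVS-based
# FWaaS driver keying conntrack zones by local VLAN id (also hypothetical).
OVS_FLOWS = """\
 cookie=0x1, duration=10s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=5,dl_vlan=4 actions=ct(zone=4,table=1)
 cookie=0x1, duration=10s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=6,dl_vlan=7 actions=ct(zone=7,table=1)
 cookie=0x1, duration=10s, table=0, n_packets=0, n_bytes=0, priority=90,in_port=8 actions=ct(zone=NXM_NX_REG6[0..15],table=1)
"""

# Rule shapes assumed here; real deployments may differ and need adjusted patterns.
IPT_ZONE = re.compile(r"--physdev-in (\S+) .*-j CT --zone (\d+)")
OVS_ZONE = re.compile(r"ct\(zone=(\d+)")
OVS_VLAN = re.compile(r"dl_vlan=(\d+)")


def iptables_zones(iptables_save: str) -> Dict[int, Set[str]]:
    """Map each conntrack zone used by the iptables driver to the ports using it."""
    zones: Dict[int, Set[str]] = {}
    for line in iptables_save.splitlines():
        m = IPT_ZONE.search(line)
        if m:
            zones.setdefault(int(m.group(2)), set()).add(m.group(1))
    return zones


def ovs_zones(dump_flows: str) -> Dict[int, Set[str]]:
    """Map each literal conntrack zone in OVS flows to the VLAN (or flow) it matches.

    Flows that load the zone from a register (e.g. NXM_NX_REG6) are skipped:
    their zone is only known at packet-processing time.
    """
    zones: Dict[int, Set[str]] = {}
    for line in dump_flows.splitlines():
        m = OVS_ZONE.search(line)
        if not m:
            continue
        vlan = OVS_VLAN.search(line)
        label = f"dl_vlan={vlan.group(1)}" if vlan else line.strip()
        zones.setdefault(int(m.group(1)), set()).add(label)
    return zones


def overlapping_zones(ipt: Dict[int, Set[str]], ovs: Dict[int, Set[str]]) -> Dict[int, dict]:
    """Return zones programmed by both drivers, with the scopes each side attached."""
    return {
        zone: {"iptables": ipt[zone], "ovs": ovs[zone]}
        for zone in sorted(ipt.keys() & ovs.keys())
    }


if __name__ == "__main__":
    clashes = overlapping_zones(iptables_zones(IPTABLES_SAVE), ovs_zones(OVS_FLOWS))
    for zone, scopes in clashes.items():
        print(f"zone {zone}: iptables ports {sorted(scopes['iptables'])} "
              f"vs OVS {sorted(scopes['ovs'])}")
```

On a live host the two inputs would be the real output of `iptables-save` and `ovs-ofctl dump-flows br-int`; an empty result means no literal zone is shared, while any hit names the port and the VLAN whose connection state the two firewalls would silently share.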
- affects: cinder → neutron
- Changed in neutron: assignee: nobody → chandan dutta chowdhury (chandanc)
- Changed in neutron: status: New → In Progress
- tags: added: needs-attention
- tags: added: neutron-proactive-backport-potential
hybrid iptables driver is common in clouds upgraded from older releases. IIRC, it prevents FWaaS v2 readiness in a number of existing deployments.