[RFE] Firewall Group Ordering on Port Association
Bug #1979816 reported by Anthony
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | New | Undecided | Unassigned |
Bug Description
As detailed in https:/
According to the fwaas-api-2.0 specification here: https:/
> packets will be allowed if any one of the firewall groups
> associated with that Neutron port allows the packet
This is not actually the case. If I am explicitly blocking a packet in group 1, but it would be passed by a broader statement in group 2, and the order of those groups flips, I am now passing that packet.
Therefore, firewall groups must be ordered on port associations such that the groups are evaluated in a consistent, predictable manner.
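The ordering problem described above, as an added example that is not part of the original report and is not neutron-fwaas code: a small Python model comparing the spec's "any group allows" wording with an assumed first-match walk over the groups in association order. The rule format, group names, and packets are constructed for illustration.

```python
import ipaddress
from itertools import permutations

# Constructed sample policy: each group is an ordered list of
# (action, source CIDR, destination port or None for any) rules.
GROUPS = {
    "group1": [("deny", "10.0.0.5/32", 22)],    # narrow explicit block
    "group2": [("allow", "10.0.0.0/24", None)], # broader allow
}
PACKETS = [("10.0.0.5", 22), ("10.0.0.9", 22), ("192.0.2.1", 22)]

def match(rule, pkt):
    _, cidr, port = rule
    src, dport = pkt
    in_net = ipaddress.ip_address(src) in ipaddress.ip_network(cidr)
    return in_net and (port is None or port == dport)

def group_verdict(rules, pkt):
    """First matching rule in one group decides; None if nothing matches."""
    for rule in rules:
        if match(rule, pkt):
            return rule[0]
    return None

def any_allow(groups, order, pkt):
    """Spec wording quoted in the report: allowed if any group allows."""
    return any(group_verdict(groups[g], pkt) == "allow" for g in order)

def first_match(groups, order, pkt):
    """Assumed model of the reported behaviour: groups are walked in
    association order and the first rule that matches decides."""
    for g in order:
        verdict = group_verdict(groups[g], pkt)
        if verdict is not None:
            return verdict == "allow"
    return False  # implicit default deny when no group matches

def order_sensitive(groups, packets, evaluate):
    """Return the packets whose verdict changes across group orderings."""
    flagged = []
    for pkt in packets:
        verdicts = {evaluate(groups, o, pkt) for o in permutations(groups)}
        if len(verdicts) > 1:
            flagged.append(pkt)
    return flagged
```

Running `order_sensitive` over a port's groups with representative packets gives a quick audit of which flows would change verdict if the association order flipped.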
summary:
- RFE: Firewall Group Ordering on Port Association
+ [RFE] Firewall Group Ordering on Port Association
We discussed this RFE on the last Drivers meeting: https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-07-08-14.00.log.html#l-54
The agreement was to have a spec where the current implementation's differences from the original spec (https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html) are listed and the details for the fix can be discussed.