2015-06-09 21:51:01 |
Kevin Benton |
bug |
|
|
added bug |
2015-06-09 21:51:09 |
Kevin Benton |
neutron: assignee |
|
Kevin Benton (kevinbenton) |
|
2015-06-10 03:34:42 |
gustavo panizzo |
bug |
|
|
added subscriber gustavo panizzo |
2015-06-18 08:35:06 |
Miguel Angel Ajo |
attachment added |
|
Bug incarnation with disjoint networks and a router in the middle https://bugs.launchpad.net/neutron/+bug/1463589/+attachment/4416693/+files/sg-disjoint-networks-bug-with-router.png |
|
2015-06-18 08:37:15 |
Kevin Benton |
attachment added |
|
SG violation.png https://bugs.launchpad.net/neutron/+bug/1463589/+attachment/4416695/+files/SG%20violation.png |
|
2015-06-18 08:38:52 |
Miguel Angel Ajo |
description |
create SG1 an SG2 that only allow traffic to members of their own group
create two networks with same 10.0.0.0/24 CIDR
create port1 in SG1 on net1 with IP 10.0.0.1
create port2 in SG1 on net2 with IP 10.0.0.2
create port3 in SG2 on net1 with IP 10.0.0.2
port1 can communicate with port3 because of the allow rule for port2's IP
This violates the constraints of the configured security groups. |
create SG1 an SG2 that only allow traffic to members of their own group
create two networks with same 10.0.0.0/24 CIDR
create port1 in SG1 on net1 with IP 10.0.0.1
create port2 in SG1 on net2 with IP 10.0.0.2
create port3 in SG2 on net1 with IP 10.0.0.2
port1 can communicate with port3 because of the allow rule for port2's IP
This violates the constraints of the configured security groups.
Another incarnation of the bug happens if you:
(graphic representation: https://bugs.launchpad.net/neutron/+bug/1463589/+attachment/4416693/+files/sg-disjoint-networks-bug-with-router.png)
create SG1 and SG2, that only allow traffic to members of their own group
create two network (N1, N2) segments
create another network segment (N3)
add a router R that connects the N1 to N3
then add IPa, IPb to SG1 on N1
add IPc, IPd to SG1 on N2
then add IPc and IPd to SG2 on N3
IPa, and IPb will accept traffic from IPc and IPd (SG2) even if they should not. |
|
2015-06-18 08:39:32 |
Miguel Angel Ajo |
description |
create SG1 an SG2 that only allow traffic to members of their own group
create two networks with same 10.0.0.0/24 CIDR
create port1 in SG1 on net1 with IP 10.0.0.1
create port2 in SG1 on net2 with IP 10.0.0.2
create port3 in SG2 on net1 with IP 10.0.0.2
port1 can communicate with port3 because of the allow rule for port2's IP
This violates the constraints of the configured security groups.
Another incarnation of the bug happens if you:
(graphic representation: https://bugs.launchpad.net/neutron/+bug/1463589/+attachment/4416693/+files/sg-disjoint-networks-bug-with-router.png)
create SG1 and SG2, that only allow traffic to members of their own group
create two network (N1, N2) segments
create another network segment (N3)
add a router R that connects the N1 to N3
then add IPa, IPb to SG1 on N1
add IPc, IPd to SG1 on N2
then add IPc and IPd to SG2 on N3
IPa, and IPb will accept traffic from IPc and IPd (SG2) even if they should not. |
create SG1 an SG2 that only allow traffic to members of their own group
create two networks with same 10.0.0.0/24 CIDR
create port1 in SG1 on net1 with IP 10.0.0.1
create port2 in SG1 on net2 with IP 10.0.0.2
create port3 in SG2 on net1 with IP 10.0.0.2
port1 can communicate with port3 because of the allow rule for port2's IP
This violates the constraints of the configured security groups.
Another incarnation of the bug happens if you:
(graphic representation: https://bugs.launchpad.net/neutron/+bug/1463589/+attachment/4416693/+files/sg-disjoint-networks-bug-with-router.png)
create SG1 and SG2, that only allow traffic to members of their own group
create two network (N1, N2) segments
create another network segment (N3)
add a router R that connects the N1 to N3
then add IPa, IPb to SG1 on N1
add IPc, IPd to SG1 on N2
then add IPc and IPd to SG2 on N3
IPa, and IPb will accept traffic from ports with IPc and IPd on SG2 even if they should not. |
|
2016-08-17 23:27:36 |
Armando Migliaccio |
neutron: status |
New |
Incomplete |
|
2016-08-17 23:27:36 |
Armando Migliaccio |
neutron: assignee |
Kevin Benton (kevinbenton) |
|
|
2016-10-17 04:20:36 |
Launchpad Janitor |
neutron: status |
Incomplete |
Expired |
|