[ovs firewall] Port masking adds wrong masks in several cases.
Bug #1611991 reported by Inessa Vasilevskaya
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
neutron | Fix Released | High | Inessa Vasilevskaya | |
Bug Description
Seen on master devstack, ubuntu xenial.
Steps to reproduce:
1. Enable ovs firewall in /etc/neutron/
[securitygroup]
firewall_driver = openvswitch
2. Create a security group with icmp, tcp to 22.
3. Boot a VM, assign a floating ip.
4. Check that port 23 can be accessed via tcp (telnet, nc, etc).
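The symptom in the description (TCP 23 reachable when the security group only allows 22) is consistent with a port mask that is one bit too wide. As an added example, not neutron's code and not part of the original report, this Python sketch splits a port range into value/mask pairs and brute-force checks which ports a set of pairs matches outside the intended range. All function names are hypothetical, and the `(22, 0xFFFE)` pair is constructed for illustration, not a mask taken from this bug.

```python
def range_to_masks(port_min, port_max):
    """Split [port_min, port_max] into (value, mask) pairs for 16-bit ports.

    A pair matches every port p where p & mask == value.
    """
    if not 0 <= port_min <= port_max <= 0xFFFF:
        raise ValueError("invalid port range")
    pairs = []
    lo = port_min
    while lo <= port_max:
        # Largest power-of-two block that is aligned at lo ...
        size = lo & -lo if lo else 0x10000
        # ... shrunk until it no longer runs past port_max.
        while lo + size - 1 > port_max:
            size >>= 1
        pairs.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return pairs


def ports_matched(pairs):
    """Brute-force the set of ports matched by the (value, mask) pairs."""
    return {p for p in range(0x10000) for v, m in pairs if p & m == v}


def leaked_ports(pairs, port_min, port_max):
    """Ports the pairs match that lie outside the intended range."""
    return sorted(ports_matched(pairs) - set(range(port_min, port_max + 1)))


def as_hex(pairs):
    """Format pairs as value/mask hex strings (masked port match form)."""
    return ["0x%04x/0x%04x" % pair for pair in pairs]


if __name__ == "__main__":
    good = range_to_masks(22, 22)
    print(as_hex(good), "leaks:", leaked_ports(good, 22, 22))
    # Constructed over-wide mask: the low bit is ignored, so 23 matches too.
    bad = [(22, 0xFFFE)]
    print(as_hex(bad), "leaks:", leaked_ports(bad, 22, 22))
```

Running `leaked_ports` over the masks a driver generates for each security group rule gives a regression check that no rule admits a port outside its configured range.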
description: | updated |
Changed in neutron: | |
assignee: | nobody → Inessa Vasilevskaya (ivasilevskaya) |
Changed in neutron: | |
status: | New → Confirmed |
Changed in neutron: | |
status: | Confirmed → In Progress |
Changed in neutron: | |
assignee: | Inessa Vasilevskaya (ivasilevskaya) → IWAMOTO Toshihiro (iwamoto) |
Changed in neutron: | |
assignee: | IWAMOTO Toshihiro (iwamoto) → Inessa Vasilevskaya (ivasilevskaya) |
tags: | added: mitaka-backport-potential |
Changed in neutron: | |
assignee: | Inessa Vasilevskaya (ivasilevskaya) → Jakub Libosvar (libosvar) |
Changed in neutron: | |
assignee: | Jakub Libosvar (libosvar) → Inessa Vasilevskaya (ivasilevskaya) |
summary: |
- [ovs firewall] Port 23 is open on booted vms with only ping/ssh on 22 - allowed.
+ [ovs firewall] Port masking adds wrong masks in several cases. |
Changed in neutron: | |
milestone: | none → newton-rc1 |
tags: | added: newton-rc-potential |
Changed in neutron: | |
milestone: | newton-rc1 → ocata-1 |
Changed in neutron: | |
milestone: | ocata-1 → newton-rc2 |
tags: | added: newton-rc-potential |
tags: | added: ovs-fw |
tags: | removed: newton-rc-potential |
tags: | added: neutron-proactive-backport-potential |
tags: | removed: neutron-proactive-backport-potential |
tags: | removed: mitaka-backport-potential |
information type: | Public Security → Public |
Related fix proposed to branch: master
Review: https://review.openstack.org/353782