Reviewed: https://review.openstack.org/538154
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9a620f6ea51f5696310283869e68f6a1d49164d1
Submitter: Zuul
Branch: master
commit 9a620f6ea51f5696310283869e68f6a1d49164d1
Author: Chandan Dutta Chowdhury <email address hidden>
Date: Fri Jan 26 05:23:16 2018 +0000
This patch changes the CT zone allocation range
SG with hybrid-iptables driver uses per port conntrack zones.
FWaaS port security uses per network conntrack zones based on
local vlans assigned by ovs l2 agent.
In case both the SG iptables-hybrid driver and FWaaS port security are enabled,
there is a possibility of the iptables-hybrid and OVS based FWaaS drivers
allocating overlapping zones and creating security holes.
This patch changes the zone allocation range for the iptables and
hybrid_iptables drivers to 4097 - 65535, while the OVS based
port security driver can use zones based on the local vlan range 1 - 4096.
Closes-Bug: #1745642
Change-Id: I4d51637ed1de8fe85b4982a03410d4a3f637ea3f
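A small model of the collision the commit describes, added here as an illustration and not neutron's own code: the allocator class, the helper names and the sample VLAN ids are hypothetical. It hands out per-port zones from the old start (1) and the new start (4097) and audits them against zones the OVS FWaaS driver would derive from local VLANs.

```python
"""Toy model of the conntrack zone split described in the commit.

Hypothetical code for illustration; it is not neutron's own allocator.
The OVS-based FWaaS driver derives its zone from the local VLAN (1-4096),
while the iptables/iptables_hybrid driver hands out per-port zones from
its own pool.  Before the fix that pool started at 1, so a port zone
could coincide with a zone an FWaaS-protected network was already using.
"""

LOCAL_VLAN_MIN, LOCAL_VLAN_MAX = 1, 4096   # FWaaS zone == local vlan id
OLD_ZONE_MIN, NEW_ZONE_MIN = 1, 4097       # iptables pool start, before/after fix
ZONE_MAX = 65535                           # conntrack zone is a 16-bit value


class PortZoneAllocator:
    """Hands out one conntrack zone per port from [zone_min, ZONE_MAX]."""

    def __init__(self, zone_min):
        self._free = iter(range(zone_min, ZONE_MAX + 1))
        self.zones = {}  # port_id -> zone

    def allocate(self, port_id):
        if port_id not in self.zones:
            self.zones[port_id] = next(self._free)
        return self.zones[port_id]


def overlapping_zones(port_zones, local_vlans):
    """Return sorted (port_id, zone) pairs whose iptables zone collides with
    a zone the OVS FWaaS driver derives from a local VLAN currently in use."""
    vlan_zones = {v for v in local_vlans if LOCAL_VLAN_MIN <= v <= LOCAL_VLAN_MAX}
    return sorted((p, z) for p, z in port_zones.items() if z in vlan_zones)


def simulate(zone_min, n_ports, local_vlans):
    """Allocate n_ports zones from zone_min and report collisions."""
    alloc = PortZoneAllocator(zone_min)
    for i in range(n_ports):
        alloc.allocate("port-%d" % i)
    return overlapping_zones(alloc.zones, local_vlans)


if __name__ == "__main__":
    # Constructed sample: three FWaaS networks got local vlans 1, 2 and 7.
    vlans = {1, 2, 7}
    print("old range collisions:", simulate(OLD_ZONE_MIN, 10, vlans))
    print("new range collisions:", simulate(NEW_ZONE_MIN, 10, vlans))
```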