When adding an allowed-address-pair 0.0.0.0/0 to one port, it will
unexpectedly open all others' protocols under the same security
group. IPv6 has the same problem.
The root cause is the OpenFlow rule calculation of the
security group; it will unexpectedly allow all IP(4&6)
traffic to get through.
For the openvswitch OpenFlow firewall, this patch adds a source
MAC address match for the allowed-address-pair which has
prefix length 0, which means all Ethernet packets from this
MAC will be accepted. That exactly meets the request of
accepting any IP address from the configured VM.
Test results show that the remote security group and
allowed address pair work:
1. A port that has a 0.0.0.0/0 allowed-address-pair could send any
IP (src) packet out.
2. A port that has an x.x.x.x/y allowed-address-pair could be accepted
by those VMs under the same security group.
3. Ports under the same network can reach each other (remote
security group).
4. A protocol port number could be accessed only when there
is a related rule.
Reviewed: https://review.opendev.org/744137
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=bd6203b2c7e1e4af63813b307bc4ec1b49516bd5
Submitter: Zuul
Branch: stable/queens

commit bd6203b2c7e1e4af63813b307bc4ec1b49516bd5
Author: LIU Yulong <email address hidden>
Date: Fri Mar 13 18:18:04 2020 +0800

[Security] fix allowed-address-pair 0.0.0.0/0 issue
When adding an allowed-address-pair 0.0.0.0/0 to one port, it will
unexpectedly open all others' protocols under the same security
group. IPv6 has the same problem.
The root cause is the OpenFlow rule calculation of the
security group; it will unexpectedly allow all IP(4&6)
traffic to get through.
For the openvswitch OpenFlow firewall, this patch adds a source
MAC address match for the allowed-address-pair which has
prefix length 0, which means all Ethernet packets from this
MAC will be accepted. That exactly meets the request of
accepting any IP address from the configured VM.
Test results show that the remote security group and
allowed address pair work:
1. A port that has a 0.0.0.0/0 allowed-address-pair could send any
IP (src) packet out.
2. A port that has an x.x.x.x/y allowed-address-pair could be accepted
by those VMs under the same security group.
3. Ports under the same network can reach each other (remote
security group).
4. A protocol port number could be accessed only when there
is a related rule.
Conflicts:
	neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py

Closes-bug: #1867119
Change-Id: I2e3aa7c400d7bb17cc117b65faaa160b41013dde
(cherry picked from commit 00298fe6e84cd7610b39af50e9517885a182f47c)
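As an added, simplified model of the match construction the commit message describes (this is illustrative code, not neutron's own implementation): an IP source match with a /0 prefix is a full wildcard in OpenFlow, so unless the flow also carries the configured MAC as dl_src it accepts IP traffic from every port in the group. Field names follow OVS match syntax; the helper functions, MAC addresses and frame dicts are constructed for the example.

```python
import ipaddress

# Hypothetical model of turning an allowed-address-pair into OVS match
# fields. Not neutron code; it only shows why prefix length 0 is special.
ETHERTYPE = {4: "0x0800", 6: "0x86dd"}
IP_SRC_FIELD = {4: "nw_src", 6: "ipv6_src"}


def pair_match(mac, cidr, fixed):
    """Return match fields for one (mac, cidr) allowed-address-pair.

    fixed=False models the bug: a /0 pair degrades to a dl_type-only match.
    fixed=True models the fix: the /0 pair also matches dl_src, so only
    frames from the configured MAC are accepted.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    match = {"dl_type": ETHERTYPE[net.version]}
    if net.prefixlen == 0:
        # nw_src=0.0.0.0/0 (or ipv6_src=::/0) is a wildcard, so it is omitted.
        if fixed:
            match["dl_src"] = mac.lower()
    else:
        match[IP_SRC_FIELD[net.version]] = str(net)
    return match


def frame_matches(match, frame):
    """Apply the match fields to a constructed frame dict."""
    if frame["dl_type"] != match["dl_type"]:
        return False
    if "dl_src" in match and frame["dl_src"].lower() != match["dl_src"]:
        return False
    for field in ("nw_src", "ipv6_src"):
        if field in match:
            if ipaddress.ip_address(frame["src_ip"]) not in ipaddress.ip_network(match[field]):
                return False
    return True


def accepted_by_pair(mac, cidr, frame, fixed):
    return frame_matches(pair_match(mac, cidr, fixed), frame)


# Constructed sample: port A carries the 0.0.0.0/0 pair; port B is another
# member of the same security group sending from its own MAC and IP.
PORT_A_MAC = "fa:16:3e:00:00:0a"
FRAME_FROM_A = {"dl_type": "0x0800", "dl_src": PORT_A_MAC, "src_ip": "203.0.113.5"}
FRAME_FROM_B = {"dl_type": "0x0800", "dl_src": "fa:16:3e:00:00:0b", "src_ip": "10.0.0.11"}
FRAME6_FROM_B = {"dl_type": "0x86dd", "dl_src": "fa:16:3e:00:00:0b", "src_ip": "2001:db8::2"}
```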