When adding allowed-address-pair 0.0.0.0/0 to one port, it will
unexpectedly open all others' protocols under the same security
group. IPv6 has the same problem.
The root cause is the openflow rules calculation of the
security group: it will unexpectedly allow all IP (4&6)
traffic to get through.
For the openvswitch openflow firewall, this patch adds a source
MAC address match for the allowed-address-pair which has
prefix length 0; that means all Ethernet packets from this
MAC will be accepted. It exactly meets the request of
accepting any IP address from the configured VM.
Test results show that the remote security group and
allowed address pair work:
1. A port that has the 0.0.0.0/0 allowed-address-pair could send any
IP (src) packet out.
2. A port that has an x.x.x.x/y allowed-address-pair could be accepted
by those VMs under the same security group.
3. Ports under the same network can reach each other (remote
security group).
4. A protocol port number could be accessed only when there
is a related rule.
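To make the fix described above concrete, here is an added illustrative model (not neutron's own code, and not taken from the patch) of how an allowed-address-pair turns into an OVS flow match. The unfixed variant matches only on the IP prefix, so a /0 pair yields a rule that any source address satisfies; the fixed variant pins every rule to the port's MAC and, for prefix length 0, matches on the MAC alone. The MAC addresses and packets are constructed sample values; `flow_matches` is a hypothetical evaluator for the constructed packet dicts, not OVS's matcher.

```python
import ipaddress

# Constructed sample values (not from the page): the configured VM's MAC
# and the MAC of another port in the same security group.
VM_MAC = "fa:16:3e:00:00:01"
OTHER_MAC = "fa:16:3e:00:00:02"

# Ethertypes for IPv4 and IPv6 frames.
ETHERTYPE = {4: 0x0800, 6: 0x86DD}


def pair_match_unfixed(cidr):
    """Model of the pre-fix behaviour: match on the IP prefix only.

    A prefix length of 0 therefore produces a rule that every source
    address from every port satisfies, which is the over-permissive
    behaviour the bug report describes.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    key = "nw_src" if net.version == 4 else "ipv6_src"
    return {"dl_type": ETHERTYPE[net.version], key: str(net)}


def pair_match_fixed(mac, cidr):
    """Model of the fix: always pin the rule to the port's source MAC.

    For prefix length 0 the rule matches on the MAC alone, i.e. all
    Ethernet frames from that MAC are accepted, whatever IP they carry.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    match = {"dl_src": mac.lower()}
    if net.prefixlen == 0:
        return match
    key = "nw_src" if net.version == 4 else "ipv6_src"
    match.update({"dl_type": ETHERTYPE[net.version], key: str(net)})
    return match


def flow_matches(match, pkt):
    """Hypothetical evaluator: does a constructed packet satisfy a match?

    pkt is a dict with keys dl_src, dl_type and src_ip.
    """
    if "dl_src" in match and pkt["dl_src"].lower() != match["dl_src"]:
        return False
    if "dl_type" in match and pkt["dl_type"] != match["dl_type"]:
        return False
    for key in ("nw_src", "ipv6_src"):
        if key in match:
            src = ipaddress.ip_address(pkt["src_ip"])
            if src not in ipaddress.ip_network(match[key]):
                return False
    return True


if __name__ == "__main__":
    # A packet from a different port with an arbitrary source IP.
    spoofed = {"dl_src": OTHER_MAC, "dl_type": 0x0800, "src_ip": "192.0.2.7"}
    print("unfixed /0 rule admits other port:",
          flow_matches(pair_match_unfixed("0.0.0.0/0"), spoofed))
    print("fixed /0 rule admits other port:  ",
          flow_matches(pair_match_fixed(VM_MAC, "0.0.0.0/0"), spoofed))
```

Running the block shows the unfixed /0 rule accepting the packet from the other port while the fixed rule, which carries a `dl_src` match, rejects it; the same holds for `::/0`, since the IPv6 case collapses to the MAC-only match in exactly the same way.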
Reviewed: https://review.opendev.org/712632
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=00298fe6e84cd7610b39af50e9517885a182f47c
Submitter: Zuul
Branch: master
commit 00298fe6e84cd7610b39af50e9517885a182f47c
Author: LIU Yulong <email address hidden>
Date: Fri Mar 13 18:18:04 2020 +0800
[Security] fix allowed-address-pair 0.0.0.0/0 issue
When adding allowed-address-pair 0.0.0.0/0 to one port, it will
unexpectedly open all others' protocols under the same security
group. IPv6 has the same problem.
The root cause is the openflow rules calculation of the
security group: it will unexpectedly allow all IP (4&6)
traffic to get through.
For the openvswitch openflow firewall, this patch adds a source
MAC address match for the allowed-address-pair which has
prefix length 0; that means all Ethernet packets from this
MAC will be accepted. It exactly meets the request of
accepting any IP address from the configured VM.
Test results show that the remote security group and
allowed address pair work:
1. A port that has the 0.0.0.0/0 allowed-address-pair could send any
IP (src) packet out.
2. A port that has an x.x.x.x/y allowed-address-pair could be accepted
by those VMs under the same security group.
3. Ports under the same network can reach each other (remote
security group).
4. A protocol port number could be accessed only when there
is a related rule.
Closes-bug: #1867119
Change-Id: I2e3aa7c400d7bb17cc117b65faaa160b41013dde