Comment 1 for bug 1978497

Brian Haley (brian-haley) wrote :

Just to be clear, this is talking about the neutron-fwaas component, correct?

When the v2 of the API was created, it actually talks about this specific issue in the "Multiple Firewall Policies" section:

https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html

That said, I can see how there's the possibility that something could get dropped based on how things are created.

But how can something be allowed and create a security vulnerability? If you have created a group/rule that allows a packet to pass but the ordering disallows it (by accident), but a restart somehow shifts the order to then allow it, that doesn't seem like a bug. In this case you did want to let the packet through and it just wasn't happening in some circumstances. Can you outline a case where rules were misapplied? Maybe I'm misunderstanding.