Just to be clear, this is talking about the neutron-fwaas component, correct?
When the v2 of the API was created, it actually talks about this specific issue in the "Multiple Firewall Policies" section:
https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html
That said, I can see how there's the possibility that something could get dropped based on how things are created.
But how can something be allowed and create a security vulnerability? If you have created a group/rule that allows a packet to pass but the ordering disallows it (by accident), but a restart somehow shifts the order to then allow it, that doesn't seem like a bug. In this case you did want to let the packet through and it just wasn't happening in some circumstances. Can you outline a case where rules were misapplied? Maybe I'm misunderstanding.