Comment 11 for bug 1978497

Jeremy Stanley (fungi) wrote :

Re-quoting the relevant part of the spec:

> packets will be allowed if any one of the firewall groups
> associated with that Neutron port allows the packet

Per your description, packets are sometimes blocked and
sometimes allowed depending on the group order, even though the
specification says they should always be allowed. As such, any
backportable solution to this bug on stable branches (if even
possible) will involve making sure the behavior matches the
specification. That the nature of the bug caused you to expect
things to be blocked even though the specification says they
should not be certainly counts as a security risk, and is
something which could suggest it's worthwhile to revisit this
design in future development of the service, but OpenStack is
committed to open design methodologies and avoids redesigning
services in secret.

That said, the OpenStack Vulnerability Management Team does
not officially oversee reports of suspected vulnerabilities
for the neutron-fwaas project, so I'll step back at this point
and let the developers for it decide how they wish to proceed.
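To make the semantics under discussion concrete, here is a small added model (not code from the bug thread or from neutron-fwaas) of how several firewall groups bound to one port combine. The `Rule` and `FirewallGroup` structures, the sample rules and the packet are constructed for illustration and are much simpler than the real API. `order_dependent` models the reported behaviour, where the outcome changes when the groups are reordered; `per_spec` implements the quoted rule that a packet is allowed if any one group allows it, and `order_sensitivity` is a quick check a reviewer can run over a rule set to see whether the two evaluations disagree.

```python
# Added example (not from the bug report or neutron-fwaas): a toy model of
# combining multiple firewall groups on one Neutron port.  All structures
# and sample data here are constructed and simplified.
from dataclasses import dataclass, field
from itertools import permutations
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    protocol: Optional[str] = None     # None matches any protocol
    dst_port: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Dict) -> bool:
        return ((self.protocol is None or self.protocol == pkt["protocol"]) and
                (self.dst_port is None or self.dst_port == pkt["dst_port"]))


@dataclass
class FirewallGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def decision(self, pkt: Dict) -> str:
        """Within one group the first matching rule wins; no match means deny."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


def order_dependent(groups: List[FirewallGroup], pkt: Dict) -> str:
    """Models the reported behaviour: the first rule to match in the first
    group that has a match decides for all groups, so reordering the groups
    can flip the result."""
    for group in groups:
        for rule in group.rules:
            if rule.matches(pkt):
                return rule.action
    return "deny"


def per_spec(groups: List[FirewallGroup], pkt: Dict) -> str:
    """The quoted specification: allowed if any one group allows the packet,
    regardless of the order in which the groups are bound to the port."""
    if any(group.decision(pkt) == "allow" for group in groups):
        return "allow"
    return "deny"


def order_sensitivity(groups: List[FirewallGroup], pkt: Dict) -> Dict[str, set]:
    """Evaluate every ordering of the groups with both strategies and report
    the set of distinct outcomes each one produced.  A spec-conforming
    evaluator must yield exactly one outcome here."""
    results = {"order_dependent": set(), "per_spec": set()}
    for ordering in permutations(groups):
        ordered = list(ordering)
        results["order_dependent"].add(order_dependent(ordered, pkt))
        results["per_spec"].add(per_spec(ordered, pkt))
    return results


# Constructed sample: one group denies SSH, another explicitly allows it.
GROUP_DENY_SSH = FirewallGroup("deny-ssh", [Rule("deny", "tcp", 22)])
GROUP_ALLOW_SSH = FirewallGroup("allow-ssh", [Rule("allow", "tcp", 22)])
SSH_PACKET = {"protocol": "tcp", "dst_port": 22}


def demo() -> Dict[str, object]:
    groups = [GROUP_DENY_SSH, GROUP_ALLOW_SSH]
    return {
        "deny_first": order_dependent(groups, SSH_PACKET),
        "allow_first": order_dependent(groups[::-1], SSH_PACKET),
        "spec": per_spec(groups, SSH_PACKET),
        "sensitivity": order_sensitivity(groups, SSH_PACKET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the order-dependent evaluator returning `deny` with the deny group first and `allow` with it second, while the per-spec evaluator returns `allow` either way; `order_sensitivity` reports two outcomes for the former and one for the latter, which is the property a backportable fix would need to restore.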