Comment 2 for bug 1978497

Anthony (atimmins) wrote :

Yes, this is concerning neutron-fwaas.

Let's take an example where one group looks like this:

openstack firewall group rule create --protocol tcp \
  --destination-ip-address 192.168.0.100 \
  --destination-port 443 \
  --action allow \
  --name webserverA-allow

openstack firewall group rule create --protocol any \
  --destination-ip-address 192.168.0.100 \
  --action deny \
  --name webserverA-deny

openstack firewall group rule create --protocol tcp \
  --destination-ip-address 192.168.0.0/24 \
  --action allow \
  --destination-port 22 \
  --name ssh-allow

openstack firewall group policy create \
  --firewall-rule webserverA-allow \
  --firewall-rule webserverA-deny \
  --firewall-rule ssh-allow \
  testmultiplegroups1

openstack firewall group create \
  --egress-firewall-policy testmultiplegroups1 \
  --name mytestgroup1

Now we'll create a second firewall group to allow tcp 3306 to everything in the subnet. With this group placed below the previous, webserverA (192.168.0.100) would not be included in this allow statement.

openstack firewall group rule create --protocol tcp \
  --destination-ip-address 192.168.0.0/24 \
  --action allow \
  --destination-port 3306 \
  --name mysql-allow

openstack firewall group policy create \
  --firewall-rule mysql-allow \
  testmultiplegroups2

openstack firewall group create \
  --egress-firewall-policy testmultiplegroups2 \
  --name mytestgroup2

The combined rules would be:

  --firewall-rule webserverA-allow
  --firewall-rule webserverA-deny
  --firewall-rule ssh-allow
  --firewall-rule mysql-allow

When the order of the groups is shuffled, the new combined ruleset becomes:

  --firewall-rule mysql-allow
  --firewall-rule webserverA-allow
  --firewall-rule webserverA-deny
  --firewall-rule ssh-allow

TCP 3306 is now unintentionally open to webserverA.
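To make the ordering effect concrete, here is a small first-match evaluator over the two policies from the comment above; it is an added illustration, not neutron-fwaas code, and it assumes the simplest model (rules of all groups concatenated in group order, first matching rule wins, default deny). `order_conflicts` is the audit a defender can run before reordering groups: it lists every pair of rules whose match spaces overlap and whose actions differ, which are exactly the pairs whose relative position decides the outcome.

```python
from ipaddress import ip_address, ip_network

# Constructed rule table mirroring the policies in the comment above
# (hypothetical evaluator, not neutron-fwaas code): (protocol, dest, port, action)
RULES = {
    "webserverA-allow": ("tcp", "192.168.0.100", 443, "allow"),
    "webserverA-deny":  ("any", "192.168.0.100", None, "deny"),
    "ssh-allow":        ("tcp", "192.168.0.0/24", 22, "allow"),
    "mysql-allow":      ("tcp", "192.168.0.0/24", 3306, "allow"),
}
POLICY1 = ["webserverA-allow", "webserverA-deny", "ssh-allow"]  # testmultiplegroups1
POLICY2 = ["mysql-allow"]                                        # testmultiplegroups2


def matches(name, proto, dst_ip, dst_port):
    rproto, rdest, rport, _ = RULES[name]
    return ((rproto == "any" or rproto == proto)
            and ip_address(dst_ip) in ip_network(rdest, strict=False)
            and (rport is None or rport == dst_port))


def evaluate(policies, proto, dst_ip, dst_port, default="deny"):
    """First-match over the concatenated policies; returns (action, rule name)."""
    for policy in policies:
        for name in policy:
            if matches(name, proto, dst_ip, dst_port):
                return RULES[name][3], name
    return default, None


def overlaps(a, b):
    """True if some packet could match both rule a and rule b."""
    pa, da, ta, _ = RULES[a]
    pb, db, tb, _ = RULES[b]
    return ((pa == "any" or pb == "any" or pa == pb)
            and ip_network(da, strict=False).overlaps(ip_network(db, strict=False))
            and (ta is None or tb is None or ta == tb))


def order_conflicts(policies):
    """(earlier, later) pairs with overlapping match space and different
    actions: swapping their relative order changes what the firewall does."""
    flat = [n for p in policies for n in p]
    return [(x, y) for i, x in enumerate(flat) for y in flat[i + 1:]
            if RULES[x][3] != RULES[y][3] and overlaps(x, y)]


if __name__ == "__main__":
    flow = ("tcp", "192.168.0.100", 3306)          # MySQL to webserverA
    print(evaluate([POLICY1, POLICY2], *flow))     # ('deny', 'webserverA-deny')
    print(evaluate([POLICY2, POLICY1], *flow))     # ('allow', 'mysql-allow')
    print(order_conflicts([POLICY1, POLICY2]))
```

The last line reports `webserverA-deny` against both `ssh-allow` and `mysql-allow`, so any reordering that moves an allow above the host-wide deny changes the exposure of 192.168.0.100.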