Neutron OVSHybridIptablesFirewallDriver and IptablesFirewallDriver don't enforce Remote address groups
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Security Advisory |
Incomplete
|
Undecided
|
Unassigned | ||
neutron |
Fix Released
|
High
|
Robert Breker |
Bug Description
High level description -
The Neutron API allows operators to configure remote address groups [1], however the OVSHybridIptabl
This behaviour undocumented, and may lead to more-open-
Background -
Remote address groups enable specifying rules that target many CIDRs efficiently. In line with the remote security group support, this should be implemented through the use of hashed ipsets in case of the IptablesFirewal
Pre-conditions -
* Using OVSHybridIptabl
* Configured remote Address Groups.
Version -
All OpenStack versions with remote address group support are impacted. We noticed it on 2024.1.
[1] https:/
description: | updated |
tags: | added: sg-fw |
Changed in neutron: | |
importance: | Undecided → High |
Changed in neutron: | |
assignee: | nobody → Robert Breker (rbreker) |
Patch for this issue.