neutron

Bug #2058138
Comment #20

Comment 20 for bug 2058138

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-03-28: Fix merged to neutron (stable/2023.2)

#20

Reviewed: https://review.opendev.org/c/openstack/neutron/+/914217
Committed: https://opendev.org/openstack/neutron/commit/377e1f6838fcfd5c20056cafaabc7f69992ad2fa
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 377e1f6838fcfd5c20056cafaabc7f69992ad2fa
Author: Robert Breker <email address hidden>
Date: Sun Mar 17 14:43:50 2024 +0000

Enhance IptablesFirewallDriver with remote address groups

    This change enhances the IptablesFirewallDriver with support for remote
    address groups. Previously, this feature was only available in the
    OVSFirewallDriver. This commit harmonizes the capabilities across both
    firewall drivers, and by inheritance also to OVSHybridIptablesFirewallDriver.

    Background -
    The Neutron API allows operators to configure remote address groups [1],
    however the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do
    not implement these remote group restrictions. When configuring security
    group rules with remote address groups, connections get enabled
    based on other rule parameters, ignoring the configured remote address
    group restrictions.
    This behaviour undocumented, and may lead to more-open-than-configured network
    access.

    Closes-Bug: #2058138
    Change-Id: I76b3cb46ee603fa5e829537af41316bb42a6f30f
    (cherry picked from commit 5e1188ef38da3f196aadf82a3842fa982c9a0c83)
    (cherry picked from commit 0eccc52f826f21459a285c06a454a3b818d30ca0)