commit 377e1f6838fcfd5c20056cafaabc7f69992ad2fa
Author: Robert Breker <email address hidden>
Date: Sun Mar 17 14:43:50 2024 +0000
Enhance IptablesFirewallDriver with remote address groups
This change enhances the IptablesFirewallDriver with support for remote
address groups. Previously, this feature was only available in the
OVSFirewallDriver. This commit harmonizes the capabilities across both
firewall drivers, and by inheritance also to OVSHybridIptablesFirewallDriver.
Background -
The Neutron API allows operators to configure remote address groups [1],
however the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do
not implement these remote group restrictions. When configuring security
group rules with remote address groups, connections get enabled
based on other rule parameters, ignoring the configured remote address
group restrictions.
This behaviour undocumented, and may lead to more-open-than-configured network
access.
Closes-Bug: #2058138
Change-Id: I76b3cb46ee603fa5e829537af41316bb42a6f30f
(cherry picked from commit 5e1188ef38da3f196aadf82a3842fa982c9a0c83)
(cherry picked from commit 0eccc52f826f21459a285c06a454a3b818d30ca0)
Reviewed: https:/ /review. opendev. org/c/openstack /neutron/ +/914217 /opendev. org/openstack/ neutron/ commit/ 377e1f6838fcfd5 c20056cafaabc7f 69992ad2fa
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/2023.2
commit 377e1f6838fcfd5 c20056cafaabc7f 69992ad2fa
Author: Robert Breker <email address hidden>
Date: Sun Mar 17 14:43:50 2024 +0000
Enhance IptablesFirewal lDriver with remote address groups
This change enhances the IptablesFirewal lDriver with support for remote Driver. This commit harmonizes the capabilities across both esFirewallDrive r.
address groups. Previously, this feature was only available in the
OVSFirewall
firewall drivers, and by inheritance also to OVSHybridIptabl
Background - esFirewallDrive r and IptablesFirewal lDriver do than-configured network
The Neutron API allows operators to configure remote address groups [1],
however the OVSHybridIptabl
not implement these remote group restrictions. When configuring security
group rules with remote address groups, connections get enabled
based on other rule parameters, ignoring the configured remote address
group restrictions.
This behaviour undocumented, and may lead to more-open-
access.
Closes-Bug: #2058138 a5e829537af4131 6bb42a6f30f 96aadf82a3842fa 982c9a0c83) 59a285c06a454a3 b818d30ca0)
Change-Id: I76b3cb46ee603f
(cherry picked from commit 5e1188ef38da3f1
(cherry picked from commit 0eccc52f826f214