> [Brian Haley] not sure if it also needs a change in _expand_sg_rule_with_remote_ips().
Indeed. A change to _expand_sg_rule_with_remote_ips() is needed to also fix the issue for enable_ipset=False.
This is now fixed in Enhance-IptablesFirewallDriver-with-remote-address-g-v2.patch
> [Lajos Katona] do you plan / are you able to push your patch upstream?
I'd be happy to give this a try, as soon as the group confirms that no embargo is needed.
> [Jeremy Stanley] Based on the description, this sounds like a situation that an attacker wouldn't be able to create, but rather a security feature not working as intended leaving systems exposed to subsequent attacks. Is that an accurate assessment?
Yes, exactly.
Please let me know whether I should submit the patch using Gerrit.
> [Jeremy Stanley] Can someone work out what earlier releases may also be affected?
Address groups were first introduced in Wallaby [1], and all releases including and since Wallaby seem affected.
[1] https://releases.openstack.org/wallaby/highlights.html