Comment 6 for bug 2058138

Robert Breker (rbreker) wrote:

> [Brian Haley] not sure if it also needs a change in _expand_sg_rule_with_remote_ips().

Indeed. A change to _expand_sg_rule_with_remote_ips() is needed to also fix the issue for enable_ipset=False.
This is now fixed in Enhance-IptablesFirewallDriver-with-remote-address-g-v2.patch

> [Lajos Katona] do you plan / are you able to push your patch upstream?

I'd be happy to give this a try, as soon as the group confirms that no embargo is needed.

> [Jeremy Stanley] Based on the description, this sounds like a situation that an attacker wouldn't be able to create, but rather a security feature not working as intended leaving systems exposed to subsequent attacks. Is that an accurate assessment?

Yes, exactly.
Please let me know whether I should submit the patch using Gerrit.

> [Jeremy Stanley] Can someone work out what earlier releases may also be affected?

Address groups were first introduced in Wallaby [1], and all releases including and since Wallaby seem affected.

[1] https://releases.openstack.org/wallaby/highlights.html