Comment 0 for bug 2058138

High level description -

The Neutron API allows operators to configure remote address groups [1], however the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do not implement these remote group restrictions. When configuring security group rules with remote address groups, connections get enabled based on other rule parameters, ignoring the configured remote address group restrictions.
This behaviour undocumented, and may lead to more-open-than-configured network access.

Background -

Remote address groups enable specifying rules that target many CIDRs efficiently. In line with the remote security group support, this should be implemented through the use of hashed ipsets in case of the IptablesFirewallDriver.

Pre-conditions -
* Using OVSHybridIptablesFirewallDriver or IptablesFirewallDriver
* Configured remote Address Groups.

Version -
Al OpenStack versions with remote address group support are impacted. We noticed it on 2023.1.

[1] https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/address-group.html