commit 872c6ad2cd2e80933f1bf8b8ad6a0e0c1a0169e6
Author: Robert Breker <email address hidden>
Date: Sun Mar 17 14:43:50 2024 +0000
Enhance IptablesFirewallDriver with remote address groups
This change enhances the IptablesFirewallDriver with support for remote
address groups. Previously, this feature was only available in the
OVSFirewallDriver. This commit harmonizes the capabilities across both
firewall drivers, and by inheritance also to OVSHybridIptablesFirewallDriver.
Background -
The Neutron API allows operators to configure remote address groups [1],
however the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do
not implement these remote group restrictions. When configuring security
group rules with remote address groups, connections get enabled
based on other rule parameters, ignoring the configured remote address
group restrictions.
This behaviour undocumented, and may lead to more-open-than-configured network
access.
Closes-Bug: #2058138
Change-Id: I76b3cb46ee603fa5e829537af41316bb42a6f30f
(cherry picked from commit 5e1188ef38da3f196aadf82a3842fa982c9a0c83)
Reviewed: https:/ /review. opendev. org/c/openstack /neutron/ +/914585 /opendev. org/openstack/ neutron/ commit/ 872c6ad2cd2e809 33f1bf8b8ad6a0e 0c1a0169e6
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/2023.1
commit 872c6ad2cd2e809 33f1bf8b8ad6a0e 0c1a0169e6
Author: Robert Breker <email address hidden>
Date: Sun Mar 17 14:43:50 2024 +0000
Enhance IptablesFirewal lDriver with remote address groups
This change enhances the IptablesFirewal lDriver with support for remote Driver. This commit harmonizes the capabilities across both esFirewallDrive r.
address groups. Previously, this feature was only available in the
OVSFirewall
firewall drivers, and by inheritance also to OVSHybridIptabl
Background - esFirewallDrive r and IptablesFirewal lDriver do than-configured network
The Neutron API allows operators to configure remote address groups [1],
however the OVSHybridIptabl
not implement these remote group restrictions. When configuring security
group rules with remote address groups, connections get enabled
based on other rule parameters, ignoring the configured remote address
group restrictions.
This behaviour undocumented, and may lead to more-open-
access.
Closes-Bug: #2058138 a5e829537af4131 6bb42a6f30f 96aadf82a3842fa 982c9a0c83)
Change-Id: I76b3cb46ee603f
(cherry picked from commit 5e1188ef38da3f1