Hello,

Apologies for multiple posts, forgot to set proper subject in previous one.

I'd like to turn attention to the broken port rule masking problem [1],
which affects 2 projects so far:
neutron (mitaka+ with ovs firewall driver configuration) and
networking-ovs-dpdk [2].

To keep it short: the existing port masking implementation is broken and in
several cases it will either leave a range of ports open (causing
unrestricted access) or make some ports inaccessible (when they should be
open) because of bad tp_src value being generated.

2 solutions have been proposed so far:
* The "low-level one" with O(log n) complexity by IWAMOTO Toshihiro and me
[2]
* The "high-level one" with O(n^2) complexity by Jakub Libosvar [3]

As long as the bug looks like a security vulnerability and is kind of
critical for ovs firewall feature, maybe we should choose one algorithm to
go on with and have this fixed in Newton?

[1] https://bugs.launchpad.net/neutron/+bug/1611991
[2] https://review.openstack.org/#/c/353782/30
[3] https://review.openstack.org/#/c/353782/16

Best regards,
Inessa Vasilevskaya
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to