Apologies for multiple posts, I forgot to set a proper subject in the previous one.
I'd like to turn attention to the broken port rule masking problem,
which affects 2 projects so far:
neutron (mitaka+ with ovs firewall driver configuration) and
To keep it short: the existing port masking implementation is broken and in
several cases it will either leave a range of ports open (causing
unrestricted access) or make some ports inaccessible (when they should be
open) because of a bad tp_src value being generated.
2 solutions have been proposed so far:
* The "low-level one" with O(log n) complexity by IWAMOTO Toshihiro and me
* The "high-level one" with O(n^2) complexity by Jakub Libosvar 
As long as the bug looks like a security vulnerability and is kind of
critical for ovs firewall feature, maybe we should choose one algorithm to
go on with and have this fixed in Newton?
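Added illustration, not part of the original post and not either of the proposed patches: a textbook conversion of a port range into value/mask pairs of the kind used for masked tp_src matches, with an exhaustive check that reports ports a rule set wrongly opens or wrongly blocks. The function names and the sample ranges are constructed for this example.

```python
PORT_BITS = 16
PORT_MAX = (1 << PORT_BITS) - 1


def port_range_to_masks(lo, hi):
    """Return (value, mask) pairs that together match exactly ports lo..hi."""
    if not (0 <= lo <= hi <= PORT_MAX):
        raise ValueError("invalid port range")
    rules = []
    while lo <= hi:
        # The largest aligned block starting at lo is bounded by lo's lowest set bit.
        size = (lo & -lo) if lo else (1 << PORT_BITS)
        # Shrink the block until it no longer runs past the end of the range.
        while lo + size - 1 > hi:
            size >>= 1
        rules.append((lo, PORT_MAX & ~(size - 1)))
        lo += size
    return rules


def matched_ports(rules):
    """Every 16-bit port matched by at least one (value, mask) rule."""
    return {p for p in range(PORT_MAX + 1)
            if any(p & mask == value for value, mask in rules)}


def check_exact(lo, hi, rules):
    """Return (wrongly_open, wrongly_blocked) port lists for a rule set."""
    got = matched_ports(rules)
    want = set(range(lo, hi + 1))
    return sorted(got - want), sorted(want - got)


def fmt(rules):
    """Render rules as value/mask strings, e.g. 0x03e8/0xfff8."""
    return ["0x%04x/0x%04x" % rule for rule in rules]


if __name__ == "__main__":
    for lo, hi in [(1000, 1007), (22, 80), (1, 65535)]:   # constructed ranges
        rules = port_range_to_masks(lo, hi)
        print(lo, hi, fmt(rules), check_exact(lo, hi, rules))
    # Constructed faulty rule set for 1000..1007: the mask is one bit too short,
    # so the rule also matches 992..999, which should stay closed.
    print(check_exact(1000, 1007, [(992, 0xFFF0)]))
```

Running the same exhaustive check over the output of any candidate fix is cheap for 16-bit ports and catches both failure modes described above.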