Public bug reported: Right now, port security API - seems to [1] - disable both ACL filtering (SGs) and anti-spoofing (allowed address pairs logic). An argument may be made to allow to disable anti-spoofing but still implement ACL filtering on a port. (This actually happened in one of synthetic NFV test environments in-house.) In this case, the user story would look like as follows:
0. A user creates a SG with TCP blocked. 1. A user creates a port using this SG. 2. A user uses a new API to mark the port to allow MAC spoofing. 3. A user sends TCP traffic using a different MAC through the port and sees it blocked. 4. A user sends UDP traffic using a different MAC through the port and see it's not blocked. Allowed-address-pairs API allows to specify masks for IP addresses, effectively allowing to match against ANY IP address using /0 mask. But MAC address part of the API doesn't support masks or other ways to list groups of addresses. Perhaps the feature request may be fulfilled by extending the API to allow a way to list groups of MAC addresses in anti-spoofing mechanism (either via a hardcoded special value like "ANY" or via a mask). This doesn't necessarily mean it's the optimal way to do it, throwing it here just as an idea to explore. [1] https://bugs.launchpad.net/neutron/+bug/1946250 ** Affects: neutron Importance: Undecided Status: New ** Tags: api rfe sg-fw ** Description changed: Right now, port security API - seems to [1] - disable both ACL filtering (SGs) and anti-spoofing (allowed address pairs logic). An argument may be made to allow to disable anti-spoofing but still implement ACL filtering on a port. (This actually happened in one of synthetic NFV test environments in-house.) In this case, the user story would look like as follows: 0. A user creates a SG with TCP blocked. 1. A user creates a port using this SG. 2. A user uses a new API to mark the port to allow MAC spoofing. - 3. A user sends TCP traffic through the port and sees it blocked. - 4. A user sends UDP traffic through the port and see it's not blocked. + 3. A user sends TCP traffic using a different MAC through the port and sees it blocked. + 4. A user sends UDP traffic using a different MAC through the port and see it's not blocked. Allowed-address-pairs API allows to specify masks for IP addresses, effectively allowing to match against ANY IP address using /0 mask. But MAC address part of the API doesn't support masks or other ways to list groups of addresses. Perhaps the feature request may be fulfilled by extending the API to allow a way to list groups of MAC addresses in anti-spoofing mechanism (either via a hardcoded special value like "ANY" or via a mask). This doesn't necessarily mean it's the optimal way to do it, throwing it here just as an idea to explore. [1] https://bugs.launchpad.net/neutron/+bug/1946250 -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1946251 Title: API: allow to disable anti-spoofing but not SGs Status in neutron: New Bug description: Right now, port security API - seems to [1] - disable both ACL filtering (SGs) and anti-spoofing (allowed address pairs logic). An argument may be made to allow to disable anti-spoofing but still implement ACL filtering on a port. (This actually happened in one of synthetic NFV test environments in-house.) In this case, the user story would look like as follows: 0. A user creates a SG with TCP blocked. 1. A user creates a port using this SG. 2. A user uses a new API to mark the port to allow MAC spoofing. 3. A user sends TCP traffic using a different MAC through the port and sees it blocked. 4. A user sends UDP traffic using a different MAC through the port and see it's not blocked. Allowed-address-pairs API allows to specify masks for IP addresses, effectively allowing to match against ANY IP address using /0 mask. But MAC address part of the API doesn't support masks or other ways to list groups of addresses. Perhaps the feature request may be fulfilled by extending the API to allow a way to list groups of MAC addresses in anti-spoofing mechanism (either via a hardcoded special value like "ANY" or via a mask). This doesn't necessarily mean it's the optimal way to do it, throwing it here just as an idea to explore. [1] https://bugs.launchpad.net/neutron/+bug/1946250 To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1946251/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
