Reviewed:  https://review.openstack.org/268192
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=29dffc084164c29b4726dc08bb986f7961e9fa9f
Submitter: Jenkins
Branch:    master
commit 29dffc084164c29b4726dc08bb986f7961e9fa9f
Author: Kevin Benton <[email protected]>
Date:   Fri Jan 15 15:22:03 2016 +0000

    Revert "Change function call order in ovs_neutron_agent."

    This reverts commit 9c72bac0ea37971b2d5430246295c5e8b859b4ed.

    Change-Id: I9b6b588b68f63f6688749d011dc8b20ef80edadc
    Closes-Bug: #1534322

** Changed in: neutron
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1534322

Title:
  On new port, traffic flow is allowed before security groups are programmed

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.

  --

  Description: During the creation of a neutron port, in the ovs_neutron_agent, traffic flow is enabled shortly before security groups are programmed.
  File: neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
  Function: process_network_ports

  Step-by-step: During the creation of a neutron port, the following calls are made:
  - treat_devices_added_or_updated
  - sg_agent.setup_port_filters
  - _bind_devices

  Before early November, process_network_ports called sg_agent.setup_port_filters before it called _bind_devices. This meant that security groups were programmed before traffic flow is enabled by _bind_devices, which sets the port-lvm mapping in br-int.

  Bug #1512636 reversed this order of operation, so that _bind_devices is called before sg_agent.setup_port_filters. This opens up a brief security hole, allowing traffic to flow for a short time before security groups are applied.

  Proposed solution: Revert bug #1512636

--
Mailing list: https://launchpad.net/~yahoo-eng-team
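The ordering problem above can be shown with a small model of the two agent steps. This is an added illustration written for this page, not neutron's own code: FakeBridge, its packet_allowed() logic (a bound port with no filter programmed forwards everything, which is the window the bug report describes), the probe callback and the sample port name and addresses are all assumptions made for the demonstration. process_network_ports() here runs the two calls in either order and invokes the probe between them, standing in for a packet that arrives while the agent is between _bind_devices and sg_agent.setup_port_filters.

```python
# Toy model of the call-order bug in process_network_ports (added example, not neutron code).
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class FakeBridge:
    """Stand-in for br-int plus the per-port security-group filter (assumed model)."""
    bound: Set[str] = field(default_factory=set)                 # ports that have a port->lvm mapping
    filters: Dict[str, Set[str]] = field(default_factory=dict)   # port -> allowed source IPs

    def bind_device(self, port: str) -> None:
        # Models _bind_devices: once the port has its local VLAN mapping, frames are forwarded.
        self.bound.add(port)

    def setup_port_filters(self, port: str, allowed: Set[str]) -> None:
        # Models sg_agent.setup_port_filters: program the security-group rules for the port.
        self.filters[port] = set(allowed)

    def packet_allowed(self, port: str, src_ip: str) -> bool:
        if port not in self.bound:
            return False                     # no mapping yet: nothing is forwarded at all
        rules = self.filters.get(port)
        if rules is None:
            return True                      # bound but unfiltered: the window described in the bug
        return src_ip in rules


def process_network_ports(bridge: FakeBridge, port: str, allowed: Set[str],
                          bind_first: bool, probe: Callable[[FakeBridge], bool]) -> bool:
    """Run the two steps in the chosen order and return what the in-between probe saw."""
    if bind_first:                            # order introduced by the change for bug #1512636
        bridge.bind_device(port)
        seen = probe(bridge)
        bridge.setup_port_filters(port, allowed)
    else:                                     # original order, restored by the revert
        bridge.setup_port_filters(port, allowed)
        seen = probe(bridge)
        bridge.bind_device(port)
    return seen


def demo(bind_first: bool) -> Dict[str, Dict[str, bool]]:
    """Probe with one allowed and one disallowed source; report what got through and when."""
    port = "tapdeadbeef-01"                   # constructed port name
    allowed = {"10.0.0.5"}                    # constructed security-group allow list
    results: Dict[str, Dict[str, bool]] = {}
    for src in ("10.0.0.5", "192.0.2.66"):    # 192.0.2.66 is never allowed by the group
        bridge = FakeBridge()
        during = process_network_ports(bridge, port, allowed, bind_first,
                                       lambda b, s=src: b.packet_allowed(port, s))
        results[src] = {"during_setup": during,
                        "after_setup": bridge.packet_allowed(port, src)}
    return results


if __name__ == "__main__":
    for order in (True, False):
        print("bind first:" if order else "filters first:", demo(order))
```

With bind_first=True the disallowed source is forwarded during setup and only blocked afterwards; with the filters programmed first nothing is forwarded until the port is bound, and the allow list is already in force at that moment. The same check can be applied to a deployed agent by reading process_network_ports in the installed ovs_neutron_agent.py and confirming that setup_port_filters precedes _bind_devices.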

