[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired


  rules referencing security group members expose VMs in overlapping IP

Status in neutron:

Bug description:
  create SG1 and SG2 that only allow traffic to members of their own group
  create two networks with same CIDR
  create port1 in SG1 on net1 with IP
  create port2 in SG1 on net2 with IP
  create port3 in SG2 on net1 with IP

  port1 can communicate with port3 because of the allow rule for port2's

  This violates the constraints of the configured security groups.

  Another incarnation of the bug happens if you:

  (graphic representation: 
  create SG1 and SG2, that only allow traffic to members of their own group
  create two network segments (N1, N2)
  create another network segment (N3)
  add a router R that connects N1 to N3

  then add IPa, IPb to SG1 on N1
  add IPc, IPd to SG1 on N2

  then add IPc and IPd to SG2 on N3

  IPa and IPb will accept traffic from ports with IPc and IPd on SG2
  even if they should not.

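The first scenario in the report can be modelled as an audit over a port inventory. This is an added example, not part of the bug report or of neutron's code: the Port class, the exposures() function, the scope_by_network switch and the IP addresses are all assumptions made for illustration, since the report's own addresses are not shown.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Port:
    name: str
    network: str
    ip: str
    groups: frozenset


def exposures(ports, scope_by_network=False):
    """Return (source, destination, via) triples where `destination` would
    accept traffic from `source` although they share no security group.

    Assumption: each group has one ingress rule, "allow from members of this
    group", and the rule matches on member IP addresses only, as the report
    describes. With scope_by_network=True a member address matches only a
    source on the member's own network (a simplification for comparison;
    routed networks, as in the second scenario, are not modelled).
    """
    found = []
    for src, dst in permutations(ports, 2):
        # In this model only ports on the same network can reach each other,
        # and ports that share a group are allowed to talk by design.
        if src.network != dst.network or src.groups & dst.groups:
            continue
        for member in ports:
            # `member` belongs to one of dst's groups and owns the same
            # address as the unrelated source: the rule cannot tell them apart.
            if not (member.groups & dst.groups) or member.ip != src.ip:
                continue
            if scope_by_network and member.network != src.network:
                continue
            found.append((src.name, dst.name, member.name))
    return found


# Constructed sample data; the addresses are assumed, not taken from the report.
SAMPLE_PORTS = [
    Port("port1", "net1", "10.0.0.5", frozenset({"SG1"})),
    Port("port2", "net2", "10.0.0.6", frozenset({"SG1"})),
    Port("port3", "net1", "10.0.0.6", frozenset({"SG2"})),
]

if __name__ == "__main__":
    print(exposures(SAMPLE_PORTS))
    print(exposures(SAMPLE_PORTS, scope_by_network=True))
```

Each triple names the port whose address in the member list causes the unintended match, which is the entry to look at when reviewing overlapping CIDRs.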