Reviewed:  https://review.openstack.org/538154
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9a620f6ea51f5696310283869e68f6a1d49164d1
Submitter: Zuul
Branch:    master

commit 9a620f6ea51f5696310283869e68f6a1d49164d1
Author: Chandan Dutta Chowdhury <[email protected]>
Date:   Fri Jan 26 05:23:16 2018 +0000

    This patch changes the CT zone allocation range

    SG with hybrid-iptables driver uses per port conntrack zones.
    FWaaS port security uses per network conntrack zones based on
    local vlans assigned by ovs l2 agent.

    In case both SG iptables-hybrid driver and FWaaS port security are
    enabled, there is a possibility of iptables-hybrid and OVS based
    FWaaS driver allocating overlapping zones and creating security
    holes.

    This patch changes the zone allocation range for iptables and
    hybrid_iptables driver to 4097 - 65535, while OVS based port
    security driver can use zones based on local vlan range 1 - 4096.

    Closes-Bug: #1745642
    Change-Id: I4d51637ed1de8fe85b4982a03410d4a3f637ea3f

** Changed in: neutron
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1745642

Title:
  SG hybrid iptables driver and FWaaS OVS driver create overlapping
  conntrack zones

Status in neutron:
  Fix Released

Bug description:
  SG with hybrid-iptables driver uses per port conntrack zones. FWaaS
  port security uses per network conntrack zones based on local vlans
  assigned by ovs l2 agent. In case both SG iptables-hybrid driver and
  FWaaS port security are enabled, there is a possibility of
  iptables-hybrid and OVS based FWaaS driver allocating overlapping
  zones and creating security holes.
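The check below is an added example, not neutron's code and not part of the
commit or bug report above. It audits a compute node for the condition the bug
describes: a conntrack zone number that both the iptables-hybrid security-group
rules (`-j CT --zone N`) and the OVS ct() flows stamp on traffic, so that both
firewalls share conntrack state for it. The two ranges it checks against
(OVS local-VLAN zones 1-4096, iptables zones 4097-65535) are the ones stated in
the commit message; the pre-fix allocator starting at zone 1, the sample
`iptables-save` and `ovs-ofctl dump-flows` lines, and every function name are
this example's own assumptions and constructed input. Flows that take the zone
from a register (`zone=NXM_NX_REG6[0..15]`) are counted but not resolved, since
that needs the matching `load:` action.

```python
"""Audit iptables-save and ovs-ofctl dump-flows text for shared conntrack zones.

Added example; the ranges come from the neutron commit message above, the
input samples are constructed, and the helper names are not neutron's.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Set

# Ranges stated in the commit message (post-fix partition).
OVS_LOCAL_VLAN_ZONES = range(1, 4097)        # 1 - 4096
IPTABLES_ZONES_FIXED = range(4097, 65536)    # 4097 - 65535

# Literal zone in an xt_CT rule, e.g. "... -j CT --zone 4098".
_IPT_ZONE_RE = re.compile(r"\s-j CT\b.*?--zone (\d+)")
# Literal zone in an OVS ct() action, e.g. "actions=ct(commit,zone=7,table=72)".
_OVS_ZONE_RE = re.compile(r"ct\([^)]*\bzone=(\d+)")
# Zone taken from a register; the value is set by an earlier load: action
# and is not resolved by this line-oriented check.
_OVS_REG_ZONE_RE = re.compile(r"ct\([^)]*\bzone=NXM_NX_REG\d+")


class OvsZones(NamedTuple):
    literal: Set[int]      # zones given as integers in ct() actions
    register_based: int    # ct() actions whose zone comes from a register


def iptables_zones(save_output: str) -> Set[int]:
    """Zones used by -j CT rules in iptables-save text."""
    return {int(m.group(1)) for m in _IPT_ZONE_RE.finditer(save_output)}


def ovs_zones(dump_flows_output: str) -> OvsZones:
    """Literal zones in ct() actions plus a count of register-based ones."""
    literal = {int(m.group(1)) for m in _OVS_ZONE_RE.finditer(dump_flows_output)}
    unresolved = len(_OVS_REG_ZONE_RE.findall(dump_flows_output))
    return OvsZones(literal, unresolved)


def overlapping_zones(ipt: Iterable[int], ovs: Iterable[int]) -> List[int]:
    """Zones both firewalls use: their conntrack entries are shared."""
    return sorted(set(ipt) & set(ovs))


def out_of_partition(ipt: Iterable[int], ovs: Iterable[int]) -> Dict[str, List[int]]:
    """Zones outside the post-fix partition (iptables 4097-65535, OVS 1-4096)."""
    return {
        "iptables": sorted(z for z in ipt if z not in IPTABLES_ZONES_FIXED),
        "ovs": sorted(z for z in ovs if z not in OVS_LOCAL_VLAN_ZONES),
    }


def audit(save_output: str, dump_flows_output: str) -> Dict[str, object]:
    """Combine the three checks into one report for a node."""
    ipt = iptables_zones(save_output)
    ovs = ovs_zones(dump_flows_output)
    return {
        "overlap": overlapping_zones(ipt, ovs.literal),
        "out_of_partition": out_of_partition(ipt, ovs.literal),
        "unresolved_ovs_flows": ovs.register_based,
    }


# Constructed sample in the shape of iptables-save raw-table output from a
# pre-fix agent; per-port zones 7 and 8 assume the old allocator started at 1.
IPTABLES_SAVE_PRE_FIX = """\
*raw
:neutron-openvswi-PREROUTING - [0:0]
-A neutron-openvswi-PREROUTING -m physdev --physdev-in qvb1a2b3c4d-5e --physdev-is-bridged -j CT --zone 7
-A neutron-openvswi-PREROUTING -m physdev --physdev-in qvb6f7a8b9c-0d --physdev-is-bridged -j CT --zone 8
COMMIT
"""

# The same two ports with zones drawn from the post-fix range 4097-65535.
IPTABLES_SAVE_POST_FIX = (
    IPTABLES_SAVE_PRE_FIX.replace("--zone 7", "--zone 4097").replace("--zone 8", "--zone 4098")
)

# Constructed sample in the shape of ovs-ofctl dump-flows output from an
# OVS-based FWaaS driver: zone = local VLAN of the network (7 and 9), plus one
# flow whose zone is loaded from reg6 and so is only counted, not resolved.
OVS_DUMP_FLOWS = """\
 cookie=0x1, duration=10.5s, table=71, n_packets=0, n_bytes=0, priority=90,ip,dl_vlan=7 actions=ct(commit,zone=7,table=72)
 cookie=0x1, duration=10.5s, table=71, n_packets=0, n_bytes=0, priority=90,ip,dl_vlan=9 actions=ct(commit,zone=9,table=72)
 cookie=0x1, duration=10.5s, table=71, n_packets=0, n_bytes=0, priority=80,ip actions=ct(commit,zone=NXM_NX_REG6[0..15],table=72)
"""

if __name__ == "__main__":
    # Pre-fix: port zone 7 collides with the VLAN-7 network zone.
    print("pre-fix :", audit(IPTABLES_SAVE_PRE_FIX, OVS_DUMP_FLOWS))
    # Post-fix: ranges are disjoint, no overlap is possible.
    print("post-fix:", audit(IPTABLES_SAVE_POST_FIX, OVS_DUMP_FLOWS))
```

On a real node feed it `iptables-save -t raw` and `ovs-ofctl -O OpenFlow13 dump-flows br-int`; a non-empty `overlap` list, or any zone reported under `out_of_partition`, means an agent is still running the pre-fix allocator. A non-zero `unresolved_ovs_flows` count means the OVS side sets zones from a register and the `load:` actions feeding that register must be decoded before the overlap result can be trusted.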

