Reviewed: https://review.openstack.org/642145
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4350ed3c3556388eaa7f8623ed05b5adc86e9c16
Submitter: Zuul
Branch: master

commit 4350ed3c3556388eaa7f8623ed05b5adc86e9c16
Author: Brian Haley <[email protected]>
Date: Fri Mar 8 15:24:24 2019 -0500

    Better handle ports in security groups

    After taking a closer look at bug 1818385, I found a couple of
    follow-on things to fix in the security group code.

    First, there are very few protocols that accept ports, especially
    via iptables. For this reason I think it's acceptable that the API
    rejects them as invalid.

    Second, UDPlite has some interesting support in iptables. It does
    not support using --dport directly, but does using
    '-m multiport --dports 123', and also supports port ranges using
    '-m multiport --dports 123:124'. Added code for this special case.

    Change-Id: Ifb2e6bb6c7a2e2987ba95040ef5a98ed50aa36d4
    Closes-Bug: #1818385

** Changed in: neutron
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1818385

Title:
  It's possible to add a security group rule for VRRP with a dport (CVE-2019-9735)

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Triaged

Bug description:
  This command should be invalid, but Neutron (Rocky) allows it to be created.

  > openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112

  Since iptables does not allow dst-port to be passed, it would trigger the following error on the compute node and fail to apply any future iptables rules.

  > unknown option "--dport"

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1818385/+subscriptions
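The two behaviours the commit describes, as an added Python example that is not neutron's own code: a port range on a protocol that cannot carry one (such as VRRP) is rejected at validation time, so it never reaches iptables and triggers the `unknown option "--dport"` failure that blocks all later rule application, and UDPlite gets the `-m multiport --dports` form for both single ports and ranges. The set of port-bearing protocols, the numeric protocol aliases and the function names are assumptions.

```python
# Added example, not neutron's code. Models the validation and the
# iptables argument construction described in the commit message.

# Assumption: the protocols for which iptables can match a destination port.
PORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp", "dccp"}
# IANA protocol numbers accepted as aliases (assumption: API allows numbers).
PROTO_NUMBERS = {"6": "tcp", "17": "udp", "136": "udplite",
                 "132": "sctp", "33": "dccp", "112": "vrrp"}


class InvalidSecurityGroupRule(ValueError):
    """Raised when a rule would be rejected by the API."""


def normalize_protocol(protocol):
    """Map a protocol name or number to a lower-case name."""
    proto = (protocol or "").strip().lower()
    return PROTO_NUMBERS.get(proto, proto)


def validate_port_range(protocol, port_min, port_max):
    """Reject a port range on a protocol iptables cannot match ports for."""
    if port_min is None and port_max is None:
        return  # no ports requested: fine for any protocol
    proto = normalize_protocol(protocol)
    if proto not in PORT_PROTOCOLS:
        raise InvalidSecurityGroupRule(
            "protocol %r does not support port ranges" % (protocol,))
    if port_min is None or port_max is None:
        raise InvalidSecurityGroupRule("both ends of the range are required")
    if not 1 <= port_min <= port_max <= 65535:
        raise InvalidSecurityGroupRule("port range %s:%s is invalid"
                                       % (port_min, port_max))


def iptables_port_args(protocol, port_min, port_max):
    """Build the destination-port match arguments for one rule."""
    validate_port_range(protocol, port_min, port_max)
    if port_min is None:
        return []
    proto = normalize_protocol(protocol)
    ports = (str(port_min) if port_min == port_max
             else "%s:%s" % (port_min, port_max))
    # UDPlite has no --dport; iptables only accepts the multiport match.
    if proto == "udplite" or port_min != port_max:
        return ["-m", "multiport", "--dports", ports]
    return ["--dport", ports]
```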

