On 22 September 2016 at 05:50, Inessa Vasilevskaya <ivasilevskaya at mirantis.com> wrote:

> Hello,
>
> Apologies for multiple posts, forgot to set a proper subject in the previous one.
>
> I'd like to turn attention to the broken port rule masking problem [1],
> which affects 2 projects so far:
> neutron (mitaka+ with ovs firewall driver configuration) and
> networking-ovs-dpdk [2].
>
> To keep it short: the existing port masking implementation is broken and
> in several cases it will either leave a range of ports open (causing
> unrestricted access) or make some ports inaccessible (when they should be
> open) because of a bad tp_src value being generated.
>
> 2 solutions have been proposed so far:
> * The "low-level one" with O(log n) complexity by IWAMOTO Toshihiro and me [2]
> * The "high-level one" with O(n^2) complexity by Jakub Libosvar [3]
>
> As long as the bug looks like a security vulnerability and is kind of
> critical for the ovs firewall feature, maybe we should choose one algorithm to
> go on with and have this fixed in Newton?

We'll try to converge on a path forward during today's Neutron drivers
meeting. Watch the logs.

Cheers,
Armando

> [1] https://bugs.launchpad.net/neutron/+bug/1611991
> [2] https://review.openstack.org/#/c/353782/30
> [3] https://review.openstack.org/#/c/353782/16
>
> Best regards,
> Inessa Vasilevskaya
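As an added illustration of the property at stake in this thread (not code from Neutron or from either patch under review), the following script decomposes a port range into the OpenFlow value/mask pairs a tp_src match needs and checks a candidate mask set for exactly the two failure modes described: ports wrongly opened and ports wrongly closed. The faulty single-mask pair in the demo is a constructed stand-in, not the original bug.

```python
# Added example, not Neutron's or the patches' code: turn a port range into
# OpenFlow value/mask pairs (tp_src=VALUE/MASK) and check they cover it exactly.

def port_range_to_masks(lo, hi):
    """Return (value, mask) pairs whose union is exactly the ports lo..hi."""
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("port range must lie within 0..65535")
    pairs, cur = [], lo
    while cur <= hi:
        # Largest power-of-two block that is aligned at cur and does not pass hi.
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((cur, 0xFFFF & ~(size - 1)))
        cur += size
    return pairs


def ports_matched(pairs):
    """Expand value/mask pairs into the set of ports a flow match would hit."""
    matched = set()
    for value, mask in pairs:
        free = ~mask & 0xFFFF  # wildcarded bits
        sub = free
        while True:  # enumerate every subset of the wildcarded bits
            matched.add((value & mask) | sub)
            if sub == 0:
                break
            sub = (sub - 1) & free
    return matched


def check_masks(lo, hi, pairs):
    """Return (wrongly_open, wrongly_closed) ports for a candidate mask set."""
    want = set(range(lo, hi + 1))
    got = ports_matched(pairs)
    return sorted(got - want), sorted(want - got)


def flow_matches(pairs):
    """Render pairs as ovs-ofctl style matches, e.g. tp_src=0x3e8/0xfff8."""
    return ["tp_src=0x%x/0x%x" % (v, m) for v, m in pairs]


if __name__ == "__main__":
    # Constructed faulty conversion: a single mask for 1000-1010 both opens
    # 992-999 and leaves 1008-1010 unreachable, the two failure modes reported.
    print(check_masks(1000, 1010, [(1000, 0xFFF0)]))
    print(flow_matches(port_range_to_masks(1000, 1010)))
```

Running check_masks over every rule a driver emits is a cheap unit-test oracle for this class of bug, independent of which decomposition algorithm is finally merged.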