[neutron][operators][all][security-sig] Watch out for updates of stable/train and stable/stein releases in Neutron

Jeremy Stanley fungi at yuggoth.org
Wed Nov 25 15:11:23 UTC 2020


On 2020-11-25 10:00:22 +0100 (+0100), Slawek Kaplonski wrote:
> On Wed, Nov 25, 2020 at 09:58:23AM +0100, Slawek Kaplonski wrote:
> > On Wed, Nov 25, 2020 at 08:47:03AM +0000, Tobias Urdin wrote:
> > 
> > > So to be clear in our case here, we are running 15.1.0 for
> > > neutron-server and 15.3.0 for neutron agents.
> > > 
> > > That means that the agents do work but there is a security
> > > issue, as described regarding allowed address-pair, have I
> > > understood it correctly?
> > 
> > Yes, as it may have errors while applying SG rules.
> 
> But one more thing. I'm not really sure if that is a security issue
> TBH. By default neutron is dropping traffic to/from instances and
> you need to allow some kind of traffic by setting security group
> rules. So if rules will not be applied, some traffic will be
> dropped but nothing unwanted shouldn't be allowed.
[...]

I think maybe he was referring specifically to
https://launchpad.net/bugs/1867119 (which really should have been
marked as a duplicate of
https://launchpad.net/bugs/1793029 and the older one reopened
instead). In short, it describes an intended/expected behavior, and
any potential changes to make it less of a potential foot-cannon
were deemed in 1793029 to constitute an API break, so would not have
been safe to backport to stable branches. Instead the behavior was
highlighted with a warning here:

https://docs.openstack.org/api-ref/network/v2/index.html#allowed-address-pairs

Probably if 1867119 had been redirected to 1793029 as a duplicate
and the discussion continued there, attempts to backport the "fix"
for it would have gotten shut down quickly, but that's all hindsight
now I suppose.
-- 
Jeremy Stanley