[Openstack-security] [Bug 1244025] Re: Remote security group criteria don't work in Midonet plugin

Ryu Ishimoto 1244025 at bugs.launchpad.net
Mon Mar 24 01:38:40 UTC 2014


Akihiro, it's our fault for not mentioning that this also fixes the
security bug in the commit comment or this page earlier.  As you can
see, the original patch that was submitted for this security bug has
been largely neglected since November of 2013.  A lot has changed in the
backend since then, and we have been fixing issues on the backend side
for faster response.  For Icehouse, to work with the new backend that
contains various fixes, the plugin had to be changed to fit the new API.
This also made it difficult to do it incrementally as it was a
complete overhaul of the API to put more logic in the backend side.
Note that the main purpose of this patch is to achieve feature parity,
with less code to maintain on the Neutron side.  It does contain quota
and ext-gw-mode extensions since they were very minimal to implement but
we can take them out as well.

Since we shouldn't have this issue open for much longer, let's decide on
this.  We have a strong desire to keep our upstream version of Neutron
as our primary de facto Neutron product.   The only option to achieve
this for Icehouse is to have this patch merged as FFE.  We really want
this, and we feel like we have done what we needed to do to get it in
for Icehouse as a feature, but like you said, sometimes, it just doesn't
work out, and we won't make a big fuss about it.  If Mark decides that
this patch should not go in as FFE, then let's close this bug and
abandon the patches.  Thierry, does that work for you?

Thierry, as for the security issue itself, since we have been providing
custom Neutron packages to customers that contain security fixes for
Havana, and since the upstream version does not work with MidoNet, no
one will be exposed to the security issues.  This is not the way we want
to provide the product, but it doesn't look like we have any choice at
this moment, and hopefully this will change for Juno.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1244025

Title:
  Remote security group criteria don't work in Midonet plugin

Status in OpenStack Neutron (virtual network service):
  In Progress
Status in neutron havana series:
  New
Status in OpenStack Security Advisories:
  Confirmed

Bug description:
  When creating a security rule that specifies a remote security group
  (rather than a CIDR range), the Midonet plugin does not enforce this
  criterion. With an egress rule, for example, one of the criteria for a
  particular rule may be that only traffic to security group A will be
  allowed out. This criterion is ignored, and traffic will be allowed
  out regardless of the destination security group, provided that it
  conforms to the rule's other criteria.
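The rule semantics in this bug description, as an added self-contained illustration (not code from the bug report or the MidoNet plugin): a toy Neutron-style rule evaluator that can either honour or ignore a rule's remote_group_id, showing that when the criterion is ignored, an egress rule meant for group A also lets traffic out to hosts outside that group. The group membership table, rule values and packet fields are constructed for the example.

```python
import ipaddress

# Constructed sample data (hypothetical): security group id -> member port IPs.
# A real plugin would resolve this from the Neutron port database.
SG_MEMBERS = {
    "sg-web": {"10.0.0.10", "10.0.0.11"},
    "sg-db": {"10.0.1.20"},
    "sg-other": {"10.0.2.30"},
}


def rule_matches(rule, packet, enforce_remote_group=True):
    """Return True if a Neutron-style security group rule permits the packet.

    rule keys follow the Neutron API: direction, protocol, port_range_min/max,
    and at most one of remote_ip_prefix or remote_group_id.
    packet: direction, protocol, dst_port and remote_ip (the peer address).
    enforce_remote_group=False reproduces the behaviour the bug describes:
    the remote_group_id criterion is silently ignored.
    """
    if rule["direction"] != packet["direction"]:
        return False
    if rule.get("protocol") and rule["protocol"] != packet["protocol"]:
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None and not (lo <= packet["dst_port"] <= hi):
        return False
    if rule.get("remote_ip_prefix"):
        return ipaddress.ip_address(packet["remote_ip"]) in \
            ipaddress.ip_network(rule["remote_ip_prefix"], strict=False)
    if rule.get("remote_group_id"):
        if not enforce_remote_group:
            return True  # bug: the peer's group membership is never consulted
        return packet["remote_ip"] in SG_MEMBERS.get(rule["remote_group_id"], set())
    return True  # no remote criterion at all: any peer matches


def is_allowed(rules, packet, enforce_remote_group=True):
    """Security groups are default-deny: traffic passes only if some rule matches."""
    return any(rule_matches(r, packet, enforce_remote_group) for r in rules)


# Constructed egress rule for sg-web: only TCP/3306 towards members of sg-db.
WEB_RULES = [{"direction": "egress", "protocol": "tcp",
              "port_range_min": 3306, "port_range_max": 3306,
              "remote_group_id": "sg-db"}]
TO_DB = {"direction": "egress", "protocol": "tcp", "dst_port": 3306, "remote_ip": "10.0.1.20"}
TO_OTHER = {"direction": "egress", "protocol": "tcp", "dst_port": 3306, "remote_ip": "10.0.2.30"}


def check_enforcement(rules, packet):
    """Return (decision with remote group ignored, decision with it enforced)."""
    return is_allowed(rules, packet, False), is_allowed(rules, packet, True)
```

Running check_enforcement(WEB_RULES, TO_OTHER) gives (True, False): the ignoring evaluator lets the packet out to a host in sg-other, the enforcing one drops it.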

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1244025/+subscriptions
