On 2020-11-25 10:00:22 +0100 (+0100), Slawek Kaplonski wrote:
On Wed, Nov 25, 2020 at 09:58:23AM +0100, Slawek Kaplonski wrote:
On Wed, Nov 25, 2020 at 08:47:03AM +0000, Tobias Urdin wrote:
So to be clear in our case here, we are running 15.1.0 for neutron-server and 15.3.0 for neutron agents.
That means that the agents do work but there is a security issue, as described regarding allowed address-pair, have I understood it correctly?
Yes, as it may have errors while applying SG rules.
But one more thing. I'm not really sure if that is a security issue TBH. By default neutron is dropping traffic to/from instances and you need to allow some kind of traffic by setting security group rules. So if rules will not be applied, some traffic will be dropped but nothing unwanted should be allowed. [...]

I think maybe he was referring specifically to https://launchpad.net/bugs/1867119 (which really should have been marked as a duplicate of https://launchpad.net/bugs/1793029 and the older one reopened instead). In short, it describes an intended/expected behavior, and any potential changes to make it less of a potential foot-cannon were deemed in 1793029 to constitute an API break, so would not have been safe to backport to stable branches. Instead the behavior was highlighted with a warning here:

https://docs.openstack.org/api-ref/network/v2/index.html#allowed-address-pai...

Probably if 1867119 had been redirected to 1793029 as a duplicate and the discussion continued there, attempts to backport the "fix" for it would have gotten shut down quickly, but that's all hindsight now I suppose.

-- 
Jeremy Stanley