[openstack-dev] [neutron] - L3 scope-aware security groups

Kevin Benton blak111 at gmail.com
Mon Jun 8 21:52:40 UTC 2015


There is a bug in security groups here:
https://bugs.launchpad.net/neutron/+bug/1359523

In the example scenario, it's caused by conntrack zones not being isolated.
But it also applies to the following scenario that can't be solved by zones:

create two networks with same 10.0.0.0/24
create port1 in SG1 on net1 with IP 10.0.0.1
create port2 in SG1 on net2 with IP 10.0.0.2
create port3 in SG2 on net1 with IP 10.0.0.2
create port4 in SG2 on net2 with IP 10.0.0.1

port1 can communicate with port3 because of the allow rule for port2's IP
port2 can communicate with port4 because of the allow rule for port1's IP

The solution will require the security groups processing code to understand
that a member of a security group is not actually reachable by another
member and skip the allow rule for that member.

With the current state of things, it will take a ton of kludgy code to
check for routers and router interfaces to see if two IPs can communicate
without NAT. However, if we end up with the concept of address-scopes, it
just becomes a simple address scope comparison.

Implement address scopes.


Cheers!
-- 
Kevin Benton
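The four-port scenario above, reduced to a small model, as an added example that is not part of the original post and not Neutron's own code. It assumes a hypothetical per-network address-scope mapping (net1 and net2 each in their own scope, so their overlapping 10.0.0.0/24 ranges are not mutually reachable without NAT) and a simplified reachability model where only ports on the same network can exchange packets. The naive rule computation allows every other member's IP regardless of reachability; the scope-aware variant skips members whose scope differs from the port being programmed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    network: str
    sg: str
    ip: str


# Hypothetical address-scope mapping constructed for this example: each
# network is in its own scope, so their addresses never meet without NAT.
SCOPE_OF_NETWORK: Dict[str, str] = {"net1": "scope-A", "net2": "scope-B"}


def address_scope(port: Port) -> str:
    return SCOPE_OF_NETWORK[port.network]


def allowed_remote_ips(port: Port, ports: List[Port], scope_aware: bool) -> Set[str]:
    """IPs admitted to `port` by a remote_group rule naming its own SG:
    every other member of that SG. When scope_aware is set, members in a
    different address scope are skipped, because their traffic can never
    arrive at `port` un-NATed and the allow entry would only match an
    unrelated port that happens to reuse the same address."""
    allowed: Set[str] = set()
    for other in ports:
        if other is port or other.sg != port.sg:
            continue
        if scope_aware and address_scope(other) != address_scope(port):
            continue
        allowed.add(other.ip)
    return allowed


def can_reach(src: Port, dst: Port) -> bool:
    # Constructed topology: no routers, so only same-network ports talk.
    return src.network == dst.network


def traffic_allowed(src: Port, dst: Port, ports: List[Port], scope_aware: bool) -> bool:
    """A packet from src is accepted at dst if it can physically arrive and
    dst's computed allow list contains src's IP."""
    return can_reach(src, dst) and src.ip in allowed_remote_ips(dst, ports, scope_aware)


def cross_sg_leaks(ports: List[Port], scope_aware: bool) -> List[Tuple[str, str]]:
    """(src, dst) pairs where traffic passes although the two ports are in
    different security groups: exactly the bug described in the post."""
    leaks: List[Tuple[str, str]] = []
    for src in ports:
        for dst in ports:
            if src is dst or src.sg == dst.sg:
                continue
            if traffic_allowed(src, dst, ports, scope_aware):
                leaks.append((src.name, dst.name))
    return leaks


# The scenario from the post, as constructed sample data.
PORTS: List[Port] = [
    Port("port1", "net1", "SG1", "10.0.0.1"),
    Port("port2", "net2", "SG1", "10.0.0.2"),
    Port("port3", "net1", "SG2", "10.0.0.2"),
    Port("port4", "net2", "SG2", "10.0.0.1"),
]


if __name__ == "__main__":
    print("naive rules, cross-SG leaks:", cross_sg_leaks(PORTS, scope_aware=False))
    print("scope-aware rules, cross-SG leaks:", cross_sg_leaks(PORTS, scope_aware=True))
```

With the naive computation, port1's allow list holds port2's address 10.0.0.2, which on net1 belongs to port3, so port3 reaches port1 (and symmetrically in the other three cases). With the scope comparison, port1 and port2 are in different scopes, their allow entries for each other are dropped, and no cross-SG pair passes.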