Activity log for bug #1434029
Date | Who | What changed | Old value | New value | Message |
---|---|---|---|---|---|
2015-03-19 10:57:32 | Dmitry Mescheryakov | bug | added bug | ||
2015-03-19 13:28:41 | Alexander Ignatov | summary | Security groups aren’t network topology aware | [Backport bug/1432856]Security groups aren’t network topology aware | |
2015-03-19 13:29:13 | Alexander Ignatov | description | Upstream issue https://bugs.launchpad.net/neutron/+bug/1432856 | Upstream issue https://bugs.launchpad.net/neutron/+bug/1432856 ==================== Original description ==================== Security group rules for a host include all hosts that are members of the security group, even though some can be inaccessible because they aren’t attached to the same router. This introduces two problems. First, it will create unneeded iptables rules on nodes and additional work on neutron-server and on the agent side. Second, in the case of overlapping networks, the rules that result from a host on a completely separate network may end up allowing traffic from an untrusted host on the same network. e.g. Security group SG1 has rules to allow traffic from other members of the same group. Members of SG1 include 10.0.0.2 and 10.0.0.3, which are on two separate networks with overlapping IPs. The iptables rules on 10.0.0.2 will then permit traffic from 10.0.0.3 even though 10.0.0.3 could be an untrusted node on its own network. Workaround: Use a separate security group for each network. This will significantly decrease the calculation load on neutron-server and will also decrease the number of iptables rules on nodes. | |
2015-03-19 13:29:33 | Alexander Ignatov | tags | neutron | neutron scale sg-fw | |
2015-03-19 13:29:51 | Alexander Ignatov | nominated for series | mos/6.0.x | ||
2015-03-19 13:29:51 | Alexander Ignatov | bug task added | mos/6.0.x | ||
2015-03-19 13:30:01 | Alexander Ignatov | mos/6.0.x: assignee | MOS Neutron (mos-neutron) | ||
2015-03-19 13:30:08 | Alexander Ignatov | mos/6.0.x: milestone | 6.0.2 | ||
2015-03-19 13:30:11 | Alexander Ignatov | mos/6.0.x: importance | Undecided | High | |
2015-03-19 13:30:13 | Alexander Ignatov | mos/6.0.x: status | New | Confirmed | |
2015-03-20 10:48:50 | Eugene Nikanorov | mos/6.0.x: status | Confirmed | Opinion | |
2015-03-20 10:48:52 | Eugene Nikanorov | mos: status | Confirmed | Opinion | |
2015-03-20 10:48:58 | Eugene Nikanorov | mos/6.0.x: importance | High | Wishlist | |
2015-03-20 10:49:00 | Eugene Nikanorov | mos: importance | High | Wishlist | |
2015-09-26 11:11:07 | Vitaly Sedelnik | mos/6.0.x: milestone | 6.0.2 | 6.0.1 | |
2015-09-30 10:30:04 | Vitaly Sedelnik | mos: status | Opinion | Won't Fix | |
2015-09-30 10:30:07 | Vitaly Sedelnik | mos/6.0.x: status | Opinion | Won't Fix | |
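The following Python model is an added illustration for the overlapping-network case in the bug description; it is not Neutron's code and not part of the bug report. It reduces security-group expansion to one rule kind ("allow ingress from members of a remote group"), simplifies "reachable" to "attached to the same network", and uses constructed names (net-a, net-b, vm-a1, SG1-net-a, and so on) and the 10.0.0.x addresses from the report. It shows the set of source addresses the agent would whitelist per port when one group spans both networks, why an untrusted host on net-a that takes 10.0.0.3 is then admitted, and how the per-network workaround shrinks both the exposure and the rule count.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Port:
    """A VM port: the network it is attached to, its fixed IP and its groups."""
    name: str
    network: str
    ip: str
    security_groups: FrozenSet[str]


@dataclass(frozen=True)
class SecurityGroup:
    """Only one rule kind is modelled: allow ingress from members of remote_groups."""
    name: str
    remote_groups: Tuple[str, ...]


def members(ports: List[Port], sg_name: str) -> List[Port]:
    return [p for p in ports if sg_name in p.security_groups]


def expand_rules(ports: List[Port], sgs: Dict[str, SecurityGroup],
                 topology_aware: bool = False) -> Dict[str, Set[str]]:
    """Return, per port, the set of source IPs the agent would whitelist
    (think one iptables "-s <ip>/32" rule each).  topology_aware=False is the
    behaviour the bug describes: every remote-group member is whitelisted,
    even one on an unrelated network.  topology_aware=True keeps only members
    on the same network (reachability simplified to "same network" here)."""
    allowed: Dict[str, Set[str]] = {}
    for port in ports:
        srcs: Set[str] = set()
        for sg_name in port.security_groups:
            for remote in sgs[sg_name].remote_groups:
                for m in members(ports, remote):
                    if m.name == port.name:
                        continue
                    if topology_aware and m.network != port.network:
                        continue
                    srcs.add(m.ip)
        allowed[port.name] = srcs
    return allowed


def admits(allowed: Dict[str, Set[str]], port_name: str, src_ip: str) -> bool:
    """Would a packet with source src_ip arriving at port_name pass the
    whitelist?  The packet filter only sees the IP header, not which network
    the sender really sits on, so an overlapping address matches."""
    return src_ip in allowed[port_name]


def rule_count(allowed: Dict[str, Set[str]]) -> int:
    """Number of per-source allow rules the agents would install in total."""
    return sum(len(s) for s in allowed.values())


# Constructed topology from the report: net-a and net-b both use 10.0.0.0/24
# and one group, SG1, spans both networks.
PORTS = [
    Port("vm-a1", "net-a", "10.0.0.2", frozenset({"SG1"})),
    Port("vm-a2", "net-a", "10.0.0.4", frozenset({"SG1"})),
    Port("vm-b1", "net-b", "10.0.0.3", frozenset({"SG1"})),
]
SHARED_SG = {"SG1": SecurityGroup("SG1", ("SG1",))}

# The workaround from the report: one group per network, same rule shape.
PORTS_PER_NET = [
    Port("vm-a1", "net-a", "10.0.0.2", frozenset({"SG1-net-a"})),
    Port("vm-a2", "net-a", "10.0.0.4", frozenset({"SG1-net-a"})),
    Port("vm-b1", "net-b", "10.0.0.3", frozenset({"SG1-net-b"})),
]
PER_NET_SG = {
    "SG1-net-a": SecurityGroup("SG1-net-a", ("SG1-net-a",)),
    "SG1-net-b": SecurityGroup("SG1-net-b", ("SG1-net-b",)),
}

if __name__ == "__main__":
    naive = expand_rules(PORTS, SHARED_SG)
    fixed = expand_rules(PORTS_PER_NET, PER_NET_SG)
    # An attacker on net-a who takes 10.0.0.3 looks like vm-b1 to vm-a1's rules.
    print("shared SG1, whitelist per port:", naive)
    print("10.0.0.3 on net-a admitted to vm-a1:", admits(naive, "vm-a1", "10.0.0.3"))
    print("per-network groups, whitelist per port:", fixed)
    print("admitted after workaround:", admits(fixed, "vm-a1", "10.0.0.3"))
    print("rules installed:", rule_count(naive), "vs", rule_count(fixed))
```

With the shared group, vm-a1 whitelists 10.0.0.3 although no member with that address exists on net-a, so any host on net-a that claims 10.0.0.3 is let in; the per-network groups (or the same expansion run with `topology_aware=True`) produce identical, smaller whitelists and a third of the rules in this toy topology.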