bd6203b2c7
When add allowed-address-pair 0.0.0.0/0 to one port, it will
unexpectedly open all others' protocol under same security
group. IPv6 has the same problem.
The root cause is the openflow rules calculation of the
security group, it will unexpectedly allow all IP(4&6)
traffic to get through.
For openvswitch openflow firewall, this patch adds a source
mac address match for the allowed-address-pair which has
prefix lenght 0, that means all ethernet packets from this
mac will be accepted. It exactly will meet the request of
accepting any IP address from the configured VM.
Test result shows that the remote security group and
allowed address pair works:
1. Port has 0.0.0.0/0 allowed-address-pair clould send any
IP (src) packet out.
2. Port has x.x.x.x/y allowed-address-pair could be accepted
for those VMs under same security group.
3. Ports under same network can reach each other (remote
security group).
4. Protocol port number could be accessed only when there
has related rule.
Conflicts:
neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py
Closes-bug: #1867119
Change-Id: I2e3aa7c400d7bb17cc117b65faaa160b41013dde
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| l2 | ||
| l3 | ||
| linux | ||
| windows | ||
| __init__.py | ||
| test_dhcp_agent.py | ||
| test_firewall.py | ||
| test_l2_lb_agent.py | ||
| test_l2_ovs_agent.py | ||
| test_ovs_flows.py | ||
| test_ovs_lib.py | ||