- Bug
- Resolution: Unresolved
- Major
- None
- rhos-18.0.14 FR 4
- None
- 5
- False
- False
- ?
- openstack-neutron-22.2.2-18.0.20260302154936.51e19bb.el9osttrunk
- rhos-connectivity-neutron-gluon
- None
- Priority Bugs
- 1
- Critical
U/S bug: https://bugs.launchpad.net/neutron/+bug/2141589 (currently under embargo)
This issue was fixed upstream in [1], but that patch does not take into account the rules that already exist before it is applied.
The issue: when a security group rule is created using an address group, the ACL that is created does not point to any Address_Set (the OVN equivalent of a Neutron address group). The consequence: the rule does not filter on the IPs/CIDRs selected in the address group and allows any IP address to use the rule.
For example, a rule granting SSH access that is restricted to a set of IP addresses:
$ openstack address group create --address 10.0.0.1/32 ag1
$ openstack security group create sg1
$ openstack security group rule create --proto tcp --dst-port 22 --remote-address-group ag1 sg1
The ACLs created are:
no patch:   outport == @pg_5f5993c2_2593_4aa6_8820_8d47201d9c20 && ip4 && tcp && tcp.dst == 22
with patch: outport == @pg_5f5993c2_2593_4aa6_8820_8d47201d9c20 && ip4 && ip4.src == $ag_02cfde65_103b_4851_9862_154f6a6d07e0_ip4 && tcp && tcp.dst == 22
The first ACL does not filter on ip4.src at all (ip4, in this case, because the address group is IPv4-only), so any source address matches it.
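Since the upstream patch only affects rules created after it is applied, an operator wants a way to audit the ACLs that already exist. The check below is an added example and is not part of the bug report or of Neutron itself: given a Neutron security group rule and the OVN ACL match string generated for it, it flags rules whose ACL lacks the Address_Set reference. The `ag_<uuid with '-' -> '_'>_ip4`/`_ip6` naming and the ingress-filters-source / egress-filters-destination mapping are inferred from the two ACLs quoted above; the rule dictionaries and match strings are constructed sample data.

```python
# Audit helper for the "address group rule without Address_Set" condition.
# Input model (constructed, not Neutron's API objects): a rule is a dict with
# id, direction, ethertype and remote_address_group_id; an ACL is its OVN
# Northbound `match` string.

def expected_address_set_ref(rule):
    """Return the match fragment the ACL for `rule` must contain, or None
    when the rule does not use a remote address group."""
    ag = rule.get("remote_address_group_id")
    if not ag:
        return None
    ipv = "ip6" if rule["ethertype"] == "IPv6" else "ip4"
    # Ingress rules restrict the packet source, egress rules the destination
    # (the quoted ingress ACL uses ip4.src).
    field = "src" if rule["direction"] == "ingress" else "dst"
    # Address_Set naming as seen in the report: ag_<uuid, '-' -> '_'>_<ipv>.
    return f"{ipv}.{field} == $ag_{ag.replace('-', '_')}_{ipv}"

def acl_missing_address_set(rule, match):
    """True when the ACL does not reference the rule's Address_Set,
    i.e. the rule is currently open to any source/destination IP."""
    ref = expected_address_set_ref(rule)
    if ref is None:
        return False
    # Compare whole '&&'-separated terms so a UUID prefix cannot match by accident.
    return ref not in [term.strip() for term in match.split("&&")]

def audit(pairs):
    """Return the ids of rules whose ACL lacks the expected Address_Set."""
    return [rule["id"] for rule, match in pairs if acl_missing_address_set(rule, match)]

# Constructed sample: the SSH rule from the report with the ACL generated
# before the fix, and the same rule (new id) with the ACL generated after it.
RULE = {"id": "rule-ssh", "direction": "ingress", "ethertype": "IPv4",
        "remote_address_group_id": "02cfde65-103b-4851-9862-154f6a6d07e0"}
PG = "@pg_5f5993c2_2593_4aa6_8820_8d47201d9c20"
ACL_BEFORE = f"outport == {PG} && ip4 && tcp && tcp.dst == 22"
ACL_AFTER = (f"outport == {PG} && ip4 && "
             "ip4.src == $ag_02cfde65_103b_4851_9862_154f6a6d07e0_ip4 && tcp && tcp.dst == 22")
SAMPLE = [(RULE, ACL_BEFORE), (dict(RULE, id="rule-ssh-fixed"), ACL_AFTER)]

if __name__ == "__main__":
    print("rules open to any IP:", audit(SAMPLE))  # ['rule-ssh']
```

In a real deployment the (rule, match) pairs would be built from the Neutron rule's remote_address_group_id and the ACL's match column; the function does not query either database.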