



























(Created page with "= OVN security group rules created before address group support may be ineffective = == Summary == In deployments using the OVN ML2 driver, security group rules referencing...") |
(没有差异) |
In deployments using the OVN ML2 driver, security group rules referencing remote address groups that were created before OVN address group support was added do not enforce source address filtering. The resulting OVN ACLs allow traffic from any source to the destination port.
Before OVN address group support was added, the Neutron API accepted address group references in security group rules without error, but the OVN driver silently ignored them. The resulting ACLs had no source address set, effectively allowing 0.0.0.0/0.
After upgrading, new rules work correctly but pre-existing ones are not fixed. The neutron-ovn-db-sync-util repair mode also does not correct them. Deleting an affected rule via the API orphans the ACL in OVN, which continues to pass traffic.
A fix has been merged that adds a maintenance task to automatically create missing address sets and update affected ACLs on service restart.
Upgrade to a version of neutron containing the fix (Gerrit 976832) and restart the neutron services. The maintenance task will correct pre-existing rules automatically. Operators should verify that orphaned ACLs from previously deleted rules are removed.
James Denton, Rackspace
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。