[Bug 2058138] Re: Neutron OVSHybridIptablesFirewallDriver and IptablesFirewallDriver don't enforce Remote address groups

Brian Haley 2058138 at bugs.launchpad.net
Mon Apr 7 20:38:55 UTC 2025 

** Also affects: cloud-archive
   Importance: Undecided
       Status: New

** Also affects: neutron (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: neutron (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: neutron (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: neutron (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Changed in: neutron (Ubuntu Noble)
       Status: New => Fix Released

** Changed in: neutron (Ubuntu)
     Assignee: (unassigned) => Brian Haley (brian-haley)

** Also affects: neutron/yoga
   Importance: Undecided
       Status: New

** No longer affects: neutron/yoga

** Also affects: cloud-archive/bobcat
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/antelope
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/caracal
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/yoga
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/zed
   Importance: Undecided
       Status: New

** Changed in: cloud-archive/caracal
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2058138

Title:
  Neutron OVSHybridIptablesFirewallDriver and IptablesFirewallDriver
  don't enforce Remote address groups

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive antelope series:
  New
Status in Ubuntu Cloud Archive bobcat series:
  New
Status in Ubuntu Cloud Archive caracal series:
  Fix Released
Status in Ubuntu Cloud Archive yoga series:
  New
Status in Ubuntu Cloud Archive zed series:
  New
Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Incomplete
Status in neutron package in Ubuntu:
  New
Status in neutron source package in Focal:
  New
Status in neutron source package in Jammy:
  New
Status in neutron source package in Noble:
  Fix Released

Bug description:
  High level description -

  The Neutron API allows operators to configure remote address groups [1], however the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do not implement these remote group restrictions. When configuring security group rules with remote address groups, connections get enabled based on other rule parameters, ignoring the configured remote address group restrictions.
  This behaviour undocumented, and may lead to more-open-than-configured network access.

  Background -

  Remote address groups enable specifying rules that target many CIDRs
  efficiently. In line with the remote security group support, this
  should be implemented through the use of hashed ipsets in case of the
  IptablesFirewallDriver.

  Pre-conditions -
  * Using OVSHybridIptablesFirewallDriver or IptablesFirewallDriver
  * Configured remote Address Groups.

  Version -
  All OpenStack versions with remote address group support are impacted. We noticed it on 2024.1.

  [1] https://docs.openstack.org/python-
  openstackclient/latest/cli/command-objects/address-group.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2058138/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list