  1. groupbasedpolicy
  2. GBP-69

BUG: Duplicate flows in policy enforcer.


Details

    • Bug
    • Status: Resolved
    • Resolution: Done
    • unspecified
    • None
    • General
    • None
    • Operating System: All
      Platform: All

    • 3460
    • Highest

    Description

      When creating a Nova "port" with basic IPv4 ingress/egress:

      https://gist.github.com/3230000010f5f89d0404

      I see flows filtered on subnet, i.e. leveraging EIC.

      https://gist.github.com/eaea3770ba4eb83cfb79

      This is incorrect.

      EIC should be used in Neutron mapping for security-group rules with prefixes, not subnets that are provisioned.

      There may be subnets: 10.0.0.0/24, 10.0.1.0/24 and 10.0.3.0/24

      Unless a user EXPLICITLY states a prefix rule in a security group, these should not be used.

      i.e.

      a user may specify a rule 10.0.0.0/8 and THAT should go into the EIC.

          People

            msunal@cisco.com Martin Sunal
            alagalah Keith Burns