[NETVIRT-513] AAP with prefix 0.0.0.0/0 shouldn't be supported for remote security group rules
Created: 07/Mar/17 Updated: 03/Apr/17 Resolved: 03/Apr/17

| Status: | Resolved |
| Project: | netvirt |
| Component/s: | General |
| Affects Version/s: | Boron |
| Fix Version/s: | None |
| Type: | Bug |
| Reporter: | Somashekar Byrappa |
| Assignee: | Somashekar Byrappa |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Operating System: All |
| External issue ID: | 7912 |
| Description |

Supporting AAP with prefix 0.0.0.0/0 for remote security group rules would lead to a potential security breach: it results in allowing traffic from all IPs.

Below is a sample flow related to remote security group rules for the VM 10.10.10.3. It includes an nw_src match, so only traffic from that VM (10.10.10.3) is allowed:

cookie=0x6900000, duration=3111.415s, table=252, n_packets=0, n_bytes=0, priority=1001,ct_state=+new+trk,ip,metadata=0x30000000000/0xfffff0000000000,nw_src=10.10.10.3 actions=ct(commit,zone=5001),resubmit(,220)

Below is a sample flow related to remote security group rules for a VM having an AAP with prefix 0.0.0.0/0. It has no nw_src match, which results in allowing traffic from all IPs:

cookie=0x6900000, duration=3111.415s, table=252, n_packets=0, n_bytes=0, priority=1001,ct_state=+new+trk,ip,metadata=0x30000000000/0xfffff0000000000 actions=ct(commit,zone=5001),resubmit(,220)

This bug is raised so that AAP with 0.0.0.0/0 is not supported as part of remote security group rules/flows.
| Comments |
| Comment by Somashekar Byrappa [ 07/Mar/17 ] |

Support for AAP with 0.0.0.0/0 should be retained only for anti-spoofing flows, which are configured in table 40/251.
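The two flows in the description differ only in the presence of the nw_src match, and the first comment notes that the unbounded prefix is still legitimate for the anti-spoofing tables. The following Python is an added example (not netvirt code and not part of this bug report) that shows both halves of that reasoning: it derives the nw_src match a remote security group flow would carry for a given allowed-address-pair prefix, refusing to produce one for 0.0.0.0/0, and it scans ovs-ofctl dump-flows style output for table 252 remote-SG flows that lack any nw_src match. The sample dump embedded below is constructed from the two flows quoted above plus a hypothetical table 251 anti-spoofing flow; the table numbers and the ct_state/ip match shape are taken from the report, everything else is an assumption for illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the flows quoted in the bug description.
# Line 1: remote-SG flow with an nw_src match (VM 10.10.10.3).
# Line 2: remote-SG flow with no nw_src match (AAP 0.0.0.0/0 case).
# Line 3: hypothetical anti-spoofing flow in table 251, where the page says
#         an unbounded prefix is still acceptable; the checker must ignore it.
SAMPLE_DUMP = """\
cookie=0x6900000, duration=3111.415s, table=252, n_packets=0, n_bytes=0, priority=1001,ct_state=+new+trk,ip,metadata=0x30000000000/0xfffff0000000000,nw_src=10.10.10.3 actions=ct(commit,zone=5001),resubmit(,220)
cookie=0x6900000, duration=3111.415s, table=252, n_packets=0, n_bytes=0, priority=1001,ct_state=+new+trk,ip,metadata=0x30000000000/0xfffff0000000000 actions=ct(commit,zone=5001),resubmit(,220)
cookie=0x6900000, duration=10.000s, table=251, n_packets=0, n_bytes=0, priority=1001,ip,metadata=0x30000000000/0xfffff0000000000 actions=resubmit(,252)
"""

REMOTE_SG_TABLE = "252"  # ingress remote-SG table shown in the report

_FLOW_RE = re.compile(r"^(?P<match>.*?)\s+actions=(?P<actions>.*)$")


def parse_flow(line):
    """Split one dump-flows line into a dict of match fields plus 'actions'.

    Bare tokens such as 'ip' become True; key=value tokens keep their value.
    """
    m = _FLOW_RE.match(line.strip())
    if not m:
        raise ValueError("not a flow line: %r" % line)
    fields = {}
    for tok in m.group("match").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True
    fields["actions"] = m.group("actions")
    return fields


def is_remote_sg_flow(flow):
    """Flow shape from the report: table 252, ct_state=+new+trk, ip."""
    return (flow.get("table") == REMOTE_SG_TABLE
            and flow.get("ct_state") == "+new+trk"
            and flow.get("ip") is True)


def find_unrestricted_remote_sg_flows(dump_text):
    """Return remote-SG flows that carry no nw_src match (accept any source)."""
    hits = []
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_remote_sg_flow(flow) and "nw_src" not in flow:
            hits.append(line.strip())
    return hits


def aap_remote_sg_match(prefix):
    """nw_src match text for an allowed-address-pair prefix, or None.

    0.0.0.0/0 (prefix length 0) yields None: the flow would have no source
    match at all, which is exactly the defect the report describes.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return None
    if net.prefixlen == net.max_prefixlen:
        return "nw_src=%s" % net.network_address
    return "nw_src=%s" % net.with_prefixlen


def remote_sg_matches(aap_prefixes):
    """Matches to program for a remote-SG member; unbounded prefixes are reported separately."""
    matches, rejected = [], []
    for prefix in aap_prefixes:
        match = aap_remote_sg_match(prefix)
        if match is None:
            rejected.append(prefix)
        else:
            matches.append(match)
    return matches, rejected


if __name__ == "__main__":
    for hit in find_unrestricted_remote_sg_flows(SAMPLE_DUMP):
        print("unrestricted remote-SG flow:", hit)
    print(remote_sg_matches(["10.10.10.3/32", "10.10.0.0/16", "0.0.0.0/0"]))
```

Running the scanner over a real dump (`ovs-ofctl -O OpenFlow13 dump-flows br-int`) only flags table 252 flows, so anti-spoofing entries in table 40/251 that legitimately carry the open prefix are left alone, matching the split the first comment asks for.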
| Comment by Vivekanandan Narasimhan [ 03/Apr/17 ] |

This issue is fixed in master via: