[Yahoo-eng-team] [Bug 1745642] [NEW] SG hybrid iptables driver and FWaaS OVS driver create overlapping conntrack zones

2018-01-26 Thread chandan dutta chowdhury
Public bug reported:

SG with hybrid-iptables driver uses per port conntrack zones. FWaaS port
security uses per network conntrack zones based on local vlans assigned
by ovs l2 agent. In case both SG iptables-hybrid driver and FWaaS port
security are enabled, there is a possibility of iptables-hybrid and OVS
based FWaaS driver allocating overlapping zones and creating security
holes.

** Affects: neutron
 Importance: Undecided
 Assignee: chandan dutta chowdhury (chandanc)
 Status: New

** Project changed: cinder => neutron

** Changed in: neutron
 Assignee: (unassigned) => chandan dutta chowdhury (chandanc)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1745642

Title:
  SG hybrid iptables driver and FWaaS OVS driver create overlapping
  conntrack zones

Status in neutron:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1745642/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp


[Yahoo-eng-team] [Bug 1607227] [NEW] Enhancement to iptables driver for FWaaS v2

2016-07-28 Thread chandan dutta chowdhury
Public bug reported:

The Iptables manager and firewall driver in Neutron must be enhanced for
co-existence of SecurityGroup and FWaaS v2 APIs. This patch re-factors
the IPTables driver for enabling FWaaS and SG chain to be interleaved
preserving ordering of rules.

** Affects: neutron
 Importance: Undecided
 Assignee: chandan dutta chowdhury (chandanc)
 Status: New

** Changed in: neutron
 Assignee: (unassigned) => chandan dutta chowdhury (chandanc)

https://bugs.launchpad.net/bugs/1607227

Title:
  Enhancement to iptables driver for FWaaS v2

Status in neutron:
  New




[Yahoo-eng-team] [Bug 1595515] [NEW] IpConntrackManager class in ip_conntrack.py should be a singleton to be used by both SG and FWaaS

2016-06-23 Thread chandan dutta chowdhury
Public bug reported:

The FWaaS V2 APIs are going to configure security rules at a port level.
It will need to use connection tracking and zone configuration methods
defined in the ip_conntrack.py and iptables_firewall.py in neutron
project.

Some methods in the IptablesFirewallDriver in iptables_firewall need to
be moved to IpConntrackManager class in ip_conntrack.py. As
IpConntrackManager will be used by both SG and FWaaS V2 APIs and both of
them can be used at the same time, the IpConntrackManager should be a
singleton responsible for allocating and reclaiming zones assigned to
ports.

** Affects: neutron
 Importance: Undecided
 Assignee: chandan dutta chowdhury (chandanc)
 Status: New

** Changed in: neutron
 Assignee: (unassigned) => chandan dutta chowdhury (chandanc)

** Description changed:

  The FWaaS V2 APIs is going to configure security rules at a port level.
- It will need to use connection and zone configuration methods defined in
- the ip_conntrack.py and iptables_firewall.py in neutron project.
+ It will need to use connection tracking and zone configuration methods
+ defined in the ip_conntrack.py and iptables_firewall.py in neutron
+ project.
  
  Some methods in the IptablesFirewallDriver in iptables_firewall needs to
  be moved to IpConntrackManager class in ip_conntrack.py. As
  IpConntrackManager will be used by both SG and FWaaS V2 APIs and both of
  them can be used at the same time, the IpConntrackManager should be a
  singleton responsible for allocating and reclaiming zones assigned to
  ports.
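Review bot: the second paragraph, carried as unchanged context, still says only that "Some methods in the IptablesFirewallDriver" are to be moved without naming them; listing those methods would let a reader judge what IpConntrackManager ends up owning. The description also does not say whether SG and FWaaS V2 share one agent process when "both of them can be used at the same time", which decides whether a singleton can actually arbitrate zone allocation between them.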

https://bugs.launchpad.net/bugs/1595515

Title:
  IpConntrackManager class in ip_conntrack.py should be a singleton to
  be used by both SG and FWaaS

Status in neutron:
  New


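The overlap reported in bug 1745642 and the single shared allocator proposed in bug 1595515, as an added example that is not neutron's code or part of the original reports. `ZoneRegistry`, its `allocate`/`release` methods, the `"sg"`/`"fwaas"` labels and the independent numbering model are hypothetical and constructed for illustration.

```python
import threading

MAX_ZONE = 65535  # conntrack zone ids are 16-bit; zone 0 is the default zone


class ZoneRegistry:
    """Hypothetical process-wide allocator (not neutron's IpConntrackManager)."""
    _instance = None

    def __new__(cls):
        if cls._instance is None:
            inst = super().__new__(cls)
            inst._lock = threading.Lock()
            inst._by_owner = {}   # (driver, key) -> zone id
            inst._in_use = set()
            cls._instance = inst
        return cls._instance

    def allocate(self, driver, key, preferred=None):
        with self._lock:
            owner = (driver, key)
            if owner in self._by_owner:      # idempotent per owner
                return self._by_owner[owner]
            zone = preferred
            if zone is None or zone in self._in_use or not 1 <= zone <= MAX_ZONE:
                zone = next((z for z in range(1, MAX_ZONE + 1)
                             if z not in self._in_use), None)
            if zone is None:
                raise RuntimeError("conntrack zones exhausted")
            self._by_owner[owner] = zone
            self._in_use.add(zone)
            return zone

    def release(self, driver, key):
        with self._lock:  # reclaim when the port or network goes away
            zone = self._by_owner.pop((driver, key), None)
            self._in_use.discard(zone)
            return zone


def independent_overlap(port_ids, local_vlans):
    # Constructed model of the bug: a per-port counter on one side,
    # zone = local VLAN id on the other, neither aware of the other.
    return set(range(1, len(port_ids) + 1)) & set(local_vlans.values())


def shared_overlap(port_ids, local_vlans):
    # Same inputs, but both drivers ask the one registry for their zones.
    reg = ZoneRegistry()
    sg = {reg.allocate("sg", p) for p in port_ids}
    fw = {reg.allocate("fwaas", n, v) for n, v in local_vlans.items()}
    return sg & fw
```

A non-empty result from `independent_overlap` means a port and a network share a conntrack zone, so connection state tracked for one can match traffic of the other.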