Hello, I'd like to turn attention to the broken port rule masking problem [1], which affects 2 projects so far: neutron (mitaka+ with ovs firewall driver configuration) and networking-ovs-dpdk [2].
To keep it short: the existing port masking implementation is broken and in several cases it will either leave a range of ports open (causing unrestricted access) or make some ports inaccessible (when they should be open) because of bad tp_src value being generated. 2 solutions have been proposed so far: * The "low-level one" with O(log n) complexity by IWAMOTO Toshihiro and me [2] * The "high-level one" with O(n^2) complexity by Jakub Libosvar [3] As long as the bug looks like a security vulnerability and is kind of critical for ovs firewall feature, maybe we should choose one algorithm to go on with and have this fixed in Newton? [1] https://bugs.launchpad.net/neutron/+bug/1611991 [2] https://review.openstack.org/#/c/353782/30 [3] https://review.openstack.org/#/c/353782/16 Best regards, Inessa Vasilevskaya
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
