neutron/releasenotes/notes/iptables-support-remote-address-groups-89da589aad3c01d3.yaml
Robert Breker 5e1188ef38 Enhance IptablesFirewallDriver with remote address groups
This change enhances the IptablesFirewallDriver with support for remote
address groups. Previously, this feature was only available in the
OVSFirewallDriver. This commit harmonizes the capabilities across both
firewall drivers, and by inheritance also to OVSHybridIptablesFirewallDriver.

Background -
The Neutron API allows operators to configure remote address groups [1],
however the OVSHybridIptablesFirewallDriver and IptablesFirewallDriver do
not implement these remote group restrictions. When configuring security
group rules with remote address groups, connections get enabled
based on other rule parameters, ignoring the configured remote address
group restrictions.
This behaviour undocumented, and may lead to more-open-than-configured network
access.

Closes-Bug: #2058138
Change-Id: I76b3cb46ee603fa5e829537af41316bb42a6f30f
2024-03-20 22:20:45 +00:00

8 lines
330 B
YAML

---
features:
- |
Remote address group support was added to the iptables-based firewall
drivers (IptablesFirewallDriver and OVSHybridIptablesFirewallDriver),
Previously it was only available in the OVSFirewallDriver.
For more information, see bug
`2058138 <https://bugs.launchpad.net/neutron/+bug/2058138>`_.