Comment 10 for bug 1867119

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/744134
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=18a171808ba8c5e4806feda43f571fb8cfc0b9a1
Submitter: Zuul
Branch: stable/stein

commit 18a171808ba8c5e4806feda43f571fb8cfc0b9a1
Author: LIU Yulong <email address hidden>
Date: Fri Mar 13 18:18:04 2020 +0800

    [Security] fix allowed-address-pair 0.0.0.0/0 issue

    When adding allowed-address-pair 0.0.0.0/0 to one port, it will
    unexpectedly open all others' protocols under the same security
    group. IPv6 has the same problem.

    The root cause is the openflow rules calculation of the
    security group, it will unexpectedly allow all IP(4&6)
    traffic to get through.

    For openvswitch openflow firewall, this patch adds a source
    mac address match for the allowed-address-pair which has
    prefix length 0, that means all ethernet packets from this
    mac will be accepted. It exactly will meet the request of
    accepting any IP address from the configured VM.

    Test result shows that the remote security group and
    allowed address pair works:
    1. Port has 0.0.0.0/0 allowed-address-pair could send any
       IP (src) packet out.
    2. Port has x.x.x.x/y allowed-address-pair could be accepted
       for those VMs under same security group.
    3. Ports under same network can reach each other (remote
       security group).
    4. Protocol port number could be accessed only when there
       has related rule.

    Closes-bug: #1867119
    Change-Id: I2e3aa7c400d7bb17cc117b65faaa160b41013dde
    (cherry picked from commit 00298fe6e84cd7610b39af50e9517885a182f47c)
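The following is an added illustration, not neutron's code, of the address-match dimension described in the commit message above: a /0 allowed-address-pair that is translated into a bare source-IP match constrains nothing, so any remote host counts as a member of the security group, while the patched translation pins the flow to the port's MAC instead. The `AddressPair`, `build_match` and `admitted` names, the flow-field dictionary and the MAC/IP values are constructed for this example; the protocol/port dimension of the conjunction is not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AddressPair:
    """One allowed-address-pair entry (constructed model): the port's MAC plus a CIDR."""
    mac: str
    cidr: str


def build_match(pair: AddressPair, fixed: bool) -> dict:
    """Translate an allowed-address-pair into OpenFlow-style match fields.

    fixed=False models the pre-patch calculation, where a /0 prefix yields no
    source-address constraint at all (nw_src=0.0.0.0/0 matches every packet).
    fixed=True models the patch: a /0 prefix becomes a dl_src match on the
    port's MAC, so only frames from that VM are accepted.
    """
    net = ipaddress.ip_network(pair.cidr, strict=False)
    if net.prefixlen == 0:
        return {"dl_src": pair.mac.lower()} if fixed else {"eth_type": _eth_type(net)}
    field = "nw_src" if net.version == 4 else "ipv6_src"
    return {"eth_type": _eth_type(net), field: str(net)}


def _eth_type(net) -> int:
    return 0x0800 if net.version == 4 else 0x86DD


def packet_matches(match: dict, pkt: dict) -> bool:
    """Evaluate a match dict against a packet {eth_type, dl_src, src_ip} (constructed)."""
    if "eth_type" in match and pkt["eth_type"] != match["eth_type"]:
        return False
    if "dl_src" in match and pkt["dl_src"].lower() != match["dl_src"]:
        return False
    for field in ("nw_src", "ipv6_src"):
        if field in match and ipaddress.ip_address(pkt["src_ip"]) not in ipaddress.ip_network(match[field]):
            return False
    return True


def admitted(pairs, pkt: dict, fixed: bool) -> bool:
    """True if any member address flow of the remote security group admits the packet."""
    return any(packet_matches(build_match(p, fixed), pkt) for p in pairs)
```

Running `admitted` with a single 0.0.0.0/0 pair shows the difference: a frame from an unrelated MAC is admitted before the fix and rejected after it, while frames from the configured VM's MAC pass with any source IP, matching test result 1 in the commit message.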