Comment 13 for bug 1867119

OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/744133
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=551130e9f4e8c89821d73881ad8e90a0208adb3e
Submitter: Zuul
Branch: stable/train

commit 551130e9f4e8c89821d73881ad8e90a0208adb3e
Author: LIU Yulong <email address hidden>
Date: Fri Mar 13 18:18:04 2020 +0800

    [Security] fix allowed-address-pair 0.0.0.0/0 issue

    When add allowed-address-pair 0.0.0.0/0 to one port, it will
    unexpectedly open all others' protocol under same security
    group. IPv6 has the same problem.

    The root cause is the openflow rules calculation of the
    security group, it will unexpectedly allow all IP(4&6)
    traffic to get through.

    For openvswitch openflow firewall, this patch adds a source
    mac address match for the allowed-address-pair which has
    prefix length 0, that means all ethernet packets from this
    mac will be accepted. It exactly will meet the request of
    accepting any IP address from the configured VM.

    Test result shows that the remote security group and
    allowed address pair works:
    1. Port has 0.0.0.0/0 allowed-address-pair could send any
       IP (src) packet out.
    2. Port has x.x.x.x/y allowed-address-pair could be accepted
       for those VMs under same security group.
    3. Ports under same network can reach each other (remote
       security group).
    4. Protocol port number could be accessed only when there
       has related rule.

    Closes-bug: #1867119
    Change-Id: I2e3aa7c400d7bb17cc117b65faaa160b41013dde
    (cherry picked from commit 00298fe6e84cd7610b39af50e9517885a182f47c)
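To make the root cause and the fix concrete, here is an added, constructed model of how a /0 allowed-address-pair widens a remote-security-group flow and how pinning that flow to the port's source MAC closes it. It is not neutron's openvswitch firewall code and not part of this comment; the MAC addresses, IPs and the two-field match are assumptions for illustration only.

```python
"""Simplified model of remote-security-group flow matching (constructed
example, not neutron code). A match admits a packet when every field
it carries agrees with the packet."""
import ipaddress


def build_matches(pairs, fixed):
    """One match per allowed-address-pair (mac, cidr) of a group member.

    Before the fix a /0 pair produced a match on nw_src=0.0.0.0/0 (or
    ::/0) alone, which every source address satisfies. With the fix a
    pair of prefix length 0 also carries dl_src, so it only means
    "any IP address from this VM's MAC"."""
    matches = []
    for mac, cidr in pairs:
        net = ipaddress.ip_network(cidr, strict=False)
        match = {"nw_src": net}
        if fixed and net.prefixlen == 0:
            match["dl_src"] = mac
        matches.append(match)
    return matches


def packet_allowed(pkt, matches):
    """Return True if any flow match admits the packet (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(pkt["ip_src"])
    for m in matches:
        if ip.version != m["nw_src"].version or ip not in m["nw_src"]:
            continue
        if "dl_src" in m and m["dl_src"] != pkt["eth_src"]:
            continue
        return True
    return False


# Constructed sample: VM1 carries a 0.0.0.0/0 allowed-address-pair,
# VM2 a normal /32 pair; STRANGER is a port outside the group.
PAIRS = [("fa:16:3e:00:00:01", "0.0.0.0/0"),
         ("fa:16:3e:00:00:02", "10.0.0.5/32")]
STRANGER = {"eth_src": "fa:16:3e:ff:ff:ff", "ip_src": "192.0.2.77"}
VM1_ANY = {"eth_src": "fa:16:3e:00:00:01", "ip_src": "203.0.113.9"}
VM2 = {"eth_src": "fa:16:3e:00:00:02", "ip_src": "10.0.0.5"}


def before_fix(pkt):
    return packet_allowed(pkt, build_matches(PAIRS, fixed=False))


def after_fix(pkt):
    return packet_allowed(pkt, build_matches(PAIRS, fixed=True))


if __name__ == "__main__":
    for name, pkt in (("stranger", STRANGER), ("vm1", VM1_ANY), ("vm2", VM2)):
        print(f"{name:9} before={before_fix(pkt)} after={after_fix(pkt)}")
```

Before the fix the stranger is admitted purely because 0.0.0.0/0 contains its address; after the fix only VM1's own MAC may send from any address, while VM2's /32 pair keeps working.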