
yahoo-eng-team team mailing list archive

[Bug 1327959] Re: fwaas:firewall rule doesn't throw error when setting dest. ip address as network and took it as /32

 

Such source/destination IP addresses may be valid in the case when the
network prefix is less than 24 bits. I'd suggest marking this bug as invalid.

** Changed in: neutron
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1327959

Title:
  fwaas:firewall rule doesn't throw error when setting dest. ip address
  as network and took it as /32

Status in OpenStack Neutron (virtual network service):
  Invalid

Bug description:
  When creating a firewall rule, if the destination/source IP address is given as 10.10.10.0, it doesn't throw an error and takes it as 10.10.10.0/32.

  Steps to Reproduce:

  Create a firewall rule with destination IP address 10.10.10.0

  Actual Results: 
  root@IGA-OSC:~# fwru re --source-ip-address 10.10.1.0 --destination-ip-address 10.10.2.0
  Updated firewall_rule: re
  root@IGA-OSC:~# fwrs re
  +------------------------+--------------------------------------+
  | Field                  | Value                                |
  +------------------------+--------------------------------------+
  | action                 | deny                                 |
  | description            |                                      |
  | destination_ip_address | 10.10.2.0                            |
  | destination_port       |                                      |
  | enabled                | True                                 |
  | firewall_policy_id     | 924d41cd-fad1-4ed4-9114-6dd704382bd3 |
  | id                     | ed8769fc-e4b7-4306-b8ca-95350c80ca22 |
  | ip_version             | 4                                    |
  | name                   | re                                   |
  | position               | 1                                    |
  | protocol               | icmp                                 |
  | shared                 | False                                |
  | source_ip_address      | 10.10.1.0                            |
  | source_port            |                                      |
  | tenant_id              | d9481c57a11c46eea62886938b5378a7     |
  +------------------------+--------------------------------------+
   
  In the router's iptables-save output:

  -A neutron-vpn-agen-iv47a808890 -s 10.10.1.0/32 -d 10.10.2.0/32 -p icmp -j DROP ------> it got the /32 as subnet for the network, which is invalid
  -A neutron-vpn-agen-iv47a808890 -d 10.10.10.25/32 -p icmp -j DROP
  -A neutron-vpn-agen-iv47a808890 -d 10.10.10.24/32 -p icmp -j DROP
  -A neutron-vpn-agen-iv47a808890 -s 192.52.1.3/32 -d 192.52.1.45/32 -p tcp -m tcp --dport 22:23 -j DROP
  -A neutron-vpn-agen-iv47a808890 -j ACCEPT
  -A neutron-vpn-agen-ov47a808890 -m state --state INVALID -j DROP
  -A neutron-vpn-agen-ov47a808890 -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A neutron-vpn-agen-ov47a808890 -s 10.10.1.0/32 -d 10.10.2.0/32 -p icmp -j DROP
  -A neutron-vpn-agen-ov47a808890 -d 10.10.10.25/32 -p icmp -j DROP
  -A neutron-vpn-agen-ov47a808890 -d 10.10.10.24/32 -p icmp -j DROP
  -A neutron-vpn-agen-ov47a808890 -s 192.52.1.3/32 -d 192.52.1.45/32 -p tcp -m tcp --dport 22:23 -j DROP
  -A neutron-vpn-agen-ov47a808890 -j ACCEPT
   
   
  Expected Results
  It should throw an error specifying that the given IP address is a network

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1327959/+subscriptions
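
The disagreement in this thread comes down to which subnet an address is read against: 10.10.2.0 is the network address of 10.10.2.0/24 but an ordinary host inside 10.10.0.0/22. The following is an added example, not code from Neutron or from anyone in the thread, that audits iptables-save style rules for /32 matches that are really a network or broadcast address of a known subnet; the subnet lists, the function names and the sample rules are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the iptables-save format quoted in the bug report.
SAMPLE_RULES = """\
-A neutron-vpn-agen-iv47a808890 -s 10.10.1.0/32 -d 10.10.2.0/32 -p icmp -j DROP
-A neutron-vpn-agen-iv47a808890 -d 10.10.10.25/32 -p icmp -j DROP
-A neutron-vpn-agen-iv47a808890 -j ACCEPT
"""

# Match only the standalone -s / -d options, not --state or --dport.
ADDR_RE = re.compile(r"(?<!\S)-[sd] (?P<cidr>\S+)")


def classify(addr, subnet):
    """Role of a bare address inside one known subnet (hypothetical helper)."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(subnet)
    if ip not in net:
        return "outside"
    if net.prefixlen >= net.max_prefixlen - 1:
        return "host"  # /31 and /32 have no reserved addresses
    if ip == net.network_address:
        return "network"
    if net.version == 4 and ip == net.broadcast_address:
        return "broadcast"
    return "host"


def audit(rules_text, subnets):
    """Return (address, subnet, role) for single-address matches that are
    a network or broadcast address of one of the given subnets."""
    findings = []
    for line in rules_text.splitlines():
        for m in ADDR_RE.finditer(line):
            iface = ipaddress.ip_interface(m.group("cidr"))
            if iface.network.prefixlen != iface.network.max_prefixlen:
                continue  # the rule already names a range
            for subnet in subnets:
                role = classify(str(iface.ip), subnet)
                if role in ("network", "broadcast"):
                    findings.append((str(iface.ip), subnet, role))
    return findings


if __name__ == "__main__":
    # Assumed tenant subnets; the report does not state the real ones.
    print(audit(SAMPLE_RULES, ["10.10.1.0/24", "10.10.2.0/24"]))
    print(audit(SAMPLE_RULES, ["10.10.0.0/22"]))
```

Run against /24 subnets, the first rule is flagged twice; run against a /22, nothing is flagged, which is why the API cannot reject the address without knowing the prefix.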

