yahoo-eng-team team mailing list archive
Message #21227
[Bug 985184] Re: Security groups fail to be set correctly if incorrect case is used for protocol specification
** No longer affects: nova/diablo
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/985184
Title:
Security groups fail to be set correctly if incorrect case is used for
protocol specification
Status in OpenStack Compute (Nova):
Fix Released
Status in OpenStack Compute (nova) essex series:
Fix Released
Status in “nova” package in Ubuntu:
Fix Released
Status in “nova” source package in Precise:
Fix Released
Bug description:
The high level issue is that if a security group rule is specified
with the protocol in uppercase (e.g. TCP instead of tcp) on a system
using the IpTablesFirewallDriver then the security group rules may
fail to be properly applied, leading to security groups that are more
open than specified.
The detail of the issue is as follows (Described from the OSAPI
perspective, but the problem also exists on EC2)
When a security group rule is specified with the protocol in upper case it is validated (contrib/security_groups.py: _rule_args_to_dict()) regardless of case, but stored in the database in the supplied case:
    if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']:
        raise exception.InvalidIpProtocol(protocol=ip_protocol)
…
    values['protocol'] = ip_protocol
When the security group refresh is triggered (virt/firewall.py – instance_rules()) the protocol check is case sensitive:
    if protocol in ['udp', 'tcp']:
        args += self._build_tcp_udp_rule(rule, version)
    elif protocol == 'icmp':
        args += self._build_icmp_rule(rule, version)
    if rule.cidr:
        LOG.info('Using cidr %r', rule.cidr)
        args += ['-s', rule.cidr]
    fw_rules += [' '.join(args)]
Because the protocol doesn’t match ‘udp’ or ‘tcp’ the protocol part of
the rule is skipped, leading to an incomplete and invalid iptables
command line.
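The following is an added example, not nova's own code: a minimal model of the two stages the report describes (validation and storage of a rule, then construction of the iptables arguments at refresh time), with the buggy storage path beside a normalised one and an audit helper that finds stored rules the refresh path would silently skip. Function names, the rule dictionary layout, the argument layout and the sample rules are assumptions made for illustration.

```python
# Added example (not nova's code): models the case-handling mismatch in the
# bug report. validate_rule_buggy() keeps the supplied case like the reported
# _rule_args_to_dict(); validate_rule_fixed() normalises at the API boundary.
# build_iptables_args() mirrors the case-sensitive dispatch in instance_rules().

VALID_PROTOCOLS = ('tcp', 'udp', 'icmp')


def validate_rule_buggy(ip_protocol, from_port, to_port, cidr):
    """Validated case-insensitively, stored in whatever case the caller sent."""
    if ip_protocol.upper() not in ('TCP', 'UDP', 'ICMP'):
        raise ValueError('invalid protocol %r' % ip_protocol)
    return {'protocol': ip_protocol, 'from_port': from_port,
            'to_port': to_port, 'cidr': cidr}


def validate_rule_fixed(ip_protocol, from_port, to_port, cidr):
    """Normalise once at the trust boundary so every later consumer sees the
    canonical lowercase name."""
    protocol = ip_protocol.lower()
    if protocol not in VALID_PROTOCOLS:
        raise ValueError('invalid protocol %r' % ip_protocol)
    return {'protocol': protocol, 'from_port': from_port,
            'to_port': to_port, 'cidr': cidr}


def build_iptables_args(rule, strict=False):
    """Hypothetical refresh-time builder with the same case-sensitive dispatch.

    strict=False reproduces the reported failure: an unmatched protocol is
    silently skipped and the rule comes out without a '-p' clause.
    strict=True fails closed instead of emitting a broader rule.
    """
    protocol = rule['protocol']
    args = ['-j', 'ACCEPT']
    if protocol in ('udp', 'tcp'):
        args += ['-p', protocol,
                 '--dport', '%s:%s' % (rule['from_port'], rule['to_port'])]
    elif protocol == 'icmp':
        args += ['-p', 'icmp']
        if rule['from_port'] != -1:
            args += ['--icmp-type', str(rule['from_port'])]
    elif strict:
        raise ValueError('protocol %r not handled; refusing to emit a rule '
                         'without a protocol match' % protocol)
    if rule['cidr']:
        args += ['-s', rule['cidr']]
    return args


def find_miscased_rules(rules):
    """Audit helper: stored rules whose protocol is not canonical lowercase,
    i.e. rules the refresh path above would drop the protocol clause for."""
    return [r for r in rules if r['protocol'] not in VALID_PROTOCOLS]


if __name__ == '__main__':
    # Constructed sample input: the same SSH rule requested in upper case.
    buggy = validate_rule_buggy('TCP', 22, 22, '10.0.0.0/24')
    fixed = validate_rule_fixed('TCP', 22, 22, '10.0.0.0/24')
    print(' '.join(build_iptables_args(buggy)))   # no '-p tcp --dport 22:22'
    print(' '.join(build_iptables_args(fixed)))
    print(find_miscased_rules([buggy, fixed]))
```

Normalising in the validator is the fix that removes the mismatch; the strict mode in the builder and the audit helper are the defensive checks worth keeping alongside it, since a rule that loses its protocol clause but keeps its source CIDR matches far more traffic than the operator asked for.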