
yahoo-eng-team team mailing list archive

[Bug 1255338] Re: neutron allows security group rules with invalid cidrs

 

** Also affects: neutron/havana
   Importance: Undecided
       Status: New

** Changed in: neutron/havana
       Status: New => Fix Committed

** Changed in: neutron/havana
    Milestone: None => 2013.2.4

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1255338

Title:
  neutron allows security group rules with invalid cidrs

Status in OpenStack Neutron (virtual network service):
  Fix Released
Status in neutron havana series:
  Fix Committed
Status in neutron icehouse series:
  New

Bug description:
  Neutron is allowing security group rules having invalid CIDR values in
  the "remote_ip_prefix" parameter.

  Two examples illustrate the problem:
  $ neutron security-group-rule-create --direction ingress --ethertype ipv4 --protocol tcp --port-range-min 28060 --port-range-max 28069 --remote-ip-prefix badprefix e89783db-2c8c-43fd-927d-51ca66841a42
  Created a new security_group_rule:
  +-------------------+--------------------------------------+
  | Field             | Value                                |
  +-------------------+--------------------------------------+
  | direction         | ingress                              |
  | ethertype         | IPv4                                 |
  | id                | bdb49ccd-46d0-4090-902c-29412eed1d25 |
  | port_range_max    | 28069                                |
  | port_range_min    | 28060                                |
  | protocol          | tcp                                  |
  | remote_group_id   |                                      |
  | remote_ip_prefix  | badprefix                            |
  | security_group_id | e89783db-2c8c-43fd-927d-51ca66841a42 |
  | tenant_id         | e030326f884445a882dc5ac9991fcc76     |
  +-------------------+--------------------------------------+

  $ neutron security-group-rule-create --direction ingress --ethertype ipv4 --protocol tcp --port-range-min 28060 --port-range-max 28069 --remote-ip-prefix 10.11.12.0/33 e89783db-2c8c-43fd-927d-51ca66841a42
  Created a new security_group_rule:
  +-------------------+--------------------------------------+
  | Field             | Value                                |
  +-------------------+--------------------------------------+
  | direction         | ingress                              |
  | ethertype         | IPv4                                 |
  | id                | 72a7c232-410a-406a-9be0-d7ff9dc56b07 |
  | port_range_max    | 28069                                |
  | port_range_min    | 28060                                |
  | protocol          | tcp                                  |
  | remote_group_id   |                                      |
  | remote_ip_prefix  | 10.11.12.0/33                        |
  | security_group_id | e89783db-2c8c-43fd-927d-51ca66841a42 |
  | tenant_id         | e030326f884445a882dc5ac9991fcc76     |
  +-------------------+--------------------------------------+

  If I were to use the "nova secgroup-rule-add" command instead of the
  neutron commands, the nova api server returns errors to the
  python-novaclient for both cases.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1255338/+subscriptions
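
Added example, not part of the original bug report and not neutron's own fix: a check of the kind the report says is missing on "remote_ip_prefix", plus an audit pass for rules that were stored before such a check existed. It uses Python's standard ipaddress module; the function names validate_remote_ip_prefix and audit_rules and the dict layout of a rule are assumptions made for illustration.

```python
import ipaddress

_VERSIONS = {"ipv4": 4, "ipv6": 6}

def validate_remote_ip_prefix(prefix, ethertype="IPv4"):
    """Return the normalized CIDR, or raise ValueError if it must be rejected."""
    if prefix is None:
        return None  # no prefix set: the rule is not restricted by source address
    if not isinstance(prefix, str):
        # ipaddress also accepts ints and bytes; an API field should not
        raise ValueError("remote_ip_prefix must be a string")
    version = _VERSIONS.get(str(ethertype).lower())
    if version is None:
        raise ValueError("unknown ethertype %r" % (ethertype,))
    # strict=False tolerates host bits (10.11.12.5/24) and normalizes them away;
    # non-addresses and out-of-range prefix lengths still raise ValueError.
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != version:
        raise ValueError("%s is not an %s prefix" % (prefix, ethertype))
    return str(net)

def audit_rules(rules):
    """Return [(rule id, reason)] for stored rules whose prefix is invalid."""
    findings = []
    for rule in rules:
        try:
            validate_remote_ip_prefix(rule.get("remote_ip_prefix"),
                                      rule.get("ethertype", "IPv4"))
        except ValueError as exc:
            findings.append((rule["id"], str(exc)))
    return findings

# Constructed sample: the first two rows reuse the values shown in the report's
# command output; the third is a made-up valid rule (hypothetical id).
SAMPLE_RULES = [
    {"id": "bdb49ccd-46d0-4090-902c-29412eed1d25", "ethertype": "IPv4",
     "remote_ip_prefix": "badprefix"},
    {"id": "72a7c232-410a-406a-9be0-d7ff9dc56b07", "ethertype": "IPv4",
     "remote_ip_prefix": "10.11.12.0/33"},
    {"id": "example-valid-rule", "ethertype": "IPv4",
     "remote_ip_prefix": "10.11.12.5/24"},
]

if __name__ == "__main__":
    for rule_id, reason in audit_rules(SAMPLE_RULES):
        print(rule_id, "->", reason)
```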