[Bug 1447435] [NEW] FWaaS - Missing port-range validation for firewall-rule
Public bug reported:
When we create/update a firewall-rule, port_range validation doesn't
exist.
[Problem]
When we create a firewall with a firewall-policy that includes the following firewall-rules, the firewall is created.
But the status is still "PENDING_CREATE" and an error is logged in l3-agent.log while the firewall-rules are inserted into iptables.
(Please see 'Error in l3-agent.log')
[req_body when creating firewall-rule]
** The POINT is that "min_port" and "max_port" of
"source_port" or "destination_port" are reversed **
{
"firewall_rule":
{
"name": "my_rule",
"action": "deny",
"protocol": "tcp",
"source_port": "20000:100"
}
}
[Error in l3-agent.log]
ERROR neutron.agent.linux.utils [req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None]
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-9e881ef8-aac9-481b-9591-382a284c9e00', 'iptables-restore', '-c']
Exit code: 2
Stdout: ''
Stderr: "iptables-restore v1.4.21: invalid portrange (min > max)\nError occurred at line: 35\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"
ERROR neutron.agent.linux.iptables_manager [req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None] IPTablesManager.apply failed to apply the following set of iptables rules:
1. # Generated by iptables-save v1.4.21 on Thu Apr 23 12:08:55 2015
...(abbr)...
35. [0:0] -A neutron-l3-agent-iv4edfbec43 -p tcp --sport 20000:100 -j DROP
36. [0:0] -A neutron-l3-agent-ov4edfbec43 -p tcp --sport 20000:100 -j DROP
...(abbr)...
68. :INPUT ACCEPT [0:0]
ERROR neutron.services.firewall.drivers.linux.iptables_fwaas [req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None] Failed to create firewall: edfbec43-870e-43cb-80ed-0c4bb162fe18
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Traceback (most recent call last):
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/services/firewall/drivers/linux/iptables_fwaas.py", line 56, in create_firewall
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas self._setup_firewall(agent_mode, apply_list, firewall)
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/services/firewall/drivers/linux/iptables_fwaas.py", line 164, in _setup_firewall
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas ipt_mgr.defer_apply_off()
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", line 373, in defer_apply_off
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas self._apply()
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", line 389, in _apply
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas return self._apply_synchronized()
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", line 444, in _apply_synchronized
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas '\n'.join(log_lines))
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/openstack/common/excutils.py", line 82, in __exit__
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas six.reraise(self.type_, self.value, self.tb)
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", line 423, in _apply_synchronized
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas root_helper=self.root_helper)
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 84, in execute
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas raise RuntimeError(m)
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas RuntimeError:
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-9e881ef8-aac9-481b-9591-382a284c9e00', 'iptables-restore', '-c']
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Exit code: 2
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Stdout: ''
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Stderr: "iptables-restore v1.4.21: invalid portrange (min > max)\nError occurred at line: 35\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas
ERROR neutron.services.firewall.agents.l3reference.firewall_l3_agent [req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None] Firewall Driver Error for create_firewall for fw: edfbec43-870e-43cb-80ed-0c4bb162fe18
ERROR neutron.agent.linux.utils [req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None]
** Affects: neutron
Importance: Undecided
Assignee: Yushiro FURUKAWA (y-furukawa-2)
Status: In Progress
** Description changed:
- When we create/update firewall-rule, the port_range validation doesn't exist.
- * A POINT is reversing "min_port" and "max_port" of "source_port" or "destination_port"
- ex. "source_port: 100:1" or "destination_port: 65535:1000"
+ When we create/update firewall-rule, the port_range validation doesn't
+ exist.
[Problem]
- When we create firewall with firewall-policy which is including following firewall-rules, the firewall has created.
- But the status is still "PENDING_CREATE" and error is logged in l3-agent.log while inserting firewall-rules into iptables.
- (Please see 'Error in l3-agent.log')
+ When we create firewall with firewall-policy which is including following firewall-rules, the firewall has created.
+ But the status is still "PENDING_CREATE" and error is logged in l3-agent.log while inserting firewall-rules into iptables.
+ (Please see 'Error in l3-agent.log')
[req_body when create firewall-rule]
- {
- "firewall_rule":
- {
- "name": "my_rule",
- "action": "deny",
- "protocol": "tcp",
- "source_port": "1000:10" ** The POINT is reversing "min_port" and "max_port" of "source_port" or "destination_port" **
- }
- }
+ ** The POINT is reversing "min_port" and "max_port" of
+ "source_port" or "destination_port" **
+ {
+ "firewall_rule":
+ {
+ "name": "my_rule",
+ "action": "deny",
+ "protocol": "tcp",
+ "source_port": "1000:10"
+ }
+ }
[Error in l3-agent.log]
ERROR neutron.agent.linux.utils [req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None]
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-9e881ef8-aac9-481b-9591-382a284c9e00', 'iptables-restore', '-c']
Exit code: 2
Stdout: ''
Stderr: "iptables-restore v1.4.21: invalid portrange (min > max)\nError occurred at line: 35\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"
ERROR neutron.agent.linux.iptables_manager [req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None] IPTablesManager.apply failed to apply the following set of iptables rules:
- 1. # Generated by iptables-save v1.4.21 on Thu Apr 23 12:08:55 2015
- ...(abbr)...
- 35. [0:0] -A neutron-l3-agent-iv4edfbec43 -p tcp --sport 20000:100 -j DROP
- 36. [0:0] -A neutron-l3-agent-ov4edfbec43 -p tcp --sport 20000:100 -j DROP
- ...(abbr)...
- 68. :INPUT ACCEPT [0:0]
+ 1. # Generated by iptables-save v1.4.21 on Thu Apr 23 12:08:55 2015
+ ...(abbr)...
+ 35. [0:0] -A neutron-l3-agent-iv4edfbec43 -p tcp --sport 20000:100 -j DROP
+ 36. [0:0] -A neutron-l3-agent-ov4edfbec43 -p tcp --sport 20000:100 -j DROP
+ ...(abbr)...
+ 68. :INPUT ACCEPT [0:0]
ERROR neutron.services.firewall.drivers.linux.iptables_fwaas [req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None] Failed to create firewall: edfbec43-870e-43cb-80ed-0c4bb162fe18
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Traceback (most recent call last):
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/services/firewall/drivers/linux/iptables_fwaas.py", line 56, in create_firewall
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas self._setup_firewall(agent_mode, apply_list, firewall)
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/services/firewall/drivers/linux/iptables_fwaas.py", line 164, in _setup_firewall
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas ipt_mgr.defer_apply_off()
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", line 373, in defer_apply_off
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas self._apply()
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", line 389, in _apply
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas return self._apply_synchronized()
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", line 444, in _apply_synchronized
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas '\n'.join(log_lines))
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/openstack/common/excutils.py", line 82, in __exit__
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas six.reraise(self.type_, self.value, self.tb)
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", line 423, in _apply_synchronized
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas root_helper=self.root_helper)
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 84, in execute
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas raise RuntimeError(m)
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas RuntimeError:
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-9e881ef8-aac9-481b-9591-382a284c9e00', 'iptables-restore', '-c']
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Exit code: 2
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Stdout: ''
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas Stderr: "iptables-restore v1.4.21: invalid portrange (min > max)\nError occurred at line: 35\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"
TRACE neutron.services.firewall.drivers.linux.iptables_fwaas
ERROR neutron.services.firewall.agents.l3reference.firewall_l3_agent [req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None] Firewall Driver Error for create_firewall for fw: edfbec43-870e-43cb-80ed-0c4bb162fe18
ERROR neutron.agent.linux.utils [req-ee3cda2d-0c25-47a1-913e-8bfbd8c052a1 None]
** Changed in: neutron
Assignee: (unassigned) => Yushiro FURUKAWA (y-furukawa-2)
** Changed in: neutron
Status: New => In Progress
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1447435
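As an added example that is not part of the bug report or of Neutron's code, here is the port_range check the report says is missing, written in Python to mirror where Neutron would validate the request body before any iptables rule is generated; the names validate_port_range, validate_firewall_rule, is_valid_port_range and InvalidPortRange are assumptions.

```python
"""Added example (not Neutron's code): the port_range check the bug report
says is missing for FWaaS firewall-rule source_port / destination_port.

A port value is either a single port ("22") or a range "min:max" (the
report's failing input is "20000:100").  The API accepted the reversed
range and iptables-restore later rejected '--sport 20000:100' with
"invalid portrange (min > max)", leaving the firewall in PENDING_CREATE.
Checking at the API layer fails the request fast instead.
"""
import re

# "port" or "min:max", digits only; range bounds are checked separately.
PORT_RANGE_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


class InvalidPortRange(ValueError):
    """Raised for a malformed, out-of-range or reversed port value."""


def validate_port_range(value):
    """Return (min_port, max_port) for a valid port string, or None if unset.

    Raises InvalidPortRange on bad syntax, a port outside 0-65535, or a
    range whose minimum exceeds its maximum (the case in the bug report).
    """
    if value is None:
        return None
    m = PORT_RANGE_RE.match(str(value).strip())
    if not m:
        raise InvalidPortRange("port must be 'port' or 'min:max': %r" % (value,))
    min_port = int(m.group(1))
    max_port = int(m.group(2)) if m.group(2) is not None else min_port
    for port in (min_port, max_port):
        if not 0 <= port <= 65535:
            raise InvalidPortRange("port %d outside 0-65535" % port)
    if min_port > max_port:
        # Exactly the condition iptables-restore reported, but too late.
        raise InvalidPortRange(
            "reversed range %d:%d (min > max)" % (min_port, max_port))
    return min_port, max_port


def is_valid_port_range(value):
    """Boolean form of validate_port_range for callers that only need yes/no."""
    try:
        validate_port_range(value)
        return True
    except InvalidPortRange:
        return False


def validate_firewall_rule(rule):
    """Validate both port fields of a firewall_rule request body dict.

    Returns the parsed ranges so '--sport'/'--dport' arguments are only
    ever built from values already known to be well formed.
    """
    return {key: validate_port_range(rule.get(key))
            for key in ("source_port", "destination_port")}
```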