yahoo-eng-team team mailing list archive
Message #61335
[Bug 1534113] Re: default sg could add same rule as original egress ipv4 rule
Reviewed: https://review.openstack.org/331416
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=785656744a6883b22972da0d867b36b699d6b15c
Submitter: Jenkins
Branch: master
commit 785656744a6883b22972da0d867b36b699d6b15c
Author: yujie <yujie@xxxxxxxxxxxxxxxxxxxx>
Date: Thu Jul 7 12:49:34 2016 +0800
Fix duplicated sg rules check for remote_ip_prefix
A security group rule setting remote_ip_prefix 0.0.0.0/0 for IPv4 or
::/0 for IPv6 plays the same role as an sg rule without remote_ip_prefix
set. We could treat them as duplicates.
Change-Id: Ic9213e77d3b03aded7fc34d486066c8af4a3b2a1
Closes-Bug: #1534113
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1534113
Title:
default sg could add same rule as original egress ipv4 rule
Status in neutron:
Fix Released
Bug description:
In the default security group, we could add a rule that is the same as
the original egress IPv4 rule.
Reproduction steps:
# neutron security-group-rule-create --direction egress --remote-ip-prefix 0.0.0.0/0 default
It returns:
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | egress |
| ethertype | IPv4 |
| id | d8f968e2-270b-4d6e-a2d0-a408726b7edc |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | 9a2c0d86-4a36-46d4-a4da-43a239003eef |
| tenant_id | 52953da91c0e47528d5317867391aaec |
+-------------------+--------------------------------------+
Actually we expect that "Security group rule already exists. Rule id
is xxxxx".
UPDATE (same as #4):
Comment #3 makes a mistake. The description above seems to be related to --remote-ip-prefix.
1. Create sg-rule rule1 without setting --remote-ip-prefix.
# neutron security-group-rule-create --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2
2. Create sg-rule rule2 the same as rule1 except with --remote-ip-prefix 0.0.0.0/0.
# neutron security-group-rule-create --remote-ip-prefix 0.0.0.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2
Both rules are created successfully.
In the dashboard, the two rules look the same.
Using neutronclient to show them:
rule1:
+--------------------------------+------------------------------+
| Field | Value |
+--------------------------------+------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | 58999af2-266a-422f-9b41-c38b69bb72ef |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | |
| security_group_id | 0aced031-542f-40f0-87d7-d20dfc6b0ea2 |
| tenant_id | 60f2bf725b0046ef9e2c470b528a25f6 |
+--------------------------------+------------------------------+
rule2:
+--------------------------------+----------------------------+
| Field | Value |
+--------------------------------+----------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | dbaed060-2c94-44df-b0b9-6852c6d3ed0e |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | 0aced031-542f-40f0-87d7-d20dfc6b0ea2 |
| tenant_id | 60f2bf725b0046ef9e2c470b528a25f6 |
+--------------------------------+----------------------------+
When creating an instance using this sg, in iptables the two sg rules
are converted to only one rule in neutron-openvswi-ixxxxx.
So when checking for duplicate rules we should take more effort to treat
rule1 and rule2 as the same.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1534113/+subscriptions
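The duplicate check the commit message and the bug report describe, as an added example that is not Neutron's own code: rules are reduced to a canonical key in which an unset remote_ip_prefix and the all-zero prefix of the rule's ethertype (0.0.0.0/0 or ::/0) compare equal, so rule1 and rule2 from the report are detected as the same rule. The two rule dicts are constructed from the neutronclient tables above; the field names follow that output.

```python
import ipaddress

# Constructed from the two neutronclient tables in the bug report.
RULE1 = {"id": "58999af2-266a-422f-9b41-c38b69bb72ef", "direction": "ingress",
         "ethertype": "IPv4", "protocol": None, "port_range_min": None,
         "port_range_max": None, "remote_group_id": None,
         "remote_ip_prefix": None}
RULE2 = dict(RULE1, id="dbaed060-2c94-44df-b0b9-6852c6d3ed0e",
             remote_ip_prefix="0.0.0.0/0")


def normalize_remote_ip_prefix(ethertype, prefix):
    """Canonicalise remote_ip_prefix for comparison.

    An unset prefix means "match any remote address", and so does the
    all-zero prefix for the rule's ethertype (0.0.0.0/0 for IPv4, ::/0 for
    IPv6). Both map to None so the duplicate check treats them alike.
    A prefix whose address family does not match ethertype is rejected,
    and host bits are cleared so 10.0.0.1/8 and 10.0.0.0/8 compare equal.
    """
    if not prefix:
        return None
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != (4 if ethertype == "IPv4" else 6):
        raise ValueError(f"{prefix} does not match ethertype {ethertype}")
    return None if net.prefixlen == 0 else str(net)


def canonical_key(rule):
    """Tuple of the fields that decide whether two rules are the same."""
    ethertype = rule.get("ethertype") or "IPv4"
    return (
        rule.get("direction"),
        ethertype,
        rule.get("protocol") or None,
        rule.get("port_range_min"),
        rule.get("port_range_max"),
        rule.get("remote_group_id") or None,
        normalize_remote_ip_prefix(ethertype, rule.get("remote_ip_prefix")),
    )


def find_duplicate(existing_rules, new_rule):
    """Return the id of an existing rule equivalent to new_rule, else None."""
    key = canonical_key(new_rule)
    for rule in existing_rules:
        if canonical_key(rule) == key:
            return rule["id"]
    return None


if __name__ == "__main__":
    dup = find_duplicate([RULE1], RULE2)
    print(f"Security group rule already exists. Rule id is {dup}")
```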