yahoo-eng-team team mailing list archive
Message #66042
[Bug 1706229] [NEW] security group: ipv6 protocol integer works in ipv4 ethertype
Public bug reported:
Creating a security group rule with ethertype IPv4 and an IPv6 protocol
integer succeeds when it should fail.
1. create security group, 'mygroup'
2. create security group rule --protocol 43 --ethertype IPv4 mygroup
Expected output:
ubuntu@ubuntu:/opt/stack/tempest$ openstack security group rule create --protocol ipv6-route --ethertype IPv4 mygroup
Error while executing command: Bad Request (HTTP 400) (Request-ID: req-c51a4492-3f9f-4381-98c4-8331d4366cca)
Actual output:
ubuntu@ubuntu:/opt/stack/tempest$ openstack security group rule create --protocol 43 --ethertype IPv4 mygroup
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2017-07-25T00:34:46Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | 230d5bd4-4be5-4814-a80a-b8aa74d8f5d2 |
| name              | None                                 |
| port_range_max    | None                                 |
| port_range_min    | None                                 |
| project_id        | 4cdd24e0cfb54cf49aef2da436884a7a     |
| protocol          | 43                                   |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 0                                    |
| security_group_id | 439a1eb6-37a6-45ff-adb6-87aa87e8b68c |
| updated_at        | 2017-07-25T00:34:46Z                 |
+-------------------+--------------------------------------+
The problem is here neutron/db/securitygroups_db.py:
if rule['protocol'] in [constants.PROTO_NAME_IPV6_ENCAP,
                        constants.PROTO_NAME_IPV6_FRAG,
                        constants.PROTO_NAME_IPV6_ICMP,
                        constants.PROTO_NAME_IPV6_ICMP_LEGACY,
                        constants.PROTO_NAME_IPV6_NONXT,
                        constants.PROTO_NAME_IPV6_OPTS,
                        constants.PROTO_NAME_IPV6_ROUTE]:
    if rule['ethertype'] == constants.IPv4:
        raise ext_sg.SecurityGroupEthertypeConflictWithProtocol(
            ethertype=rule['ethertype'], protocol=rule['protocol'])
It should check for numbers and names from neutron_lib constants.
** Affects: neutron
Importance: Undecided
Assignee: Trevor McCasland (twm2016)
Status: New
** Changed in: neutron
Assignee: (unassigned) => Trevor McCasland (twm2016)
** Description changed:
Creating a security group rule with ethertype IPv4 and an IPv6 protocol
- integer, see .
+ integer succeeds when it should fail.
1. create security group, 'mygroup'
2. create security group rule --protocol 43 --ethertype IPv4 mygroup
Expected output:
ubuntu@ubuntu:/opt/stack/tempest$ openstack security group rule create --protocol ipv6-route --ethertype IPv4 mygroup
Error while executing command: Bad Request (HTTP 400) (Request-ID: req-c51a4492-3f9f-4381-98c4-8331d4366cca)
Actual output:
ubuntu@ubuntu:/opt/stack/tempest$ openstack security group rule create --protocol 43 --ethertype IPv4 mygroup
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2017-07-25T00:34:46Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 230d5bd4-4be5-4814-a80a-b8aa74d8f5d2 |
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | 4cdd24e0cfb54cf49aef2da436884a7a |
| protocol | 43 |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 439a1eb6-37a6-45ff-adb6-87aa87e8b68c |
| updated_at | 2017-07-25T00:34:46Z |
+-------------------+--------------------------------------+
-
The problem is here neutron/db/securitygroups_db.py:
if rule['protocol'] in [constants.PROTO_NAME_IPV6_ENCAP,
- constants.PROTO_NAME_IPV6_FRAG,
- constants.PROTO_NAME_IPV6_ICMP,
- constants.PROTO_NAME_IPV6_ICMP_LEGACY,
- constants.PROTO_NAME_IPV6_NONXT,
- constants.PROTO_NAME_IPV6_OPTS,
- constants.PROTO_NAME_IPV6_ROUTE]:
- if rule['ethertype'] == constants.IPv4:
- raise ext_sg.SecurityGroupEthertypeConflictWithProtocol(
- ethertype=rule['ethertype'], protocol=rule['protocol'])
-
+ constants.PROTO_NAME_IPV6_FRAG,
+ constants.PROTO_NAME_IPV6_ICMP,
+ constants.PROTO_NAME_IPV6_ICMP_LEGACY,
+ constants.PROTO_NAME_IPV6_NONXT,
+ constants.PROTO_NAME_IPV6_OPTS,
+ constants.PROTO_NAME_IPV6_ROUTE]:
+ if rule['ethertype'] == constants.IPv4:
+ raise ext_sg.SecurityGroupEthertypeConflictWithProtocol(
+ ethertype=rule['ethertype'], protocol=rule['protocol'])
It should check for numbers and names from neutron_lib constants.
https://bugs.launchpad.net/bugs/1706229
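Added example (not part of the bug report and not neutron code): a stand-alone sketch of the check the report asks for, normalising the protocol to its number before comparing, so that 43, "43" and "ipv6-route" are all rejected for an IPv4 rule. The name table, exception class and function names are assumptions made for this illustration; the numbers are the IANA-assigned protocol numbers.

```python
import re

# Local stand-in for the neutron_lib name/number constant pairs (assumption:
# this table is built here, not imported). Numbers are IANA-assigned.
IPV6_ONLY_PROTOCOLS = {
    "ipv6-encap": 41,
    "ipv6-route": 43,
    "ipv6-frag": 44,
    "ipv6-icmp": 58,
    "icmpv6": 58,  # legacy alias for ipv6-icmp
    "ipv6-nonxt": 59,
    "ipv6-opts": 60,
}
IPV6_ONLY_NUMBERS = frozenset(IPV6_ONLY_PROTOCOLS.values())


class EthertypeConflictWithProtocol(ValueError):
    """Hypothetical stand-in for SecurityGroupEthertypeConflictWithProtocol."""


def protocol_number(protocol):
    """Map a protocol given as int, numeric string or name to its number.

    Returns None for "any protocol" (None) and for names outside the table.
    """
    if protocol is None:
        return None
    text = str(protocol).strip().lower()
    if re.fullmatch(r"[0-9]+", text):
        return int(text)
    return IPV6_ONLY_PROTOCOLS.get(text)


def validate_ethertype_and_protocol(rule):
    """Raise if an IPv6-only protocol, by name or number, is paired with IPv4."""
    number = protocol_number(rule.get("protocol"))
    if rule.get("ethertype") == "IPv4" and number in IPV6_ONLY_NUMBERS:
        raise EthertypeConflictWithProtocol(
            "ethertype %s conflicts with protocol %s"
            % (rule["ethertype"], rule["protocol"]))
    return rule


def is_rejected(rule):
    """True when the rule fails the ethertype/protocol check."""
    try:
        validate_ethertype_and_protocol(rule)
    except EthertypeConflictWithProtocol:
        return True
    return False
```

Comparing on the number rather than on the submitted string means a new spelling of the same protocol cannot slip past the check.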