yahoo-eng-team team mailing list archive
Message #66210
[Bug 1706229] Re: security group: ipv6 protocol integer works in ipv4 ethertype
Reviewed: https://review.openstack.org/487130
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2ec36dc812710c284b75498e695a44585484c6a1
Submitter: Jenkins
Branch: master
commit 2ec36dc812710c284b75498e695a44585484c6a1
Author: Trevor McCasland <TM2086@xxxxxxx>
Date: Tue Jul 25 08:44:08 2017 -0500
Enforce ethertype with IPv6 integer protocols
By extending the black list to include the integer representation
for IPv6 we can successfully block api requests to create security
group rules for IPv6 protocols with ethertype IPv4.
Closes-Bug: #1706229
Change-Id: I5abeff178b3be18f1e93d00d9d546147b11c1a74
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1706229
Title:
security group: ipv6 protocol integer works in ipv4 ethertype
Status in neutron:
Fix Released
Bug description:
Creating a security group rule with ethertype IPv4 and an IPv6
protocol integer succeeds when it should fail.
1. create security group, 'mygroup'
2. create security group rule --protocol 43 --ethertype IPv4 mygroup
Expected output:
ubuntu@ubuntu:/opt/stack/tempest$ openstack security group rule create --protocol ipv6-route --ethertype IPv4 mygroup
Error while executing command: Bad Request (HTTP 400) (Request-ID: req-c51a4492-3f9f-4381-98c4-8331d4366cca)
Actual output:
ubuntu@ubuntu:/opt/stack/tempest$ openstack security group rule create --protocol 43 --ethertype IPv4 mygroup
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2017-07-25T00:34:46Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 230d5bd4-4be5-4814-a80a-b8aa74d8f5d2 |
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | 4cdd24e0cfb54cf49aef2da436884a7a |
| protocol | 43 |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 439a1eb6-37a6-45ff-adb6-87aa87e8b68c |
| updated_at | 2017-07-25T00:34:46Z |
+-------------------+--------------------------------------+
The problem is here neutron/db/securitygroups_db.py:
        if rule['protocol'] in [constants.PROTO_NAME_IPV6_ENCAP,
                                constants.PROTO_NAME_IPV6_FRAG,
                                constants.PROTO_NAME_IPV6_ICMP,
                                constants.PROTO_NAME_IPV6_ICMP_LEGACY,
                                constants.PROTO_NAME_IPV6_NONXT,
                                constants.PROTO_NAME_IPV6_OPTS,
                                constants.PROTO_NAME_IPV6_ROUTE]:
            if rule['ethertype'] == constants.IPv4:
                raise ext_sg.SecurityGroupEthertypeConflictWithProtocol(
                    ethertype=rule['ethertype'], protocol=rule['protocol'])
It should check for numbers and names from neutron_lib constants.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1706229/+subscriptions
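The check the bug report quotes compares the protocol string only against IPv6 protocol names, so the same protocol written as its IANA number is never matched. The following is an added example, not neutron's own code or the committed fix: it places the name-only check next to a version that normalises names and integers to one protocol number before comparing. The name-to-number table and the exception class are constructed for the example (the names follow the PROTO_NAME_IPV6_* constants listed in the report; the numbers are the IANA assignments); neutron itself takes these from neutron_lib.

```python
"""Added example (not neutron's code): ethertype/protocol consistency check
for security group rules that treats an integer protocol the same as its
name, which is what bug 1706229 asks for."""

# IPv6-only protocols, name -> IANA protocol number. Names follow the
# neutron_lib PROTO_NAME_IPV6_* constants quoted in the bug report; the
# table itself is constructed for this example.
IPV6_ONLY_PROTOCOLS = {
    "ipv6-encap": 41,   # PROTO_NAME_IPV6_ENCAP
    "ipv6-route": 43,   # PROTO_NAME_IPV6_ROUTE
    "ipv6-frag": 44,    # PROTO_NAME_IPV6_FRAG
    "ipv6-icmp": 58,    # PROTO_NAME_IPV6_ICMP
    "icmpv6": 58,       # PROTO_NAME_IPV6_ICMP_LEGACY
    "ipv6-nonxt": 59,   # PROTO_NAME_IPV6_NONXT
    "ipv6-opts": 60,    # PROTO_NAME_IPV6_OPTS
}
IPV6_ONLY_NUMBERS = frozenset(IPV6_ONLY_PROTOCOLS.values())

# Protocols valid under either ethertype (constructed subset of IANA names).
OTHER_PROTOCOLS = {
    "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "dccp": 33, "gre": 47,
    "esp": 50, "ah": 51, "ospf": 89, "vrrp": 112, "sctp": 132,
    "udplite": 136,
}
PROTOCOL_NAMES = {**OTHER_PROTOCOLS, **IPV6_ONLY_PROTOCOLS}


class SecurityGroupEthertypeConflictWithProtocol(ValueError):
    """Stand-in for neutron's ext_sg exception of the same name."""

    def __init__(self, ethertype, protocol):
        super().__init__(
            "Invalid ethertype %s for protocol %s." % (ethertype, protocol))
        self.ethertype = ethertype
        self.protocol = protocol


def check_by_name_only(rule):
    """The check quoted in the bug report: the protocol string is compared
    against IPv6 protocol *names* only, so '43' passes with ethertype IPv4."""
    if rule["protocol"] in IPV6_ONLY_PROTOCOLS:
        if rule["ethertype"] == "IPv4":
            raise SecurityGroupEthertypeConflictWithProtocol(
                ethertype=rule["ethertype"], protocol=rule["protocol"])
    return rule


def protocol_number(protocol):
    """Normalise a protocol given as a name, an int or a decimal string to
    its IANA number. None means 'any protocol' and is returned unchanged.
    Unknown names and out-of-range numbers raise ValueError, as an API
    validator should, rather than silently passing."""
    if protocol is None:
        return None
    if isinstance(protocol, int):
        number = protocol
    else:
        text = str(protocol).strip().lower()
        if text in PROTOCOL_NAMES:
            return PROTOCOL_NAMES[text]
        if not text.isdigit():
            raise ValueError("unknown protocol %r" % (protocol,))
        number = int(text)
    if not 0 <= number <= 255:
        raise ValueError("protocol number %r out of range" % (protocol,))
    return number


def check_by_number(rule):
    """Fixed check: normalise first, then compare numbers, so 'ipv6-route',
    'IPv6-Route', 43 and '43' are all rejected under ethertype IPv4."""
    number = protocol_number(rule.get("protocol"))
    if number in IPV6_ONLY_NUMBERS and rule["ethertype"] == "IPv4":
        raise SecurityGroupEthertypeConflictWithProtocol(
            ethertype=rule["ethertype"], protocol=rule["protocol"])
    return rule


def rule_accepted(check, protocol, ethertype="IPv4"):
    """True if `check` lets the rule through, False if it rejects it."""
    try:
        check({"protocol": protocol, "ethertype": ethertype})
    except SecurityGroupEthertypeConflictWithProtocol:
        return False
    return True


if __name__ == "__main__":
    # Reproduces the report: name-only rejects 'ipv6-route' but accepts '43'.
    for proto in ("ipv6-route", "43", 43, "tcp", None):
        print("%-12r name-only accepts: %-5s by-number accepts: %s" % (
            proto, rule_accepted(check_by_name_only, proto),
            rule_accepted(check_by_number, proto)))
```

Normalising before comparing also covers case differences and leading or trailing whitespace, and it keeps the blacklist in one place: adding a protocol to the table covers both spellings at once, whereas extending the original list with string literals like '43' would still miss the integer form 43 and any later alias.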