yahoo-eng-team team mailing list archive

[Bug 2074056] Re: Invalid documented security group rule protocol "any"

** Also affects: neutron
   Importance: Undecided
       Status: New

** No longer affects: ansible-collections-openstack

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2074056

Title:
  Invalid documented security group rule protocol "any"

Status in neutron:
  New

Bug description:
  The Networking API specification v2.0 for security group rule
  creation[1] states that:

  > The string any (or integer 0) means all IP protocols.

  However, attempting to create a security group rule with protocol
  "any" results in a 400 Bad Request:

  ```
  curl -g -i -X POST \
          'https://neutron.example:13696/v2.0/security-group-rules' \
          -H "Content-Type: application/json" \
          -H "X-Auth-Token: valid-token" \
          -d '{"security_group_rule": {"ethertype": "IPv4", "security_group_id": "f2746bac-1c1f-42b6-8791-fc1b1448fa0e", "remote_ip_prefix": "0.0.0.0/0", "direction": "ingress", "protocol": "any"}}'

  HTTP/1.1 400 Bad Request
  content-type: application/json
  content-length: 450
  x-openstack-request-id: req-a2d167b4-5d7f-4bf3-9c60-7823b2122efc
  date: Thu, 25 Jul 2024 08:11:49 GMT

  {"NeutronError": {"type": "SecurityGroupRuleInvalidProtocol", "message": "Security group rule protocol any not supported. Only protocol values [None, 'ah', 'dccp', 'egp', 'esp', 'gre', 'hopopt', 'icmp', 'igmp', 'ip', 'ipip', 'ipv6-encap', 'ipv6-frag', 'ipv6-icmp', 'icmpv6', 'ipv6-nonxt', 'ipv6-opts', 'ipv6-route', 'ospf', 'pgm', 'rsvp', 'sctp', 'tcp', 'udp', 'udplite', 'vrrp'] and integer representations [0 to 255] are supported.", "detail": ""}}
  ```

  Tested on RHOSP 17.1, which is based on Wallaby according to its
  docs[2].

  Additionally, while testing alternatives, I was surprised that
  `"protocol":0` and `"protocol":null` seemed to create different rules,
  as I was able to create them both on a single group without conflict.
  Do they also behave differently?

  So my question is: what is the correct way of creating a security
  group rule that applies regardless of the protocol?

  
  [1]: https://docs.openstack.org/api-ref/network/v2/#create-security-group-rule
  [2]: https://docs.redhat.com/en/documentation/red_hat_openstack_platform/17.1/html/release_notes/chap-introduction#about-this-release_relnotes-intro
