yahoo-eng-team team mailing list archive

Thread
Date
[Bug 2077596] [NEW] [rfe][fwaas] Add normalized_cidr column to firewall rules

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Liu Xie <2077596@xxxxxxxxxxxxxxxxxx>
Date: Thu, 22 Aug 2024 06:24:12 -0000
Reply-to: Bug 2077596 <2077596@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Public bug reported:

If we use an invalid CIDR as the source_ip_address, such as
2:3dc2:c893:514a:966b:7969:42b0:00900/108, it can still be successfully
submitted after creating a firewall rule. The main reason is that
netaddr formats this address.

The command is like:

openstack  firewall group rule create --ip-version 6 --source-ip-address
2:3dc2:c893:514a:966b:7969:42b0:00900/108

netaddr would format the CIDR address, and debugging shows:

>>> import netaddr
>>> ii=netaddr.IPNetwork('2:3dc2:c893:514a:966b:7969:42b0:00900/108')
>>> ii
IPNetwork('2:3dc2:c893:514a:966b:7969:42b0:900/108')
>>> ii.version
6

I found a similar issue for security groups, which has a good solution
to fix it[1] . Therefore, I think a fix is also needed for firewall
group rules.

[1]https://bugs.launchpad.net/neutron/+bug/1869129

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: fwaas

** Description changed:

  If we use an invalid CIDR as the source_ip_address, such as
  2:3dc2:c893:514a:966b:7969:42b0:00900/108, it can still be successfully
  submitted after creating a firewall rule. The main reason is that
  netaddr formats this address.
  
  The command is like:
  
  openstack  firewall group rule create --ip-version 6 --source-ip-address
  2:3dc2:c893:514a:966b:7969:42b0:00900/108
  
  netaddr would format the CIDR address, and debugging shows:
  
  >>> import netaddr
  >>> ii=netaddr.IPNetwork('2:3dc2:c893:514a:966b:7969:42b0:00900/108')
  >>> ii
  IPNetwork('2:3dc2:c893:514a:966b:7969:42b0:900/108')
  >>> ii.version
  6
  
  I found a similar issue for security groups, which has a good solution
- to fix it . Therefore, I think a fix is also needed for firewall group
- rules.
+ to fix it[1] . Therefore, I think a fix is also needed for firewall
+ group rules.
  
  [1]https://bugs.launchpad.net/neutron/+bug/1869129

** Tags added: fwaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2077596

Title:
  [rfe][fwaas] Add normalized_cidr column to firewall rules

Status in neutron:
  New

Bug description:
  If we use an invalid CIDR as the source_ip_address, such as
  2:3dc2:c893:514a:966b:7969:42b0:00900/108, it can still be
  successfully submitted after creating a firewall rule. The main reason
  is that netaddr formats this address.

  The command is like:

  openstack  firewall group rule create --ip-version 6 --source-ip-
  address 2:3dc2:c893:514a:966b:7969:42b0:00900/108

  netaddr would format the CIDR address, and debugging shows:

  >>> import netaddr
  >>> ii=netaddr.IPNetwork('2:3dc2:c893:514a:966b:7969:42b0:00900/108')
  >>> ii
  IPNetwork('2:3dc2:c893:514a:966b:7969:42b0:900/108')
  >>> ii.version
  6

  I found a similar issue for security groups, which has a good solution
  to fix it[1] . Therefore, I think a fix is also needed for firewall
  group rules.

  [1]https://bugs.launchpad.net/neutron/+bug/1869129

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2077596/+subscriptions