yahoo-eng-team team mailing list archive
Message #94738
[Bug 2074056] Re: Invalid documented security group rule protocol "any"
Reviewed: https://review.opendev.org/c/openstack/neutron/+/926498
Committed: https://opendev.org/openstack/neutron/commit/81375f0b2be1727e2223393562b309f23ae4fa49
Submitter: "Zuul (22348)"
Branch: master
commit 81375f0b2be1727e2223393562b309f23ae4fa49
Author: Brian Haley <haleyb.dev@xxxxxxxxx>
Date: Sat Aug 17 19:37:36 2024 -0400
Add special treatment for 'any' in SG rule API

The openstack client changes the protocol to None in
the case that 'any' is given as an argument when creating
a security group rule. But using 'any' in a POST call
will return an error saying it is invalid.

Add special treatment for 'any' as a protocol value in
the API by treating it the same as None, but do not
use the 'any' string when creating the DB entry, it is
only treated as an alias.

Closes-bug: #2074056
Change-Id: Ic88ae2c249eb2cd1af1ebbf6707c707f51a52638
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2074056
Title:
Invalid documented security group rule protocol "any"
Status in neutron:
Fix Released
Bug description:
The Networking API specification v2.0 for security group rule
creation[1] states that:
> The string any (or integer 0) means all IP protocols.
However, attempting to create a security group rule with protocol
"any" results in a 400 Bad Request:
```
curl -g -i -X POST \
'https://neutron.example:13696/v2.0/security-group-rules' \
-H "Content-Type: application/json" \
-H "X-Auth-Token: valid-token" \
-d '{"security_group_rule": {"ethertype": "IPv4", "security_group_id": "f2746bac-1c1f-42b6-8791-fc1b1448fa0e", "remote_ip_prefix": "0.0.0.0/0", "direction": "ingress", "protocol": "any"}}'
HTTP/1.1 400 Bad Request
content-type: application/json
content-length: 450
x-openstack-request-id: req-a2d167b4-5d7f-4bf3-9c60-7823b2122efc
date: Thu, 25 Jul 2024 08:11:49 GMT
{"NeutronError": {"type": "SecurityGroupRuleInvalidProtocol", "message": "Security group rule protocol any not supported. Only protocol values [None, 'ah', 'dccp', 'egp', 'esp', 'gre', 'hopopt', 'icmp', 'igmp', 'ip', 'ipip', 'ipv6-encap', 'ipv6-frag', 'ipv6-icmp', 'icmpv6', 'ipv6-nonxt', 'ipv6-opts', 'ipv6-route', 'ospf', 'pgm', 'rsvp', 'sctp', 'tcp', 'udp', 'udplite', 'vrrp'] and integer representations [0 to 255] are supported.", "detail": ""}}
```
Tested on RHOSP 17.1, which is based on Wallaby according to its
docs[2].
There appear to be multiple ways to create security group rules that apply regardless of the protocol:
- protocol value set to number zero or string zero: `"protocol": 0` `"protocol": "0"`
- protocol value set to null or unset: `"protocol": null`
- protocol value set to the empty string: `"protocol": ""`
I have grouped them by how they conflict. In other words: you can have
a security group containing three of these rules (zero, null, empty)
that won't conflict with each other at creation.
My questions:
- These three "protocol" values are stored differently. Do they behave exactly the same?
- Is there a preferred way to create a rule that applies to any protocol?
- Is the documentation effectively wrong about the value "any", or am I missing something?
Thank you.
[1]: https://docs.openstack.org/api-ref/network/v2/#create-security-group-rule
[2]: https://docs.redhat.com/en/documentation/red_hat_openstack_platform/17.1/html/release_notes/chap-introduction#about-this-release_relnotes-intro
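An added example, not part of the bug report or the Neutron change: because the report notes that the zero, null and empty-string rules can coexist in one security group, an audit of a rule listing has to fold those spellings together before it looks for all-protocol rules or duplicates. It assumes, as the report and the API reference suggest, that `0`, `"0"`, `null`, `""` and `any` all select every IP protocol; the function names, rule ids and sample rules are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: each of these spellings means "all IP protocols".
WILDCARD_SPELLINGS = {None, "", 0, "0", "any"}

def canonical_protocol(value):
    """Fold the wildcard spellings to None; lower-case other strings."""
    if isinstance(value, str):
        value = value.strip().lower()
    return None if value in WILDCARD_SPELLINGS else value

def rule_key(rule):
    """Identity of a rule once the protocol spelling is normalised."""
    return (rule["security_group_id"], rule["direction"], rule["ethertype"],
            rule.get("remote_ip_prefix"), rule.get("port_range_min"),
            rule.get("port_range_max"), canonical_protocol(rule.get("protocol")))

def is_open_wildcard(rule):
    """Ingress rule, any protocol, remote prefix covering the whole address space."""
    prefix = rule.get("remote_ip_prefix")
    return (rule["direction"] == "ingress"
            and canonical_protocol(rule.get("protocol")) is None
            and prefix is not None
            and ipaddress.ip_network(prefix, strict=False).prefixlen == 0)

def audit(rules):
    """Return (ids of open all-protocol ingress rules, groups of equivalent rule ids)."""
    groups = defaultdict(list)
    for rule in rules:
        groups[rule_key(rule)].append(rule["id"])
    duplicates = [ids for ids in groups.values() if len(ids) > 1]
    return [r["id"] for r in rules if is_open_wildcard(r)], duplicates

# Constructed sample: the three coexisting rules from the report plus one TCP rule.
SG = "f2746bac-1c1f-42b6-8791-fc1b1448fa0e"
BASE = {"security_group_id": SG, "direction": "ingress", "ethertype": "IPv4",
        "remote_ip_prefix": "0.0.0.0/0", "port_range_min": None, "port_range_max": None}
SAMPLE_RULES = [
    {**BASE, "id": "r-zero", "protocol": "0"},
    {**BASE, "id": "r-null", "protocol": None},
    {**BASE, "id": "r-empty", "protocol": ""},
    {**BASE, "id": "r-tcp", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
]

if __name__ == "__main__":
    open_rules, duplicates = audit(SAMPLE_RULES)
    print("open all-protocol ingress rules:", open_rules)
    print("equivalent rules stored separately:", duplicates)
```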