security-group-rule-create returns 500 on bad input

Bug #1213293 reported by Armando Migliaccio
This bug affects 1 person
Affects | Status       | Importance | Assigned to        | Milestone
neutron | Fix Released | Medium     | Armando Migliaccio |

Bug Description

When trying to create a security group rule like so:

neutron security-group-rule-create test --protocol 43 --port-range-min 43

You get:

Request Failed: internal server error while processing your request.

Server stack-trace reports:

2013-08-16 18:11:56.896 18344 ERROR NVPApiHelper [-] Received error code: 400
2013-08-16 18:11:56.896 18344 ERROR NVPApiHelper [-] Server Error Message: Port values valid for TCP/UDP/ICMP/ICMPv6 only
2013-08-16 18:11:56.898 18344 ERROR neutron.api.v2.resource [-] create failed
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource Traceback (most recent call last):
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/resource.py", line 84, in resource
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource result = method(request=request, **args)
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/base.py", line 405, in create
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource obj = obj_creator(request.context, **kwargs)
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/plugins/nicira/NeutronPlugin.py", line 2099, in create_security_group_rule
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource return self.create_security_group_rule_bulk(context, bulk_rule)[0]
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/plugins/nicira/NeutronPlugin.py", line 2130, in create_security_group_rule_bulk
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource combined_rules)
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/plugins/nicira/nvplib.py", line 1023, in update_security_group_rules
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource rsp = do_request(HTTP_PUT, path, body, cluster=cluster)
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/plugins/nicira/nvplib.py", line 949, in do_request
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource res = cluster.api_client.request(*args)
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/plugins/nicira/NvpApiClient.py", line 150, in request
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource self.error_codes[status](self)
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/plugins/nicira/NvpApiClient.py", line 190, in zero
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource raise NvpApiException()
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource NvpApiException: An unknown exception occurred.
2013-08-16 18:11:56.898 18344 TRACE neutron.api.v2.resource

And in a nutshell:

Port values valid for TCP/UDP/ICMP/ICMPv6 only

We should raise BadRequest instead.

Tags: nicira
Changed in neutron:
assignee: nobody → Armando Migliaccio (armando-migliaccio)
Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/43211
Committed: http://github.com/openstack/neutron/commit/a8c064ed322bf92a867a42b99a5b94cfef137a3d
Submitter: Jenkins
Branch: master

commit a8c064ed322bf92a867a42b99a5b94cfef137a3d
Author: armando-migliaccio <email address hidden>
Date: Tue Aug 20 16:51:29 2013 -0700

    Fix 500 error on invalid security-group-rule creation for NVP

    Validate that, when creating rules specifying a protocol different
    from TCP, UDP, ICMP and ICMPv6, no port (range) is specified because
    NVP does not like it.

    The extra validation is specific to the NVP plugin because other
    plugins may choose a different failure mode. For example, the ovs
    plugin does not complain at all, but it just ignores the port range
    if the protocol is not a port-oriented one.

    Fixes bug #1213293

    Change-Id: I46e9032b5cf7f7d88b9d05c3bf020784b04217d9
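
The check the commit message describes, as an added example (not the merged neutron change): validate the rule before it reaches the backend, so bad input comes back as 400 instead of an opaque 500. All function and class names are hypothetical, the rule keys are modeled on the CLI options in the report, and `fake_backend` is a constructed stand-in for the controller.

```python
# Added illustration: all names here are hypothetical, not neutron's code.
PORT_PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1, "icmpv6": 58}  # IANA numbers


class BadRequest(Exception):
    status = 400  # client error: the caller can fix the request


class BackendError(Exception):
    status = 500  # opaque failure, as in the traceback above


def normalize_protocol(value):
    """Map a protocol name or numeric string to its IANA number (or None)."""
    if value is None:
        return None
    text = str(value).strip().lower()
    if text in PORT_PROTOCOLS:
        return PORT_PROTOCOLS[text]
    if not text.isdecimal() or int(text) > 255:
        raise BadRequest("invalid protocol %r" % (value,))
    return int(text)


def validate_rule(rule):
    """Reject port values unless the protocol is TCP, UDP, ICMP or ICMPv6."""
    proto = normalize_protocol(rule.get("protocol"))
    ports = (rule.get("port_range_min"), rule.get("port_range_max"))
    if any(p is not None for p in ports) and proto not in PORT_PROTOCOLS.values():
        raise BadRequest("Port values valid for TCP/UDP/ICMP/ICMPv6 only")


def fake_backend(rule):
    """Constructed stand-in for the controller: same rule, opaque failure."""
    try:
        validate_rule(rule)
    except BadRequest:
        raise BackendError("An unknown exception occurred.")
    return dict(rule, id="constructed-id")


def create_rule(rule, validate=True):
    """Return (HTTP status, body); validation runs before the backend call."""
    try:
        if validate:
            validate_rule(rule)
        return 201, fake_backend(rule)
    except (BadRequest, BackendError) as exc:
        return exc.status, str(exc)
```

Calling `create_rule` with `validate=False` reproduces the reported behaviour for the rule from the bug description; the default path returns the 400 with the backend's own message.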

Changed in neutron:
status: In Progress → Fix Committed
Changed in neutron:
importance: Undecided → Medium
milestone: none → havana-3
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: havana-3 → 2013.2