Authorizing ICMP w/o specifying types adds 1-65535/tcp and 1-65536/udp
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | High | Russell Bryant | |
Bug Description
STR:
1. euca-add-group test-ports -d "test wrong ports"
2. euca-describe-
GROUP roman.yepishev_
3. euca-authorize -P icmp -o test-ports test-ports
4. euca-describe-
Expected response:
One added entry of
PERMISSION roman.yepishev_
Actual response:
PERMISSION roman.yepishev_
PERMISSION roman.yepishev_
PERMISSION roman.yepishev_
Please note that with udp range 1-65536 the virtual machines are unable to start, since this is an invalid port range.
If -t -1:-1 is used instead, no additional permissions are granted.
affects: | glance → nova |
Changed in nova: | |
status: | New → Confirmed |
importance: | Undecided → High |
milestone: | none → essex-rc1 |
Changed in nova: | |
assignee: | nobody → Russell Bryant (russellb) |
Changed in nova: | |
status: | Confirmed → In Progress |
Changed in nova: | |
assignee: | Russell Bryant (russellb) → Vish Ishaya (vishvananda) |
Changed in nova: | |
assignee: | Vish Ishaya (vishvananda) → Russell Bryant (russellb) |
Changed in nova: | |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | essex-rc1 → 2012.1 |
Reviewed: https://review.openstack.org/5041
Committed: http://github.com/openstack/nova/commit/ee0bb74cbcf521071965ccd63f8232e8c434229d
Submitter: Jenkins
Branch: master
commit ee0bb74cbcf521071965ccd63f8232e8c434229d
Author: Russell Bryant <email address hidden>
Date: Wed Mar 7 15:03:35 2012 -0500
Fix issues with security group auths without ports.
Fix bug 946427.
There was a bug where a security group would get completely opened in
cases where only icmp, udp, or tcp should be opened. For example, any
of the following three commands would result in opening everything:
This patch resolves this and these commands now only open the protocol
that was specified. Unit tests have been added to verify the fix and
also verify that this only works when a source group is specified.
While the bug was originally reported against the EC2 API, the same
updates and similar unit tests have gone in to the equivalent code for
the OpenStack API.
Change-Id: I4c87c5f5f4ccee60c6c16da4e659d73ab3f4a34f
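
The behaviour the commit message describes, as an added example that is not nova's code: a request naming one protocol and a source group but no ports yields exactly one rule for that protocol, and an audit helper flags the rule set reported in this bug. The names `Rule`, `expand_grant`, `audit` and `REPORTED`, and the ICMP upper bound of 255, are assumptions made for illustration.

```python
# Added illustration, not nova's code; all names here are hypothetical.
from typing import List, NamedTuple, Optional

class Rule(NamedTuple):
    protocol: str
    from_port: int
    to_port: int
    source_group: Optional[str]

# Widest valid range per protocol; for ICMP, -1:-1 means all types and codes.
FULL_RANGE = {"icmp": (-1, -1), "tcp": (1, 65535), "udp": (1, 65535)}
# Constructed sample: the three ranges named in the bug title.
REPORTED = [Rule("icmp", -1, -1, "test-ports"),
            Rule("tcp", 1, 65535, "test-ports"), Rule("udp", 1, 65536, "test-ports")]

def range_ok(protocol: str, lo: int, hi: int) -> bool:
    if protocol == "icmp":
        return -1 <= lo <= 255 and -1 <= hi <= 255
    return protocol in FULL_RANGE and 1 <= lo <= hi <= 65535

def expand_grant(protocol: str, source_group: Optional[str] = None,
                 from_port: Optional[int] = None,
                 to_port: Optional[int] = None) -> List[Rule]:
    """Return the rules for one authorize request naming a single protocol."""
    protocol = protocol.lower()
    if protocol not in FULL_RANGE:
        raise ValueError(f"unknown protocol {protocol!r}")
    if from_port is None and to_port is None:
        # Omitting the range is accepted only with a source group, and it
        # widens the range of the named protocol only, never other protocols.
        if not source_group:
            raise ValueError("port range required without a source group")
        from_port, to_port = FULL_RANGE[protocol]
    elif from_port is None or to_port is None:
        raise ValueError("both ends of the range are required")
    if not range_ok(protocol, from_port, to_port):
        raise ValueError(f"invalid {protocol} range {from_port}:{to_port}")
    return [Rule(protocol, from_port, to_port, source_group)]

def audit(requested_protocol: str, rules: List[Rule]) -> List[str]:
    """Flag rules that exceed the request or carry an invalid range."""
    findings = []
    for r in rules:
        if r.protocol != requested_protocol.lower():
            findings.append(f"unrequested protocol: {r.protocol}")
        if not range_ok(r.protocol, r.from_port, r.to_port):
            findings.append(f"invalid range: {r.protocol} {r.from_port}:{r.to_port}")
    return findings
```

Running `audit("icmp", REPORTED)` over the constructed sample reports the unrequested tcp and udp rules and the out-of-range udp upper bound, which is the kind of assertion a regression test for this bug would make.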