OpenStack Compute (nova)

Authorizing ICMP w/o specifying types adds 1-65535/tcp and 1-65536/udp

Bug #946427 reported by Roman Yepishev on 2012-03-04

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	High	Russell Bryant	OpenStack Compute (nova) 2012.1 "essex"

Bug Description

STR:

1. euca-add-group test-ports -d "test wrong ports"
2. euca-describe-groups
GROUP roman.yepishev_project test-ports test wrong ports

3. euca-authorize -P icmp -o test-ports test-ports
4. euca-describe-groups

Expected response:
One added entry of
PERMISSION roman.yepishev_project test-ports ALLOWS icmp -1 -1 GRPNAME test-ports

Actual response:
PERMISSION roman.yepishev_project test-ports ALLOWS icmp -1 -1 GRPNAME test-ports
PERMISSION roman.yepishev_project test-ports ALLOWS tcp 1 65535 GRPNAME test-ports
PERMISSION roman.yepishev_project test-ports ALLOWS udp 1 65536 GRPNAME test-ports

Please note that with udp range 1-65536 the virtual machines are unable to start, since this is invalid port range.

If -t -1:-1 is used instead, no additional permissions are granted.

Roman Yepishev (rye) on 2012-03-04

affects:

glance → nova

Vish Ishaya (vishvananda) on 2012-03-04

Changed in nova:
status:	New → Confirmed
importance:	Undecided → High
milestone:	none → essex-rc1

Russell Bryant (russellb) on 2012-03-06

Changed in nova:
assignee:	nobody → Russell Bryant (russellb)

OpenStack Infra (hudson-openstack) on 2012-03-07

Changed in nova:
status:	Confirmed → In Progress

OpenStack Infra (hudson-openstack) on 2012-03-10

Changed in nova:
assignee:	Russell Bryant (russellb) → Vish Ishaya (vishvananda)

Vish Ishaya (vishvananda) on 2012-03-10

Changed in nova:
assignee:	Vish Ishaya (vishvananda) → Russell Bryant (russellb)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-03-10: Fix merged to nova (master)

Reviewed: https://review.openstack.org/5041
Committed: http://github.com/openstack/nova/commit/ee0bb74cbcf521071965ccd63f8232e8c434229d
Submitter: Jenkins
Branch: master

commit ee0bb74cbcf521071965ccd63f8232e8c434229d
Author: Russell Bryant <email address hidden>
Date: Wed Mar 7 15:03:35 2012 -0500

Fix issues with security group auths without ports.

Fix bug 946427.

    There was a bug where a security group would get completely opened in
    cases where only icmp, udp, or tcp should be opened. For example, any
    of the following three commands would result in opening everything:

        euca-authorize -P icmp -o test-ports test-ports
        euca-authorize -P tcp -o test-ports test-ports
        euca-authorize -P udp -o test-ports test-ports

    This patch resolves this and these commands now only open the protocol
    that was specified. Unit tests have been added to verify the fix and
    also verify that this only works when a source group is specified.
    While the bug was originally reported against the EC2 API, the same
    updates and similar unit tests have gone in to the equivalent code for
    the OpenStack API.

Change-Id: I4c87c5f5f4ccee60c6c16da4e659d73ab3f4a34f

Changed in nova:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2012-03-20

Changed in nova:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2012-04-05

Changed in nova:
milestone:	essex-rc1 → 2012.1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.