Activity log for bug #1255338

Date Who What changed Old value New value Message
2013-11-26 22:50:38 Stephen Ma bug added bug
2013-11-26 22:56:14 Stephen Ma description

Old value:

Neutron is allowing security group rules having invalid CIDR values in the "remote_ip_prefix" parameter. Two examples illustrates the problem:

    $ neutron security-group-rule-create --direction ingress --ethertype ipv4 --protocol tcp --port-range-min 28060 --port-range-max 28069 --remote-ip-prefix badprefix e89783db-2c8c-43fd-927d-51ca66841a42
    Created a new security_group_rule:
    +-------------------+--------------------------------------+
    | Field             | Value                                |
    +-------------------+--------------------------------------+
    | direction         | ingress                              |
    | ethertype         | IPv4                                 |
    | id                | bdb49ccd-46d0-4090-902c-29412eed1d25 |
    | port_range_max    | 28069                                |
    | port_range_min    | 28060                                |
    | protocol          | tcp                                  |
    | remote_group_id   |                                      |
    | remote_ip_prefix  | badprefix                            |
    | security_group_id | e89783db-2c8c-43fd-927d-51ca66841a42 |
    | tenant_id         | e030326f884445a882dc5ac9991fcc76     |
    +-------------------+--------------------------------------+

    $ neutron security-group-rule-create --direction ingress --ethertype ipv4 --protocol tcp --port-range-min 28060 --port-range-max 28069 --remote-ip-prefix 10.11.12.0/33 e89783db-2c8c-43fd-927d-51ca66841a42
    Created a new security_group_rule:
    +-------------------+--------------------------------------+
    | Field             | Value                                |
    +-------------------+--------------------------------------+
    | direction         | ingress                              |
    | ethertype         | IPv4                                 |
    | id                | 72a7c232-410a-406a-9be0-d7ff9dc56b07 |
    | port_range_max    | 28069                                |
    | port_range_min    | 28060                                |
    | protocol          | tcp                                  |
    | remote_group_id   |                                      |
    | remote_ip_prefix  | 10.11.12.0/33                        |
    | security_group_id | e89783db-2c8c-43fd-927d-51ca66841a42 |
    | tenant_id         | e030326f884445a882dc5ac9991fcc76     |
    +-------------------+--------------------------------------+

If I were to use the "nova secgroup-rule-add" instead of the neutron commands, the nova api server returns errors to the python-novaclient for both cases.

New value:

Neutron is allowing security group rules having invalid CIDR values in the "remote_ip_prefix" parameter.

Two examples illustrate the problem:

    $ neutron security-group-rule-create --direction ingress --ethertype ipv4 --protocol tcp --port-range-min 28060 --port-range-max 28069 --remote-ip-prefix badprefix e89783db-2c8c-43fd-927d-51ca66841a42
    Created a new security_group_rule:
    +-------------------+--------------------------------------+
    | Field             | Value                                |
    +-------------------+--------------------------------------+
    | direction         | ingress                              |
    | ethertype         | IPv4                                 |
    | id                | bdb49ccd-46d0-4090-902c-29412eed1d25 |
    | port_range_max    | 28069                                |
    | port_range_min    | 28060                                |
    | protocol          | tcp                                  |
    | remote_group_id   |                                      |
    | remote_ip_prefix  | badprefix                            |
    | security_group_id | e89783db-2c8c-43fd-927d-51ca66841a42 |
    | tenant_id         | e030326f884445a882dc5ac9991fcc76     |
    +-------------------+--------------------------------------+

    $ neutron security-group-rule-create --direction ingress --ethertype ipv4 --protocol tcp --port-range-min 28060 --port-range-max 28069 --remote-ip-prefix 10.11.12.0/33 e89783db-2c8c-43fd-927d-51ca66841a42
    Created a new security_group_rule:
    +-------------------+--------------------------------------+
    | Field             | Value                                |
    +-------------------+--------------------------------------+
    | direction         | ingress                              |
    | ethertype         | IPv4                                 |
    | id                | 72a7c232-410a-406a-9be0-d7ff9dc56b07 |
    | port_range_max    | 28069                                |
    | port_range_min    | 28060                                |
    | protocol          | tcp                                  |
    | remote_group_id   |                                      |
    | remote_ip_prefix  | 10.11.12.0/33                        |
    | security_group_id | e89783db-2c8c-43fd-927d-51ca66841a42 |
    | tenant_id         | e030326f884445a882dc5ac9991fcc76     |
    +-------------------+--------------------------------------+

If I were to use the "nova secgroup-rule-add" command instead of the neutron commands, the nova api server returns errors to the python-novaclient for both cases.

2013-11-29 15:33:00 Marios Andreou neutron: status New Confirmed
2013-11-29 15:33:08 Marios Andreou neutron: assignee Marios Andreou (marios-b)
2013-11-29 16:33:22 OpenStack Infra neutron: status Confirmed In Progress
2013-12-08 05:46:05 Sumit Naiksatam neutron: importance Undecided Medium
2013-12-08 05:46:13 Sumit Naiksatam neutron: milestone icehouse-2
2013-12-08 05:46:33 Sumit Naiksatam tags sg-fw
2014-01-22 20:26:25 Thierry Carrez neutron: milestone icehouse-2 icehouse-3
2014-03-05 19:46:37 Thierry Carrez neutron: milestone icehouse-3 icehouse-rc1
2014-03-24 14:27:39 Mark McClain neutron: milestone icehouse-rc1
2014-04-17 11:17:49 Openstack Gerrit neutron: status In Progress Fix Committed
2014-04-21 20:37:25 Openstack Gerrit tags sg-fw in-stable-icehouse sg-fw
2014-04-30 02:36:56 Openstack Gerrit tags in-stable-icehouse sg-fw in-stable-havana in-stable-icehouse sg-fw
2014-05-02 19:15:31 Kyle Mestery neutron: milestone juno-1
2014-06-05 00:27:25 Alan Pevec nominated for series neutron/icehouse
2014-06-05 00:27:26 Alan Pevec bug task added neutron/icehouse
2014-06-12 14:43:34 Thierry Carrez neutron: status Fix Committed Fix Released
2014-09-22 21:33:53 Alan Pevec nominated for series neutron/havana
2014-09-22 21:33:54 Alan Pevec bug task added neutron/havana
2014-09-22 21:38:01 Alan Pevec neutron/havana: status New Fix Committed
2014-09-22 21:38:01 Alan Pevec neutron/havana: milestone 2013.2.4
2014-09-22 22:30:54 Alan Pevec neutron/havana: status Fix Committed Fix Released
2014-10-16 08:52:18 Thierry Carrez neutron: milestone juno-1 2014.2