Default security group wrong from Grizzly to IceHouse

Bug #1303663 reported by Federico Iezzi
This bug affects 1 person
Affects: neutron
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Hi Guys,

There is a bug that prevents a true default security group from being created.
The default rules can't permit all traffic in and out.

Below is how I fixed it.

            if s.get('name') == 'default':
                for ethertype in ext_sg.sg_supported_ethertypes:
                    # The wildcard prefix has to match the ethertype:
                    # 0.0.0.0/0 on an IPv6 rule matches nothing, use ::/0.
                    any_prefix = '0.0.0.0/0' if ethertype == 'IPv4' else '::/0'
                    # Allow all incoming connections
                    ingress_rule = SecurityGroupRule(
                        id=uuidutils.generate_uuid(),
                        tenant_id=tenant_id,
                        security_group=security_group_db,
                        direction='ingress',
                        ethertype=ethertype,
                        remote_ip_prefix=any_prefix)
                    context.session.add(ingress_rule)
                    # Allow all outgoing connections
                    egress_rule = SecurityGroupRule(
                        id=uuidutils.generate_uuid(),
                        tenant_id=tenant_id,
                        security_group=security_group_db,
                        direction='egress',
                        ethertype=ethertype,
                        remote_ip_prefix=any_prefix)
                    context.session.add(egress_rule)

https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L120

Revision history for this message
Salvatore Orlando (salvatore-orlando) wrote:

would you mind posting more detail on the issue you've found?
As far as I know, those rules should be added to the security group anyway - unless you're referring to an upgrade issue.

Changed in neutron:
status: New → Incomplete
Federico Iezzi (fiezzi) wrote:

Hi Salvatore,

Unfortunately, on all my staging, pre-production and production environments I've already fixed it, but if you take a look at the code you will see a lot of issues.

1) The 'for' is outside the 'if'; if called more than once it creates more than 4 rules (2 egress and 2 ingress).
2) The API call without 'remote_ip_prefix' creates rules that don't work.
3) In the 'ingress_rule' call there are two 'security_group' definitions.

            for ethertype in ext_sg.sg_supported_ethertypes:
                if s.get('name') == 'default':
                    # Allow intercommunication
                    ingress_rule = SecurityGroupRule(
                        id=uuidutils.generate_uuid(), tenant_id=tenant_id,
                        security_group=security_group_db,
                        direction='ingress',
                        ethertype=ethertype,
                        source_group=security_group_db)
                    context.session.add(ingress_rule)

                egress_rule = SecurityGroupRule(
                    id=uuidutils.generate_uuid(), tenant_id=tenant_id,
                    security_group=security_group_db,
                    direction='egress',
                    ethertype=ethertype)
                context.session.add(egress_rule)

Changed in neutron:
assignee: nobody → Salvatore Orlando (salvatore-orlando)
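The two snippets in this thread produce two different default groups: the upstream code quoted above creates, per ethertype, one ingress rule pinned to the group itself (source_group, which is assumed here to surface as remote_group_id in API output) and one unrestricted egress rule, while the patch in the bug description creates ingress from 0.0.0.0/0 for both ethertypes. The audit below is an added example, not code from Neutron or from the reporter: it takes a group's rules in the field layout of the security-group-rules API and reports duplicates (issue 1), prefix/ethertype mismatches, world-open ingress, and missing default rules. The group id and rule sets are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed sample data, not taken from a live deployment: one tenant's
# "default" group, in the field layout the Neutron API returns for
# security-group-rules. The group id is a made-up UUID.
SG_ID = "6f1c2a9e-5b3d-4c7e-9a0f-1d2e3f4a5b6c"


def _rule(direction, ethertype, remote_group_id=None, remote_ip_prefix=None):
    """Build a rule dict with the subset of API fields the audit looks at."""
    return {"direction": direction, "ethertype": ethertype,
            "protocol": None, "port_range_min": None, "port_range_max": None,
            "remote_group_id": remote_group_id,
            "remote_ip_prefix": remote_ip_prefix}


# Shape produced by the upstream code quoted in the thread: per ethertype,
# ingress only from members of the same group, egress unrestricted.
UPSTREAM_DEFAULT = [
    _rule("ingress", "IPv4", remote_group_id=SG_ID),
    _rule("egress", "IPv4"),
    _rule("ingress", "IPv6", remote_group_id=SG_ID),
    _rule("egress", "IPv6"),
]

# Shape produced by the patch proposed in the bug description.
PROPOSED_FIX = [
    _rule("ingress", "IPv4", remote_ip_prefix="0.0.0.0/0"),
    _rule("egress", "IPv4", remote_ip_prefix="0.0.0.0/0"),
    _rule("ingress", "IPv6", remote_ip_prefix="0.0.0.0/0"),
    _rule("egress", "IPv6", remote_ip_prefix="0.0.0.0/0"),
]


def _key(r):
    """Identity of a rule for duplicate detection."""
    return (r["direction"], r["ethertype"], r["protocol"],
            r["port_range_min"], r["port_range_max"],
            r["remote_group_id"], r["remote_ip_prefix"])


def audit_default_rules(rules, sg_id):
    """Return a list of findings; empty means the group has exactly the
    intended default shape and nothing more permissive."""
    findings = []

    # Issue 1 from the thread: creation code that runs twice leaves identical
    # rules behind. Exact duplicates are redundant and show creation was not
    # idempotent.
    for key, n in Counter(_key(r) for r in rules).items():
        if n > 1:
            findings.append("duplicate rule x%d: %s %s" % (n, key[0], key[1]))

    for r in rules:
        prefix = r["remote_ip_prefix"]
        # A prefix whose address family disagrees with the ethertype can
        # never match traffic of that ethertype (e.g. IPv6 + 0.0.0.0/0).
        if prefix is not None:
            version = ipaddress.ip_network(prefix, strict=False).version
            if "IPv%d" % version != r["ethertype"]:
                findings.append("ethertype %s with IPv%d prefix %s"
                                % (r["ethertype"], version, prefix))
        # Ingress not pinned to the group itself admits traffic from outside
        # the tenant's own instances: the security-relevant difference
        # between the two rule sets above.
        if r["direction"] == "ingress" and r["remote_group_id"] != sg_id:
            findings.append("ingress %s not restricted to group: "
                            "remote_group_id=%s remote_ip_prefix=%s"
                            % (r["ethertype"], r["remote_group_id"], prefix))

    # Both ethertypes need the two intended rules present.
    present = {(r["direction"], r["ethertype"], r["remote_group_id"] == sg_id)
               for r in rules}
    for ethertype in ("IPv4", "IPv6"):
        if ("ingress", ethertype, True) not in present:
            findings.append("missing ingress-from-self rule for %s" % ethertype)
        if ("egress", ethertype, False) not in present:
            findings.append("missing egress rule for %s" % ethertype)
    return findings


if __name__ == "__main__":
    for name, rules in (("upstream", UPSTREAM_DEFAULT),
                        ("proposed fix", PROPOSED_FIX),
                        ("upstream created twice", UPSTREAM_DEFAULT * 2)):
        print(name)
        for f in audit_default_rules(rules, SG_ID):
            print("  " + f)
```

Run against real data by feeding it the rules of a tenant's default group as returned by the security-group-rules API; the upstream set audits clean, the proposed set is flagged for ingress open to any source on both ethertypes and for 0.0.0.0/0 on IPv6 rules, and a doubly created upstream set is flagged only for duplicates.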
Cedric Brandily (cbrandily) wrote:

This bug is > 365 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee: Salvatore Orlando (salvatore-orlando) → nobody
Launchpad Janitor (janitor) wrote:

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired