neutron

default sg could add same rule as original egress ipv4 rule

Bug #1534113 reported by yujie on 2016-01-14

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	High	yujie	neutron pike-1 "p-1"

Bug Description

In default securitygroup, we could add a rule in default same as the original egress ipv4 rule.

Reproduce step:
# neutron security-group-rule-create --direction egress --remote-ip-prefix 0.0.0.0/0 default

Actually we expect that "Security group rule already exists. Rule id is xxxxx".

UPDATE( Same as #4 ):
Comment #3 makes a mistake. The description above seems related to --remote-ip-prefix.

1. Create sg-rule rule1 setting no --remote-ip-prefix.
# neutron security-group-rule-create --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

2. Create sg-rule rule2 same as rule1 except that --remote-ip-prefix 0.0.0.0/0.
# neutron security-group-rule-create --remote-ip-prefix 0.0.0.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

Both rules could create successfully.

In dashboard, the two rules looks the same.

When create instance using this sg, in iptables the two sg rules only convert to one rule in neutron-openvswi-ixxxxx.

So when check duplicate rules we should take more effort to treat rule1 and rule2 as the same.

See original description

Tags:

yujie (16189455-d) on 2016-01-14

Changed in neutron:
assignee:	nobody → yujie (16189455-d)

Revision history for this message

Manjeet Singh Bhatia (manjeet-s-bhatia) wrote on 2016-01-14:

http://paste.openstack.org/show/483909/

I created same rule and the reason why i used id because I have two defaults.

I am using origin/master neutron with single node devstack.

can you please provide more info ?

Changed in neutron:
status:	New → Incomplete

Revision history for this message

yujie (16189455-d) wrote on 2016-01-15:

before-add-rule.txt Edit (6.3 KiB, text/plain)

@ Manjeet
I am using origin/master neutron with single node devstack. Now i found the reason.

The info of default sg for tenant demo is in attachment: before-add-rule.txt
Then added a sg-rule:
$ neutron security-group-rule-create --remote-ip-prefix 0.0.0.0/0--direction egress 0aced031-542f-40f0-87d7-d20dfc6b0ea2
The rule was created successfully. Actually this new rule play the same rule as egress-rule(id: cccaf264-4351-4e85-a0b7-3cff9bcace55 )

Then tried another way to add sg-rule:
$ neutron security-group-rule-create --prefix 0.0.0.0/0 --direction egress 0aced031-542f-40f0-87d7-d20dfc6b0ea2
This time it returns "Security group rule already exists. Rule id is cccaf264-4351-4e85-a0b7-3cff9bcace55".

Changed in neutron:
status:	Incomplete → New

Revision history for this message

yujie (16189455-d) wrote on 2016-01-15:

@Manjeet
I tried the difference between prefix and remote-ip-prefix.
1. add rule1: neutron security-group-rule-create --prefix 0.0.0.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2
2. add rule2: neutron security-group-rule-create --remote-ip-prefix 0.0.0.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2
3. add rule3: neutron security-group-rule-create --prefix 2.2.2.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2
4. add rule4: neutron security-group-rule-create --remote-ip-prefix 2.2.2.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

rule1/2/4 was created successfully. But rule3 was returns "Security group rule already exists. Rule id is 58999af2-266a-422f-9b41-c38b69bb72ef ( rule1 id)."

From above, the parameter prefix works wrong way and its function could be replaced by remote-ip-prefix completely.
Maybe we could remote it.

Revision history for this message

yujie (16189455-d) wrote on 2016-01-15:

Download full text (3.6 KiB)

Comment #3 make a mistack. It seems it has nothing to do with --prefix， but related to --remote-ip-prefix.

1. Create sg-rule rule1 setting no --remote-ip-prefix.
# neutron security-group-rule-create --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

Both rules could create successfully.

Comment #3 make a mistack. It seems it has nothing to do with --prefix， but related to --remote-ip-prefix.

1. Create sg-rule rule1 setting no  --remote-ip-prefix.    
   # neutron security-group-rule-create   --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

2. Create sg-rule rule2 same as rule1 except that --remote-ip-prefix 0.0.0.0/0.
    # neutron security-group-rule-create   --remote-ip-prefix 0.0.0.0/0  --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

Both rules could create successfully.

When create instance using this sg, in iptables the two sg rules only convert to one rule in neutron-openvswi-ixxxxx.

So when check duplicate rules we should take more effort to treat rule1 and rule2 as same rules.

yujie (16189455-d) on 2016-01-15

description:

updated

Revision history for this message

Manjeet Singh Bhatia (manjeet-s-bhatia) wrote on 2016-01-15:

@yujie I think that's expected behavior if someone wants to have different prefixes with different port range,
but not sure lets see what other people says

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-06-18: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/331416

Changed in neutron:
status:	New → In Progress

Revision history for this message

Armando Migliaccio (armando-migliaccio) wrote on 2016-12-23:

This bug is > 180 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee:	yujie (16189455-d) → nobody
status:	In Progress → Incomplete

OpenStack Infra (hudson-openstack) on 2017-01-31

Changed in neutron:
assignee:	nobody → Armando Migliaccio (armando-migliaccio)
status:	Incomplete → In Progress

Armando Migliaccio (armando-migliaccio) on 2017-01-31

tags:	added: sg-fw
Changed in neutron:
assignee:	Armando Migliaccio (armando-migliaccio) → yujie (16189455-d)
importance:	Undecided → High
milestone:	none → ocata-rc1

Armando Migliaccio (armando-migliaccio) on 2017-02-07

Changed in neutron:
milestone:	ocata-rc1 → ocata-rc2

Armando Migliaccio (armando-migliaccio) on 2017-02-07

tags:

added: ocata-rc-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-02-08: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/331416
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=785656744a6883b22972da0d867b36b699d6b15c
Submitter: Jenkins
Branch: master

commit 785656744a6883b22972da0d867b36b699d6b15c
Author: yujie <email address hidden>
Date: Thu Jul 7 12:49:34 2016 +0800

Fix duplicated sg rules check for remote_ip_prefix

    Security group rule setting remote_ip_prefix 0.0.0.0/0 for ipv4 or
    ::/0 for ipv6 plays the same role as the sg rules without setting
    remote_ip_prefix. We could treat them as duplicate.

Change-Id: Ic9213e77d3b03aded7fc34d486066c8af4a3b2a1
Closes-Bug: #1534113

Changed in neutron:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-02-08: Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/431083

Armando Migliaccio (armando-migliaccio) on 2017-02-09

tags:	removed: ocata-rc-potential
Changed in neutron:
milestone:	ocata-rc2 → pike-1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-22: Fix merged to neutron (stable/ocata)

#10

Reviewed: https://review.openstack.org/431083
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8307dbe2dd87d87cb14b4707f1764adfc4819bfc
Submitter: Jenkins
Branch: stable/ocata

commit 8307dbe2dd87d87cb14b4707f1764adfc4819bfc
Author: yujie <email address hidden>
Date: Thu Jul 7 12:49:34 2016 +0800

Fix duplicated sg rules check for remote_ip_prefix

    Security group rule setting remote_ip_prefix 0.0.0.0/0 for ipv4 or
    ::/0 for ipv6 plays the same role as the sg rules without setting
    remote_ip_prefix. We could treat them as duplicate.

    Change-Id: Ic9213e77d3b03aded7fc34d486066c8af4a3b2a1
    Closes-Bug: #1534113
    (cherry picked from commit 785656744a6883b22972da0d867b36b699d6b15c)

tags:

added: in-stable-ocata

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-04-12: Fix included in openstack/neutron 10.0.1

#11

This issue was fixed in the openstack/neutron 10.0.1 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-04-14: Fix included in openstack/neutron 11.0.0.0b1

#12

This issue was fixed in the openstack/neutron 11.0.0.0b1 development milestone.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-05-05: Fix proposed to neutron (stable/newton)

#13

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/462936

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-05-12: Fix merged to neutron (stable/newton)

#14

Reviewed: https://review.openstack.org/462936
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7ae6e56bb588fd11dbd3771bde74b3d48055cf33
Submitter: Jenkins
Branch: stable/newton

commit 7ae6e56bb588fd11dbd3771bde74b3d48055cf33
Author: yujie <email address hidden>
Date: Thu Jul 7 12:49:34 2016 +0800

Fix duplicated sg rules check for remote_ip_prefix

    Security group rule setting remote_ip_prefix 0.0.0.0/0 for ipv4 or
    ::/0 for ipv6 plays the same role as the sg rules without setting
    remote_ip_prefix. We could treat them as duplicate.

    Change-Id: Ic9213e77d3b03aded7fc34d486066c8af4a3b2a1
    Closes-Bug: #1534113
    (cherry picked from commit 8307dbe2dd87d87cb14b4707f1764adfc4819bfc)