default sg could add same rule as original egress ipv4 rule
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | High | yujie |
Bug Description
In the default security group, we can add a rule that is the same as the original egress IPv4 rule.
Reproduce steps:
# neutron security-
It returns:
Created a new security_
+------
| Field | Value |
+------
| direction | egress |
| ethertype | IPv4 |
| id | d8f968e2-
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | 9a2c0d86-
| tenant_id | 52953da91c0e475
+------
Actually, we expect "Security group rule already exists. Rule id is xxxxx".
UPDATE (same as #4):
Comment #3 makes a mistake. The description above seems related to --remote-ip-prefix.
1. Create sg-rule rule1 without setting --remote-ip-prefix.
# neutron security-
2. Create sg-rule rule2, the same as rule1 except with --remote-ip-prefix 0.0.0.0/0.
# neutron security-
Both rules are created successfully.
In the dashboard, the two rules look the same.
Using neutronclient to show them:
rule1:
+------
| Field | Value |
+------
| direction | ingress |
| ethertype | IPv4 |
| id | 58999af2-
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | |
| security_group_id | 0aced031-
| tenant_id | 60f2bf725b0046e
+------
rule2:
+------
| Field | Value |
+------
| direction | ingress |
| ethertype | IPv4 |
| id | dbaed060-
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | 0aced031-
| tenant_id | 60f2bf725b0046e
+------
When creating an instance using this sg, in iptables the two sg rules are converted into only one rule in neutron-
So when checking for duplicate rules, we should take more care to treat rule1 and rule2 as the same.
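The normalisation the report asks for, as an added example that is not neutron's own duplicate check: a rule with no remote_ip_prefix and no remote_group_id is compared as if it carried the wildcard prefix for its ethertype, so rule1 and rule2 above collide. Field names follow the neutron output shown; the sample rules and ids are constructed.

```python
import ipaddress

# Wildcard prefix meaning "any address" for each ethertype (constructed mapping).
ANY_PREFIX = {"IPv4": "0.0.0.0/0", "IPv6": "::/0"}

def _unset(value):
    """neutron shows unset fields as blanks; treat "" and None alike."""
    return None if value in ("", None) else value

def rule_key(rule):
    """Comparison key: no remote_ip_prefix and no remote_group_id means
    "any address", so the prefix becomes the ethertype's wildcard; explicit
    prefixes are canonicalised (host bits dropped)."""
    ethertype = _unset(rule.get("ethertype")) or "IPv4"
    remote_group = _unset(rule.get("remote_group_id"))
    prefix = _unset(rule.get("remote_ip_prefix"))
    if prefix is not None:
        prefix = str(ipaddress.ip_network(prefix, strict=False))
    elif remote_group is None:
        prefix = ANY_PREFIX[ethertype]
    return (
        rule.get("security_group_id"),
        rule.get("direction"),
        ethertype,
        _unset(rule.get("protocol")),
        _unset(rule.get("port_range_min")),
        _unset(rule.get("port_range_max")),
        remote_group,
        prefix,
    )

def find_duplicates(rules):
    """Return (duplicate_id, existing_id) pairs for semantically equal rules."""
    first_seen, duplicates = {}, []
    for rule in rules:
        key = rule_key(rule)
        if key in first_seen:
            duplicates.append((rule["id"], first_seen[key]))
        else:
            first_seen[key] = rule["id"]
    return duplicates

# Constructed sample modelled on rule1/rule2 from the report (ids are placeholders).
RULE1 = {"id": "rule1", "direction": "ingress", "ethertype": "IPv4",
         "protocol": "", "port_range_min": "", "port_range_max": "",
         "remote_group_id": "", "remote_ip_prefix": "", "security_group_id": "sg-a"}
RULE2 = dict(RULE1, id="rule2", remote_ip_prefix="0.0.0.0/0")  # same as rule1
RULE3 = dict(RULE1, id="rule3", remote_ip_prefix="10.0.0.1/8")  # genuinely different
```

`find_duplicates([RULE1, RULE2, RULE3])` reports rule2 as a duplicate of rule1 while rule3 stays distinct; a rule that names a remote_group_id instead of a prefix is also kept distinct from the wildcard rule.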
Changed in neutron:
assignee: nobody → yujie (16189455-d)
description: updated
Changed in neutron:
assignee: nobody → Armando Migliaccio (armando-migliaccio)
status: Incomplete → In Progress
tags: added: sg-fw
Changed in neutron:
assignee: Armando Migliaccio (armando-migliaccio) → yujie (16189455-d)
importance: Undecided → High
milestone: none → ocata-rc1
Changed in neutron:
milestone: ocata-rc1 → ocata-rc2
tags: added: ocata-rc-potential
tags: removed: ocata-rc-potential
Changed in neutron:
milestone: ocata-rc2 → pike-1
http://paste.openstack.org/show/483909/
I created the same rule, and the reason why I used the id is because I have two defaults.
I am using origin/master neutron with a single-node devstack.
Can you please provide more info?