default sg could add same rule as original egress ipv4 rule

Bug #1534113 reported by yujie
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
High
yujie

Bug Description

In default securitygroup, we could add a rule in default same as the original egress ipv4 rule.

Reproduce step:
# neutron security-group-rule-create --direction egress --remote-ip-prefix 0.0.0.0/0 default

It returns:
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | egress |
| ethertype | IPv4 |
| id | d8f968e2-270b-4d6e-a2d0-a408726b7edc |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | 9a2c0d86-4a36-46d4-a4da-43a239003eef |
| tenant_id | 52953da91c0e47528d5317867391aaec |
+-------------------+--------------------------------------+

Actually we expect that "Security group rule already exists. Rule id is xxxxx".

UPDATE( Same as #4 ):
Comment #3 makes a mistake. The description above seems related to --remote-ip-prefix.

1. Create sg-rule rule1 setting no --remote-ip-prefix.
   # neutron security-group-rule-create --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

2. Create sg-rule rule2 same as rule1 except that --remote-ip-prefix 0.0.0.0/0.
    # neutron security-group-rule-create --remote-ip-prefix 0.0.0.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

Both rules could create successfully.

In dashboard, the two rules looks the same.

Using neutronclient show them:
rule1:
+--------------------------------+------------------------------+
| Field | Value |
+--------------------------------+------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | 58999af2-266a-422f-9b41-c38b69bb72ef |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | |
| security_group_id | 0aced031-542f-40f0-87d7-d20dfc6b0ea2 |
| tenant_id | 60f2bf725b0046ef9e2c470b528a25f6 |
+--------------------------------+------------------------------+

rule2:
+--------------------------------+----------------------------+
| Field | Value |
+--------------------------------+----------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | dbaed060-2c94-44df-b0b9-6852c6d3ed0e |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | 0aced031-542f-40f0-87d7-d20dfc6b0ea2 |
| tenant_id | 60f2bf725b0046ef9e2c470b528a25f6 |
+--------------------------------+----------------------------+

When create instance using this sg, in iptables the two sg rules only convert to one rule in neutron-openvswi-ixxxxx.

So when check duplicate rules we should take more effort to treat rule1 and rule2 as the same.

yujie (16189455-d)
Changed in neutron:
assignee: nobody → yujie (16189455-d)
Revision history for this message
Manjeet Singh Bhatia (manjeet-s-bhatia) wrote :

http://paste.openstack.org/show/483909/

I created same rule and the reason why i used id because I have two defaults.

I am using origin/master neutron with single node devstack.

can you please provide more info ?

Changed in neutron:
status: New → Incomplete
Revision history for this message
yujie (16189455-d) wrote :

@ Manjeet
I am using origin/master neutron with single node devstack. Now i found the reason.

The info of default sg for tenant demo is in attachment: before-add-rule.txt
Then added a sg-rule:
         $ neutron security-group-rule-create --remote-ip-prefix 0.0.0.0/0--direction egress 0aced031-542f-40f0-87d7-d20dfc6b0ea2
The rule was created successfully. Actually this new rule play the same rule as egress-rule(id: cccaf264-4351-4e85-a0b7-3cff9bcace55 )

Then tried another way to add sg-rule:
         $ neutron security-group-rule-create --prefix 0.0.0.0/0 --direction egress 0aced031-542f-40f0-87d7-d20dfc6b0ea2
This time it returns "Security group rule already exists. Rule id is cccaf264-4351-4e85-a0b7-3cff9bcace55".

Changed in neutron:
status: Incomplete → New
Revision history for this message
yujie (16189455-d) wrote :

@Manjeet
I tried the difference between prefix and remote-ip-prefix.
1. add rule1: neutron security-group-rule-create --prefix 0.0.0.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2
2. add rule2: neutron security-group-rule-create --remote-ip-prefix 0.0.0.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2
3. add rule3: neutron security-group-rule-create --prefix 2.2.2.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2
4. add rule4: neutron security-group-rule-create --remote-ip-prefix 2.2.2.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

rule1/2/4 was created successfully. But rule3 was returns "Security group rule already exists. Rule id is 58999af2-266a-422f-9b41-c38b69bb72ef ( rule1 id)."

From above, the parameter prefix works wrong way and its function could be replaced by remote-ip-prefix completely.
Maybe we could remote it.

Revision history for this message
yujie (16189455-d) wrote :
Download full text (3.6 KiB)

Comment #3 make a mistack. It seems it has nothing to do with --prefix, but related to --remote-ip-prefix.

1. Create sg-rule rule1 setting no --remote-ip-prefix.
   # neutron security-group-rule-create --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

2. Create sg-rule rule2 same as rule1 except that --remote-ip-prefix 0.0.0.0/0.
    # neutron security-group-rule-create --remote-ip-prefix 0.0.0.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

Both rules could create successfully.

In dashboard, the two rules looks the same.
Using neutronclient show them:
rule1:
+--------------------------------+---------------------------------------------------------------+
| Field | Value |
+--------------------------------+---------------------------------------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | 58999af2-266a-422f-9b41-c38b69bb72ef |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | |
| security_group_id | 0aced031-542f-40f0-87d7-d20dfc6b0ea2 |
| tenant_id | 60f2bf725b0046ef9e2c470b528a25f6 |
+--------------------------------+---------------------------------------------------------------+

rule2:
+--------------------------------+----------------------------------------------------------------+
| Field | Value |
+--------------------------------+----------------------------------------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | dbaed060-2c94-44df-b0b9-6852c6d3ed0e |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 ...

Read more...

yujie (16189455-d)
description: updated
Revision history for this message
Manjeet Singh Bhatia (manjeet-s-bhatia) wrote :

@yujie I think that's expected behavior if someone wants to have different prefixes with different port range,
but not sure lets see what other people says

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/331416

Changed in neutron:
status: New → In Progress
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 180 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee: yujie (16189455-d) → nobody
status: In Progress → Incomplete
Changed in neutron:
assignee: nobody → Armando Migliaccio (armando-migliaccio)
status: Incomplete → In Progress
tags: added: sg-fw
Changed in neutron:
assignee: Armando Migliaccio (armando-migliaccio) → yujie (16189455-d)
importance: Undecided → High
milestone: none → ocata-rc1
Changed in neutron:
milestone: ocata-rc1 → ocata-rc2
tags: added: ocata-rc-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/331416
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=785656744a6883b22972da0d867b36b699d6b15c
Submitter: Jenkins
Branch: master

commit 785656744a6883b22972da0d867b36b699d6b15c
Author: yujie <email address hidden>
Date: Thu Jul 7 12:49:34 2016 +0800

    Fix duplicated sg rules check for remote_ip_prefix

    Security group rule setting remote_ip_prefix 0.0.0.0/0 for ipv4 or
    ::/0 for ipv6 plays the same role as the sg rules without setting
    remote_ip_prefix. We could treat them as duplicate.

    Change-Id: Ic9213e77d3b03aded7fc34d486066c8af4a3b2a1
    Closes-Bug: #1534113

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/431083

tags: removed: ocata-rc-potential
Changed in neutron:
milestone: ocata-rc2 → pike-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/431083
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8307dbe2dd87d87cb14b4707f1764adfc4819bfc
Submitter: Jenkins
Branch: stable/ocata

commit 8307dbe2dd87d87cb14b4707f1764adfc4819bfc
Author: yujie <email address hidden>
Date: Thu Jul 7 12:49:34 2016 +0800

    Fix duplicated sg rules check for remote_ip_prefix

    Security group rule setting remote_ip_prefix 0.0.0.0/0 for ipv4 or
    ::/0 for ipv6 plays the same role as the sg rules without setting
    remote_ip_prefix. We could treat them as duplicate.

    Change-Id: Ic9213e77d3b03aded7fc34d486066c8af4a3b2a1
    Closes-Bug: #1534113
    (cherry picked from commit 785656744a6883b22972da0d867b36b699d6b15c)

tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.1

This issue was fixed in the openstack/neutron 10.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.0.0b1

This issue was fixed in the openstack/neutron 11.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/462936

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/newton)

Reviewed: https://review.openstack.org/462936
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7ae6e56bb588fd11dbd3771bde74b3d48055cf33
Submitter: Jenkins
Branch: stable/newton

commit 7ae6e56bb588fd11dbd3771bde74b3d48055cf33
Author: yujie <email address hidden>
Date: Thu Jul 7 12:49:34 2016 +0800

    Fix duplicated sg rules check for remote_ip_prefix

    Security group rule setting remote_ip_prefix 0.0.0.0/0 for ipv4 or
    ::/0 for ipv6 plays the same role as the sg rules without setting
    remote_ip_prefix. We could treat them as duplicate.

    Change-Id: Ic9213e77d3b03aded7fc34d486066c8af4a3b2a1
    Closes-Bug: #1534113
    (cherry picked from commit 8307dbe2dd87d87cb14b4707f1764adfc4819bfc)

tags: added: in-stable-newton
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 9.4.0

This issue was fixed in the openstack/neutron 9.4.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.