neutron

icmp, icmpv6 and ipv6-icmp should raise duplicated sg rule exception

Bug #1582500 reported by ZongKai LI
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Wishlist
Miguel Lavalle

Bug Description

For security group rules, when they have 'ethertype'='ipv6' and only protocol values are different(icmp, or icmpv6, or ipv6-icmp), they should be considered as duplicated.

e.g. using the following CLI commands to create sg rules, SecurityGroupRuleExists exception should raise:
>> neutron security-group-rule-create --ethertype ipv6 --protocol icmp SG_ID
>> neutron security-group-rule-create --ethertype ipv6 --protocol icmpv6 SG_ID
>> neutron security-group-rule-create --ethertype ipv6 --protocol ipv6-icmp SG_ID

User could understand they are just different alias, and we don't need "duplicated" entries to deal with.

Tags: sg-fw
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/317222

Changed in neutron:
assignee: nobody → ZongKai LI (lzklibj)
status: New → In Progress
Hirofumi Ichihara (ichihara-hirofumi)
tags: added: sg-fw
Changed in neutron:
importance: Undecided → Wishlist
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 180 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee: ZongKai LI (lzklibj) → nobody
status: In Progress → Incomplete
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/317222

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/427670

Changed in neutron:
assignee: nobody → Reedip (reedip-banerjee)
status: Incomplete → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/453346

OpenStack Infra (hudson-openstack)
Changed in neutron:
assignee: Reedip (reedip-banerjee) → Brian Haley (brian-haley)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Brian Haley (<email address hidden>) on branch: master
Review: https://review.openstack.org/453346
Reason: Abandon in favor of https://review.openstack.org/#/c/427670/

OpenStack Infra (hudson-openstack)
Changed in neutron:
assignee: Brian Haley (brian-haley) → Reedip (reedip-banerjee)
OpenStack Infra (hudson-openstack)
Changed in neutron:
assignee: Reedip (reedip-banerjee) → Brian Haley (brian-haley)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/427670
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/453346
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-tempest-plugin (master)

Fix proposed to branch: master
Review: https://review.opendev.org/660206

OpenStack Infra (hudson-openstack)
Changed in neutron:
assignee: Brian Haley (brian-haley) → Miguel Lavalle (minsel)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-tempest-plugin (master)

Reviewed: https://review.opendev.org/660206
Committed: https://git.openstack.org/cgit/openstack/neutron-tempest-plugin/commit/?id=8d2557c6320208e0d27532f8d4d5f239b002a4c5
Submitter: Zuul
Branch: master

commit 8d2557c6320208e0d27532f8d4d5f239b002a4c5
Author: Brian Haley <email address hidden>
Date: Mon May 20 15:56:58 2019 -0400

    Change legacy security group rule check

    A neutron change, https://review.opendev.org/#/c/453346/
    is standardizing the protocol name for IPv6 ICMP in security
    group rules to be 'ipv6-icmp', even if 'icmp' or 'icmpv6'
    was passed during creation. Change the API test to check
    against a list of possible values so it covers both old and
    new behaviors.

    Change-Id: I0ca8d743ca56f7d67ef8c1ae45ca518bd6e6dc35
    Partial-Bug: #1582500

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/453346
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=42074a67259eb4bfe70631d087fa4fc4d509ab51
Submitter: Zuul
Branch: master

commit 42074a67259eb4bfe70631d087fa4fc4d509ab51
Author: Brian Haley <email address hidden>
Date: Tue Apr 4 17:37:27 2017 -0400

    Canonicalize IPv6 ICMP protocol name in security groups

    Currently, 'icmp', 'ipv6-icmp' and 'icmpv6' can be
    specified as an IPv6 ICMP protocol value. This can
    lead to duplicate entries in the DB for doing exactly
    the same thing.

    Change to always be 'ipv6-icmp' so this doesn't happen.

    Existing rules using one of the old values will now be
    returned with 'ipv6-icmp' as the protocol value.

    Depends-on: https://review.opendev.org/660206
    Depends-on: https://review.opendev.org/660387

    Change-Id: I7cd146691dce1a690e1d2c309dfd54b4a0032f76
    Partial-Bug: #1582500

Brian Haley (brian-haley)
Changed in neutron:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/670906

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/670908

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/670908
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=1376d2e807dc020d027dc5fa07e317ab066eda75
Submitter: Zuul
Branch: master

commit 1376d2e807dc020d027dc5fa07e317ab066eda75
Author: Brian Haley <email address hidden>
Date: Mon Jul 15 15:35:47 2019 -0400

    Only have one number to name mapping for IPv6 ICMP

    Neutron normalized the IPv6 ICMP protocol string to 'ipv6-icmp',
    but the number to name mapping dict incorrectly shows 'icmpv6':

    >>> constants.IP_PROTOCOL_NUM_TO_NAME_MAP['58']
    'icmpv6'

    This is because in the name to number mapping dict there are
    two keys, 'ipv6-icmp' and 'icmpv6', that have a value of 58
    in order to keep backwards-compatibility. Since the number
    to name mapping is built automatically from that, it overwrites
    the '58' key value to be 'icmpv6'. Filter it out so there is
    only a single mapping to 'ipv6-icmp'.

    Change-Id: I6b6c34c13f006ffca4cb4e2f18a2f825764374ec
    Related-bug: #1582500

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/670906
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dac9a062aca91e243859e8a7d5b6814cfd37d222
Submitter: Zuul
Branch: master

commit dac9a062aca91e243859e8a7d5b6814cfd37d222
Author: Brian Haley <email address hidden>
Date: Mon Jul 15 15:27:13 2019 -0400

    Normalize protocol number 1 to 58 for IPv6

    The security group code was changed recently to always
    normalize IPv6 ICMP protocol names to 'ipv6-icmp', but it
    did not cover when a number is used instead. Normalize
    protocol number 1 to 58 for IPv6 ICMP as well.

    Change-Id: Ife8263196f3d678d8455f07834c9f6c1330acc00
    Closes-bug: #1582500

Changed in neutron:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 15.0.0.0b1

This issue was fixed in the openstack/neutron 15.0.0.0b1 development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.