security group: ipv6 protocol integer works in ipv4 ethertype

Bug #1706229 reported by Trevor McCasland
Affects: neutron | Status: Fix Released | Importance: Undecided | Assigned to: Trevor McCasland | Milestone: none

Bug Description

Creating a security group rule with ethertype IPv4 and an IPv6 protocol integer succeeds when it should fail.

1. create security group, 'mygroup'
2. create security group rule --protocol 43 --ethertype IPv4 mygroup

Expected output:
ubuntu@ubuntu:/opt/stack/tempest$ openstack security group rule create --protocol ipv6-route --ethertype IPv4 mygroup
Error while executing command: Bad Request (HTTP 400) (Request-ID: req-c51a4492-3f9f-4381-98c4-8331d4366cca)

Actual output:
ubuntu@ubuntu:/opt/stack/tempest$ openstack security group rule create --protocol 43 --ethertype IPv4 mygroup
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2017-07-25T00:34:46Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 230d5bd4-4be5-4814-a80a-b8aa74d8f5d2 |
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | 4cdd24e0cfb54cf49aef2da436884a7a |
| protocol | 43 |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 439a1eb6-37a6-45ff-adb6-87aa87e8b68c |
| updated_at | 2017-07-25T00:34:46Z |
+-------------------+--------------------------------------+

The problem is here in neutron/db/securitygroups_db.py:

        if rule['protocol'] in [constants.PROTO_NAME_IPV6_ENCAP,
                                constants.PROTO_NAME_IPV6_FRAG,
                                constants.PROTO_NAME_IPV6_ICMP,
                                constants.PROTO_NAME_IPV6_ICMP_LEGACY,
                                constants.PROTO_NAME_IPV6_NONXT,
                                constants.PROTO_NAME_IPV6_OPTS,
                                constants.PROTO_NAME_IPV6_ROUTE]:
            if rule['ethertype'] == constants.IPv4:
                raise ext_sg.SecurityGroupEthertypeConflictWithProtocol(
                    ethertype=rule['ethertype'], protocol=rule['protocol'])

It should check for numbers and names from neutron_lib constants.

Changed in neutron:
assignee: nobody → Trevor McCasland (twm2016)
description: updated
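The bypass described in the report, reproduced as an added example that is not neutron's own code: the name-only check from the bug lets the numeric spelling "43" through, while a check that first normalizes the protocol to its IANA number rejects names, integers and numeric strings alike. The protocol names and numbers are defined inline (they mirror neutron_lib's PROTO_NAME_* and PROTO_NUM_* values but are assumptions here so the script runs without neutron installed).

```python
# Added example, not neutron's code. Names/numbers are the IANA protocol
# numbers for the IPv6-only protocols; assumed to match neutron_lib constants.
IPv4, IPv6 = "IPv4", "IPv6"

# IPv6-only protocols: API name -> IANA protocol number
IPV6_ONLY_PROTOCOLS = {
    "ipv6-encap": 41,
    "ipv6-route": 43,
    "ipv6-frag": 44,
    "ipv6-icmp": 58,
    "icmpv6": 58,      # legacy spelling the API also accepts
    "ipv6-nonxt": 59,
    "ipv6-opts": 60,
}
IPV6_ONLY_NUMBERS = set(IPV6_ONLY_PROTOCOLS.values())


class EthertypeConflictWithProtocol(ValueError):
    """Stand-in for ext_sg.SecurityGroupEthertypeConflictWithProtocol."""


def check_rule_buggy(rule):
    """Name-only check as quoted in the bug: protocol '43' slips through."""
    if rule["protocol"] in IPV6_ONLY_PROTOCOLS and rule["ethertype"] == IPv4:
        raise EthertypeConflictWithProtocol(rule["ethertype"], rule["protocol"])
    return True


def protocol_number(protocol):
    """Map a protocol given as name, int or numeric string to its number."""
    if protocol is None:
        return None
    if isinstance(protocol, int):
        return protocol
    text = str(protocol).strip().lower()
    if text.isdigit():
        return int(text)
    return IPV6_ONLY_PROTOCOLS.get(text)  # None for tcp/udp/icmp/...


def check_rule_fixed(rule):
    """Hardened check: compare the canonical number, not the spelling."""
    number = protocol_number(rule.get("protocol"))
    if number in IPV6_ONLY_NUMBERS and rule["ethertype"] == IPv4:
        raise EthertypeConflictWithProtocol(rule["ethertype"], rule["protocol"])
    return True


def is_rejected(check, rule):
    """True when the given check raises the ethertype conflict for rule."""
    try:
        check(rule)
    except EthertypeConflictWithProtocol:
        return True
    return False
```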
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/487130

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/487130
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2ec36dc812710c284b75498e695a44585484c6a1
Submitter: Jenkins
Branch: master

commit 2ec36dc812710c284b75498e695a44585484c6a1
Author: Trevor McCasland <email address hidden>
Date: Tue Jul 25 08:44:08 2017 -0500

    Enforce ethertype with IPv6 integer protocols

    By extending the black list to include the integer representation
    for IPv6 we can successfully block api requests to create security
    group rules for IPv6 protocols with ethertype IPv4.

    Closes-Bug: #1706229
    Change-Id: I5abeff178b3be18f1e93d00d9d546147b11c1a74

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.0.0b3

This issue was fixed in the openstack/neutron 11.0.0.0b3 development milestone.

tags: added: neutron-proactive-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/497919

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/497920

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/497919
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d66915a7ae96997466870127039e00ac2e2f2053
Submitter: Jenkins
Branch: stable/ocata

commit d66915a7ae96997466870127039e00ac2e2f2053
Author: Trevor McCasland <email address hidden>
Date: Tue Jul 25 08:44:08 2017 -0500

    Enforce ethertype with IPv6 integer protocols

    By extending the black list to include the integer representation
    for IPv6 we can successfully block api requests to create security
    group rules for IPv6 protocols with ethertype IPv4.

    Closes-Bug: #1706229
    Change-Id: I5abeff178b3be18f1e93d00d9d546147b11c1a74
    (cherry picked from commit 2ec36dc812710c284b75498e695a44585484c6a1)

tags: added: in-stable-ocata
tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/newton)

Reviewed: https://review.openstack.org/497920
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fe097d6a7c1554574042d0674a66828b70f1401c
Submitter: Jenkins
Branch: stable/newton

commit fe097d6a7c1554574042d0674a66828b70f1401c
Author: Trevor McCasland <email address hidden>
Date: Tue Jul 25 08:44:08 2017 -0500

    Enforce ethertype with IPv6 integer protocols

    By extending the black list to include the integer representation
    for IPv6 we can successfully block api requests to create security
    group rules for IPv6 protocols with ethertype IPv4.

    Closes-Bug: #1706229
    Change-Id: I5abeff178b3be18f1e93d00d9d546147b11c1a74
    (cherry picked from commit 2ec36dc812710c284b75498e695a44585484c6a1)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.4

This issue was fixed in the openstack/neutron 10.0.4 release.
