Security Group specifying protocol 0 results in Error 400

Bug #1716790 reported by German Eichberger
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Brian Haley

Bug Description

Per the documentation, protocol 0 should be allowed (not sure what it does? Accept any protocol? Test?). However, it results in a 400 error. Neutron should accept 0.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/511561

Changed in neutron:
assignee: nobody → Brian Haley (brian-haley)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/511561
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7ff492c5bb9ce9f24f12db40c8e3a33beb47f87b
Submitter: Zuul
Branch: master

commit 7ff492c5bb9ce9f24f12db40c8e3a33beb47f87b
Author: Brian Haley <email address hidden>
Date: Thu Oct 12 15:25:26 2017 -0400

    Support protocol numbers in security group API

    Somewhere along the way we broke supporting numbers in
    the security group API that were not in our known list
    of protocols. In order to fix this properly we must
    use the correct arguments when using iptables-save, as
    it could use a name instead of a number, or vice-versa.
    Determined the list of mappings by doing:

     for num in {0..255}; do iptables -A INPUT -p $num; done
     # iptables-save

    Change-Id: I5895250b47ddf664d214cf085be693c3897e0c87
    Closes-bug: #1716045
    Closes-bug: #1716790

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0b2

This issue was fixed in the openstack/neutron 12.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/532188

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/532460

YAMAMOTO Takashi (yamamoto) wrote :

Is anyone working on the documentation part? (Make it clear what protocol 0 means.)

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/532188
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d16f69b3ae925bc4f48f75c84798a8fe2198aa2e
Submitter: Zuul
Branch: stable/pike

commit d16f69b3ae925bc4f48f75c84798a8fe2198aa2e
Author: Brian Haley <email address hidden>
Date: Thu Oct 12 15:25:26 2017 -0400

    Support protocol numbers in security group API

    Somewhere along the way we broke supporting numbers in
    the security group API that were not in our known list
    of protocols. In order to fix this properly we must
    use the correct arguments when using iptables-save, as
    it could use a name instead of a number, or vice-versa.
    Determined the list of mappings by doing:

     for num in {0..255}; do iptables -A INPUT -p $num; done
     # iptables-save

    Change-Id: I5895250b47ddf664d214cf085be693c3897e0c87
    Closes-bug: #1716045
    Closes-bug: #1716790
    (cherry picked from commit 7ff492c5bb9ce9f24f12db40c8e3a33beb47f87b)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/532460
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8442a144a230964ee88cfee43927eb1b1c94ee03
Submitter: Zuul
Branch: stable/ocata

commit 8442a144a230964ee88cfee43927eb1b1c94ee03
Author: Brian Haley <email address hidden>
Date: Thu Oct 12 15:25:26 2017 -0400

    Support protocol numbers in security group API

    Somewhere along the way we broke supporting numbers in
    the security group API that were not in our known list
    of protocols. In order to fix this properly we must
    use the correct arguments when using iptables-save, as
    it could use a name instead of a number, or vice-versa.
    Determined the list of mappings by doing:

     for num in {0..255}; do iptables -A INPUT -p $num; done
     # iptables-save

    Change-Id: I5895250b47ddf664d214cf085be693c3897e0c87
    Closes-bug: #1716045
    Closes-bug: #1716790
    (cherry picked from commit 7ff492c5bb9ce9f24f12db40c8e3a33beb47f87b)

tags: added: in-stable-ocata
Brian Haley (brian-haley) wrote :

Hi Yamamoto, sorry, didn't see your question until now.

I can update the api-ref to make it clear 0 == 'any'. The parameters.yaml file in neutron-lib is kind of a mess in this area so will need a lot of cleanup.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/534962

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (master)

Reviewed: https://review.openstack.org/534962
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=fa8768aaa787e8c94f3f11bcc997560182f04061
Submitter: Zuul
Branch: master

commit fa8768aaa787e8c94f3f11bcc997560182f04061
Author: Brian Haley <email address hidden>
Date: Wed Jan 17 17:34:52 2018 -0500

    Update security group rule protocol parameter text

    Updated text to include "any"/"0" and "ipip"/"4" as
    valid parameters for protocol in security group rules,
    as well as any integer value from [0-255].

    Change-Id: I80ee9bcd885c5c0383925f8d0bb10d34335f8038
    Related-bug: #1716790
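
An added example, not Neutron's or neutron-lib's code: one way to audit security group protocols against saved iptables rules when, as the commit messages above note, either side may use a name or a number and any integer in [0-255] is valid. The function names, the name tables and the sample rule lines are assumptions made for illustration.

```python
import re

# Constructed subset of IANA protocol numbers. "any"/0 and "ipip"/4 are the
# pairs named in the neutron-lib commit message; the rest are well-known.
API_NAMES = {"any": 0, "icmp": 1, "ipip": 4, "tcp": 6, "udp": 17, "sctp": 132}
# Assumption for illustration: spellings iptables-save may print for the same
# numbers ("all" for 0, the /etc/protocols name "ipencap" for 4).
SAVE_NAMES = dict(API_NAMES, all=0, ipencap=4)


def to_number(value, names=API_NAMES):
    """Map a protocol name or number to an int in [0, 255], else ValueError."""
    text = str(value).strip().lower()
    if re.fullmatch(r"[0-9]{1,3}", text):
        number = int(text)
        if number <= 255:
            return number
    elif text in names:
        return names[text]
    raise ValueError(f"invalid protocol: {value!r}")


def saved_protocol(line):
    """Protocol number of one iptables-save rule line; no -p means 0 (any)."""
    match = re.search(r"(?:^|\s)(?:-p|--protocol)\s+(\S+)", line)
    return to_number(match.group(1), SAVE_NAMES) if match else 0


def missing_protocols(wanted, saved_lines):
    """API protocol values that have no rule in the saved output."""
    present = {saved_protocol(line) for line in saved_lines}
    return [value for value in wanted if to_number(value) not in present]


# Constructed sample in iptables-save syntax, not captured from a real host.
SAVED = [
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -p ipencap -j ACCEPT",
    "-A INPUT -p 47 -j ACCEPT",
    "-A INPUT -j ACCEPT",
]

if __name__ == "__main__":
    print(missing_protocols(["1", "ipip", 47, "0", "tcp"], SAVED))
```

Comparing the raw strings would report "1", "ipip" and "0" as missing even though the rules exist; comparing by number leaves only the protocol that has no rule.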

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.5

This issue was fixed in the openstack/neutron 10.0.5 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.3

This issue was fixed in the openstack/neutron 11.0.3 release.
