[SRU] neutron doesn't correctly handle unknown protocols and should whitelist known and handled protocols
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned |
Ubuntu Cloud Archive (Ocata) | Fix Released | Critical | Unassigned |
neutron | Fix Released | Critical | Brian Haley |
Bug Description
[Impact]
Neutron allowed users to create security group rules that would translate to invalid iptables rules thus causing neutron to fail when it attempted to apply them. This is now fixed for >= Pike and we are backporting for Ocata.
[Test Case]
* deploy openstack ocata
* create an invalid security group rule e.g.
openstack security group rule create --protocol gre --dst-port 0:255 jmclane
* check that request is rejected with e.g.
Error while executing command: BadRequestExcep
, SCTP and DCCP.", "type": "SecurityGroupI
[Regression Potential]
Upgrading to this patch will reject new api requests that try to create invalid rules but will not cleanup invalid rules already extant.
Note also that the backported ocata patch is unchanged from pike.
-------
We have had problems with openvswitch agent continuously restarting and never actually completing setup because of this:
# Completed by iptables_manager
; Stdout: ; Stderr: iptables-restore v1.4.21: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP
Error occurred at line: 83
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
83. -I neutron-
---
Someone has managed to inject a rule that is, effectively, a DoS.
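The test case above exercises the server-side check that the fix adds: a port range is only meaningful for the protocols that iptables' multiport match accepts, so a rule such as `--protocol gre --dst-port 0:255` must be rejected at the API instead of reaching `iptables-restore`. The following is an added illustration of that whitelist, not neutron's own code: the protocol-name-to-number table, the exception class names and the `validate_rule`/`iptables_fragment` helpers are assumptions made for this example, and the rendered match fragment is a simplified stand-in for what the real iptables firewall driver emits. It deliberately models only the port-range case; ICMP type/code, which neutron carries in the same port fields, is out of scope here.

```python
"""Added example (not neutron's code): whitelist the protocols for which a
port range is valid, mirroring the restriction iptables-restore enforces for
the multiport match ("multiport only works with TCP, UDP, UDPLITE, SCTP and
DCCP"), so an invalid rule is rejected before it is ever rendered."""

# IANA protocol numbers for the protocols the multiport match accepts.
# This table is an assumption for the example; neutron keeps its own constants.
PORT_PROTOCOLS = {
    "tcp": 6,
    "udp": 17,
    "udplite": 136,
    "sctp": 132,
    "dccp": 33,
}

PORT_MAX = 65535


class InvalidProtocolForPort(ValueError):
    """Raised when a port range is combined with a protocol that has no ports."""


class InvalidPortRange(ValueError):
    """Raised when the port range itself is malformed."""


def normalize_protocol(protocol):
    """Return a canonical lowercase protocol name.

    A numeric protocol ('6' or 6) that maps to a port-bearing protocol is
    translated to its name so the whitelist check is the same either way;
    anything else is returned as a lowercase string, or None if unset.
    """
    if protocol is None:
        return None
    proto = str(protocol).strip().lower()
    if proto.isdigit():
        number = int(proto)
        for name, num in PORT_PROTOCOLS.items():
            if num == number:
                return name
    return proto


def validate_rule(protocol, port_range_min=None, port_range_max=None):
    """Validate a security group rule the way the fix requires.

    Returns the normalized protocol name. Raises InvalidProtocolForPort when a
    port range is given for a protocol outside PORT_PROTOCOLS (e.g. gre or 47),
    and InvalidPortRange when the range is not 0 <= min <= max <= 65535.
    """
    proto = normalize_protocol(protocol)
    has_ports = port_range_min is not None or port_range_max is not None
    if not has_ports:
        return proto
    if proto not in PORT_PROTOCOLS:
        raise InvalidProtocolForPort(
            "Port range is only allowed with protocols %s, got %r"
            % (", ".join(sorted(PORT_PROTOCOLS)), protocol))
    # A single unset end of the range defaults to the other end.
    lo = port_range_min if port_range_min is not None else port_range_max
    hi = port_range_max if port_range_max is not None else port_range_min
    if not (0 <= lo <= hi <= PORT_MAX):
        raise InvalidPortRange("Invalid port range %r:%r" % (lo, hi))
    return proto


def rule_is_valid(protocol, port_range_min=None, port_range_max=None):
    """Boolean wrapper around validate_rule, convenient for API handlers."""
    try:
        validate_rule(protocol, port_range_min, port_range_max)
    except ValueError:
        return False
    return True


def iptables_fragment(protocol, port_range_min=None, port_range_max=None):
    """Render the protocol/port part of an iptables rule for a valid rule.

    This is a simplified stand-in for neutron's driver output: a single port
    becomes '--dport N', a range becomes the multiport match that triggered the
    iptables-restore failure when fed a non-port protocol. Validation runs
    first, so an invalid combination never reaches the renderer.
    """
    proto = validate_rule(protocol, port_range_min, port_range_max)
    parts = []
    if proto:
        parts += ["-p", proto]
    if port_range_min is not None or port_range_max is not None:
        lo = port_range_min if port_range_min is not None else port_range_max
        hi = port_range_max if port_range_max is not None else port_range_min
        if lo == hi:
            parts += ["--dport", str(lo)]
        else:
            parts += ["-m", "multiport", "--dports", "%d:%d" % (lo, hi)]
    return " ".join(parts)
```

Used against the reproducer from the test case, `validate_rule("gre", 0, 255)` raises `InvalidProtocolForPort` and nothing is rendered, whereas the same rule without a port range is accepted and yields `-p gre`. Numeric protocols are handled too: `"6"` normalizes to `tcp` and passes, while `"47"` (GRE by number) with a port range is rejected just like the name.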
Changed in cloud-archive: status: New → Fix Released; description: updated
The web UI seems to handle this, but the API doesn't.