Invalid documented security group rule protocol "any"

Bug #2074056 reported by Pierre Prinetti
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | In Progress | Low | Brian Haley | |

Bug Description

The Networking API specification v2.0 for security group rule creation[1] states that:

> The string any (or integer 0) means all IP protocols.

However, attempting to create a security group rule with protocol "any" results in a 400 Bad Request:

```
curl -g -i -X POST \
        'https://neutron.example:13696/v2.0/security-group-rules' \
        -H "Content-Type: application/json" \
        -H "X-Auth-Token: valid-token" \
        -d '{"security_group_rule": {"ethertype": "IPv4", "security_group_id": "f2746bac-1c1f-42b6-8791-fc1b1448fa0e", "remote_ip_prefix": "0.0.0.0/0", "direction": "ingress", "protocol": "any"}}'

HTTP/1.1 400 Bad Request
content-type: application/json
content-length: 450
x-openstack-request-id: req-a2d167b4-5d7f-4bf3-9c60-7823b2122efc
date: Thu, 25 Jul 2024 08:11:49 GMT

{"NeutronError": {"type": "SecurityGroupRuleInvalidProtocol", "message": "Security group rule protocol any not supported. Only protocol values [None, 'ah', 'dccp', 'egp', 'esp', 'gre', 'hopopt', 'icmp', 'igmp', 'ip', 'ipip', 'ipv6-encap', 'ipv6-frag', 'ipv6-icmp', 'icmpv6', 'ipv6-nonxt', 'ipv6-opts', 'ipv6-route', 'ospf', 'pgm', 'rsvp', 'sctp', 'tcp', 'udp', 'udplite', 'vrrp'] and integer representations [0 to 255] are supported.", "detail": ""}}
```

Tested on RHOSP 17.1, which is based on Wallaby according to its docs[2].

There appear to be multiple ways to create security group rules that apply regardless of the protocol:
- protocol value set to number zero or string zero: `"protocol": 0` `"protocol": "0"`
- protocol value set to null or unset: `"protocol": null`
- protocol value set to the empty string: `"protocol": ""`

I have grouped them by how they conflict. In other words: you can have a security group containing three of these rules (zero, null, empty) that won't conflict with each other at creation.

My questions:
- These three "protocol" values are stored differently. Do they behave exactly the same?
- Is there a preferred way to create a rule that applies to any protocol?
- Is the documentation effectively wrong about the value "any", or am I missing something?

Thank you.

[1]: https://docs.openstack.org/api-ref/network/v2/#create-security-group-rule
[2]: https://docs.redhat.com/en/documentation/red_hat_openstack_platform/17.1/html/release_notes/chap-introduction#about-this-release_relnotes-intro

no longer affects: ansible-collections-openstack
description: updated
description: updated
tags: added: doc
tags: added: low-hanging-fruit
Changed in neutron:
importance: Undecided → Low
Brian Haley (brian-haley) wrote :

The openstackclient supports the value of 'any' for the protocol, but it changes it to 'None' for the call.

The API supports both None and 0 for the protocol, and I believe the backend implementations should treat them the same.

Although not on the API page, 'ip' is a valid protocol that maps to '0' (essentially all IP* traffic) and should work as well.

So this just looks like a documentation problem, as I'm not sure we want to accept 'any' in the API, but if we did, we can probably add it to IP_PROTOCOL_NAME_ALIASES.

Changed in neutron:
assignee: nobody → Brian Haley (brian-haley)
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/926498

Changed in neutron:
status: Confirmed → In Progress
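
As an added example (not from the report and not Neutron code), a short audit for the situation the reporter describes: rules in one security group that cover the same scope and differ only in how the all-protocols value is spelled. It assumes, following the comment above, that null, the empty string, 0 and 'ip' are equivalent; the sample rules and rule ids are constructed.

```python
# Added example, not Neutron code. Rule fields follow the JSON in the report.
from collections import defaultdict

# Stored spellings the thread describes as "all IP protocols". Treating them
# as equivalent is an assumption based on the comment, not a verified fact.
WILDCARD_PROTOCOLS = {None, "", 0, "0", "ip"}


def is_wildcard(protocol):
    """True when a stored protocol value is one of the wildcard spellings."""
    if isinstance(protocol, bool):
        return False
    if isinstance(protocol, str):
        protocol = protocol.strip().lower()
    return protocol in WILDCARD_PROTOCOLS


def redundant_wildcards(rules):
    """Map (group, direction, ethertype, remote) -> ids of wildcard rules
    that differ only in how the protocol is spelled."""
    groups = defaultdict(list)
    for rule in rules:
        if not is_wildcard(rule.get("protocol")):
            continue
        key = (rule["security_group_id"], rule["direction"], rule["ethertype"],
               rule.get("remote_ip_prefix"), rule.get("remote_group_id"))
        groups[key].append(rule["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


# Constructed sample: the shape of GET /v2.0/security-group-rules output,
# trimmed to the fields used here. Rule ids are made up.
SG = "f2746bac-1c1f-42b6-8791-fc1b1448fa0e"
BASE = {"security_group_id": SG, "direction": "ingress", "ethertype": "IPv4",
        "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None}
SAMPLE_RULES = [
    {**BASE, "id": "rule-null", "protocol": None},
    {**BASE, "id": "rule-zero", "protocol": "0"},
    {**BASE, "id": "rule-empty", "protocol": ""},
    {**BASE, "id": "rule-tcp", "protocol": "tcp"},
    {**BASE, "id": "rule-egress", "direction": "egress", "protocol": None},
]

if __name__ == "__main__":
    for key, ids in redundant_wildcards(SAMPLE_RULES).items():
        print("same scope, protocol spelled differently:", key, ids)
```

Run against a real rule listing, each reported group is a candidate for cleanup: deleting one of the rules does not close the access while its differently spelled twins remain.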