SG rule should not allow an ICMP Policy when icmp-code alone is provided.

Bug #1301838 reported by Sridhar Gaddam
Affects    Status        Importance  Assigned to      Milestone
neutron    Fix Released  High        Sridhar Gaddam
Icehouse   New           Undecided   Unassigned

Bug Description

When we add a Security Group ICMP rule with icmp-type/code, the rule gets added properly and it translates to an appropriate firewall policy.

It was noticed that when adding a security group rule without providing the icmp-type (port-range-min) and only providing the icmp-code (port-range-max), no error is reported, but there is a mismatch with the iptables rule (a generic icmp policy gets added).

Example:
neutron --debug security-group-rule-create 4b3a5866-8cdd-4e15-b51b-9523ede2f6f8 --protocol icmp --direction ingress --ethertype ipv4 --port-range-max 4

translates to an iptables rule like
-A neutron-openvswi-i49e920d5-c -p icmp -j RETURN

The Security Group rules listing in Horizon/neutron-client displays the icmp rule with port-range as None-<icmp-code>.
This could be misleading and is inconsistent.
It would be good if validation is done on the input to check that "--port-range-max" is passed when "--port-range-min" is provided, so that SG rules are consistent with the iptables rules that are added.

Please note: iptables does not allow us to add an icmp rule when an icmp-type is not provided and only icmp-code is provided.

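To make the mismatch in the report concrete, here is an added example (my own illustration, not neutron's code and not the merged patch) of the two pieces involved: the input validation the bug asks for, and the iptables match a security-group ICMP rule maps to. It relies only on what the report states: neutron reuses port_range_min as the ICMP type and port_range_max as the ICMP code, and iptables cannot express a code without a type. The function names (validate_icmp_rule, is_valid_icmp_rule, rule_to_iptables), the InvalidIcmpRule exception and the validate flag are assumptions made for this example; the chain name is the one from the report.

```python
"""Added example (not neutron's own code): validate an SG ICMP rule and show
the iptables match it would produce, including the degraded case from the
bug report where only an ICMP code is given.

Convention taken from the report: for protocol 'icmp', port_range_min is the
ICMP type and port_range_max is the ICMP code.
"""


class InvalidIcmpRule(ValueError):
    """Raised when an ICMP rule cannot be expressed as an iptables match."""


def validate_icmp_rule(rule):
    """Return the rule unchanged if consistent, else raise InvalidIcmpRule.

    Non-ICMP rules are passed through untouched; the type/code semantics of
    port_range_min/max only apply to ICMP.
    """
    if rule.get("protocol") != "icmp":
        return rule
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    # The check this bug asks for: a code is meaningless without a type.
    if icmp_type is None and icmp_code is not None:
        raise InvalidIcmpRule(
            "ICMP code %r given without an ICMP type" % (icmp_code,))
    # Both fields ride in an 8-bit ICMP header field (0..255).
    for name, value in (("type", icmp_type), ("code", icmp_code)):
        if value is not None and not 0 <= value <= 255:
            raise InvalidIcmpRule(
                "ICMP %s %r out of range 0..255" % (name, value))
    return rule


def is_valid_icmp_rule(rule):
    """Boolean wrapper around validate_icmp_rule for callers that don't
    want to handle the exception."""
    try:
        validate_icmp_rule(rule)
    except InvalidIcmpRule:
        return False
    return True


def icmp_match(rule):
    """iptables match fragment for an ICMP rule ('' when no type is set).

    Mirrors the behaviour observed in the report: with no type there is
    nothing for --icmp-type to match on, so the rule degrades to a generic
    ICMP policy.  A code alone is silently dropped here, which is exactly
    the mismatch the validation above prevents.
    """
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    if icmp_type is None:
        return ""
    if icmp_code is None:
        return " --icmp-type %d" % icmp_type
    return " --icmp-type %d/%d" % (icmp_type, icmp_code)


def rule_to_iptables(rule, chain, validate=True):
    """Render an ingress ICMP SG rule as an iptables rule for `chain`.

    validate=False reproduces the pre-fix behaviour from the report;
    validate=True rejects a code-only rule before anything is rendered.
    (IPv4 only; ICMPv6 rendering under ip6tables is out of scope here.)
    """
    if validate:
        validate_icmp_rule(rule)
    return "-A %s -p icmp%s -j RETURN" % (chain, icmp_match(rule))


# Constructed sample rules (not real neutron objects).
CHAIN = "neutron-openvswi-i49e920d5-c"
CODE_ONLY = {"protocol": "icmp", "ethertype": "IPv4",
             "port_range_min": None, "port_range_max": 4}
ECHO_REQUEST = {"protocol": "icmp", "ethertype": "IPv4",
                "port_range_min": 8, "port_range_max": 0}

if __name__ == "__main__":
    # The report's rule, rendered as neutron did before the fix:
    print(rule_to_iptables(CODE_ONLY, CHAIN, validate=False))
    # The same rule with validation on:
    print(is_valid_icmp_rule(CODE_ONLY))
    # A well-formed type/code rule:
    print(rule_to_iptables(ECHO_REQUEST, CHAIN))
```

Run as a script it prints the generic `-p icmp -j RETURN` line from the report for the code-only rule, `False` for the validation of that rule, and `--icmp-type 8/0` for the echo-request rule. The point of the validate flag is only to show both behaviours side by side; in a real API layer the check belongs at rule creation, so the rule is refused with an error rather than stored with a port range that the firewall driver cannot honour.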
Changed in neutron:
assignee: nobody → Sridhar Gaddam (sridhargaddam)
description: updated
description: updated
Changed in neutron:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/85026

description: updated
Changed in neutron:
importance: Undecided → High
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/85026
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7607e3da884551e5c4cfe49de390afbddbb2a9b3
Submitter: Jenkins
Branch: master

commit 7607e3da884551e5c4cfe49de390afbddbb2a9b3
Author: sridhargaddam <email address hidden>
Date: Thu Apr 3 18:30:07 2014 +0530

    Security Group rule validation for ICMP rules

    Currently there is no validation in Security Group rules
    when an ICMP rule is added with icmp code alone. A rule
    is getting added but there is a mismatch between SG rules
    and the corresponding iptables rule that is added.
    This patch does the necessary validation on the input.

    Closes-Bug: #1301838
    Change-Id: I510abac4c426f68ea57c99a5fef3da4058f88797

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → juno-1
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/125917

Sridhar Gaddam (sridhargaddam) wrote :

While adding new test cases in tempest for Security Groups (for ICMP rules), some of the tests were failing in "check-tempest-dsvm-neutron-full-icehouse", as the fix was only available in Juno and not in the IceHouse branch.

Background:
https://review.openstack.org/#/c/94130/12/tempest/api/network/test_security_groups_negative.py

PSB the error message:
Traceback (most recent call last):
  File "tempest/api/network/test_security_groups_negative.py", line 148, in test_create_security_group_rule_with_invalid_ports
    direction='ingress', ethertype=self.ethertype)
  File "/usr/local/lib/python2.7/dist-packages/testtools/testcase.py", line 420, in assertRaises
    self.assertThat(our_callable, matcher)
  File "/usr/local/lib/python2.7/dist-packages/testtools/testcase.py", line 433, in assertThat
    raise mismatch_error
MismatchError: <function _create at 0x90781b8> returned ({'status': '201', 'content-length': '342', 'connection': 'close', 'date': 'Mon, 08 Sep 2014 18:58:49 GMT', 'content-type': 'application/json; charset=UTF-8', 'x-openstack-request-id': 'req-988314e6-6a95-4dad-b4e6-bcfa034655e8'}, {u'security_group_rule': {u'remote_group_id': None, u'direction': u'ingress', u'protocol': u'icmp', u'tenant_id': u'd5654a3b96794dddbac830e5c6312ccc', u'port_range_max': 6, u'security_group_id': u'467633df-5f2e-44ac-815f-0d4b8d6134d8', u'port_range_min': None, u'remote_ip_prefix': None, u'id': u'1395d4a1-fe37-473f-9b2e-7be3b78d59b7', u'ethertype': u'IPv6'}})

So as per the review comments, cherry-picking this patch to the stable/icehouse branch of Neutron so that we can include the associated SG rule ICMP tests in tempest.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/icehouse)

Reviewed: https://review.openstack.org/125917
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=98a2074897ef99a069a6344892610e8ebb29a40d
Submitter: Jenkins
Branch: stable/icehouse

commit 98a2074897ef99a069a6344892610e8ebb29a40d
Author: sridhargaddam <email address hidden>
Date: Thu Apr 3 18:30:07 2014 +0530

    Security Group rule validation for ICMP rules

    Currently there is no validation in Security Group rules
    when an ICMP rule is added with icmp code alone. A rule
    is getting added but there is a mismatch between SG rules
    and the corresponding iptables rule that is added.
    This patch does the necessary validation on the input.

    Closes-Bug: #1301838
    Change-Id: I510abac4c426f68ea57c99a5fef3da4058f88797
    (cherry picked from commit 7607e3da884551e5c4cfe49de390afbddbb2a9b3)

tags: added: in-stable-icehouse
Thierry Carrez (ttx)
Changed in neutron:
milestone: juno-1 → 2014.2