Authorizing ICMP w/o specifying types adds 1-65535/tcp and 1-65536/udp

Bug #946427 reported by Roman Yepishev on 2012-03-04
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: High
Assigned to: Russell Bryant
Milestone: 2012.1

Bug Description


1. euca-add-group test-ports -d "test wrong ports"
2. euca-describe-groups
GROUP roman.yepishev_project test-ports test wrong ports

3. euca-authorize -P icmp -o test-ports test-ports
4. euca-describe-groups

Expected response:
One added entry of
PERMISSION roman.yepishev_project test-ports ALLOWS icmp -1 -1 GRPNAME test-ports

Actual response:
PERMISSION roman.yepishev_project test-ports ALLOWS icmp -1 -1 GRPNAME test-ports
PERMISSION roman.yepishev_project test-ports ALLOWS tcp 1 65535 GRPNAME test-ports
PERMISSION roman.yepishev_project test-ports ALLOWS udp 1 65536 GRPNAME test-ports

Please note that with the udp range 1-65536 the virtual machines are unable to start, since this is an invalid port range.

If -t -1:-1 is used instead, no additional permissions are granted.

Roman Yepishev (rye) on 2012-03-04
affects: glance → nova
Changed in nova:
status: New → Confirmed
importance: Undecided → High
milestone: none → essex-rc1
Changed in nova:
assignee: nobody → Russell Bryant (russellb)
Changed in nova:
status: Confirmed → In Progress
Changed in nova:
assignee: Russell Bryant (russellb) → Vish Ishaya (vishvananda)
Changed in nova:
assignee: Vish Ishaya (vishvananda) → Russell Bryant (russellb)

Submitter: Jenkins
Branch: master

commit ee0bb74cbcf521071965ccd63f8232e8c434229d
Author: Russell Bryant <email address hidden>
Date: Wed Mar 7 15:03:35 2012 -0500

    Fix issues with security group auths without ports.

    Fix bug 946427.

    There was a bug where a security group would get completely opened in
    cases where only icmp, udp, or tcp should be opened. For example, any
    of the following three commands would result in opening everything:

        euca-authorize -P icmp -o test-ports test-ports
        euca-authorize -P tcp -o test-ports test-ports
        euca-authorize -P udp -o test-ports test-ports

    This patch resolves this and these commands now only open the protocol
    that was specified. Unit tests have been added to verify the fix and
    also verify that this only works when a source group is specified.
    While the bug was originally reported against the EC2 API, the same
    updates and similar unit tests have gone in to the equivalent code for
    the OpenStack API.

    Change-Id: I4c87c5f5f4ccee60c6c16da4e659d73ab3f4a34f
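The reproduction steps above and the commit message describe the same defect from both ends: an authorization that names only a protocol and a source group produced rules for icmp, tcp and udp (the udp one with a range a backend cannot apply), and the fix restricts the result to the protocol that was requested. The following Python is an added illustration of that bug class, not code from nova or from the commit: `authorize_buggy` models the output quoted in the report, `authorize_fixed` the intended result, and `port_range_error` and `excess_rules` are hypothetical checks an operator could run over the rules that `euca-describe-groups` returns to catch over-permissive or unapplicable rules. The whole-range default in the fixed path (1-65535 for tcp/udp, -1/-1 for icmp) is an assumption, and the source-group requirement mentioned in the commit message is not modelled.

```python
"""Constructed model of the security-group authorization bug in this report (not nova's code)."""
from dataclasses import dataclass
from typing import List, Optional

MAX_PORT = 65535


@dataclass(frozen=True)
class Rule:
    protocol: str        # "icmp", "tcp" or "udp"
    from_port: int       # port, or icmp type (-1 = any)
    to_port: int         # port, or icmp code (-1 = any)
    source_group: str    # group whose members are allowed to connect


def port_range_error(protocol: str, from_port: int, to_port: int) -> Optional[str]:
    """Return why a firewall backend could not apply this range, or None if it is valid."""
    if protocol == "icmp":
        # icmp carries type/code rather than ports: -1 (any) or 0..255
        ok = -1 <= from_port <= 255 and -1 <= to_port <= 255
        return None if ok else f"invalid icmp type/code {from_port}/{to_port}"
    if protocol not in ("tcp", "udp"):
        return f"unknown protocol {protocol!r}"
    # the udp 1-65536 rule from the report fails here; the report says instances then cannot start
    if not (1 <= from_port <= MAX_PORT and 1 <= to_port <= MAX_PORT):
        return f"{protocol} range {from_port}-{to_port} outside 1-{MAX_PORT}"
    if from_port > to_port:
        return f"{protocol} from_port {from_port} greater than to_port {to_port}"
    return None


def authorize_buggy(protocol: str, from_port: Optional[int], to_port: Optional[int],
                    source_group: str) -> List[Rule]:
    """Models the reported behaviour: omitting the range opened every protocol."""
    if from_port is None and to_port is None:
        return [
            Rule("icmp", -1, -1, source_group),
            Rule("tcp", 1, 65535, source_group),
            Rule("udp", 1, 65536, source_group),   # the invalid range quoted in the report
        ]
    return [Rule(protocol, from_port, to_port, source_group)]


def authorize_fixed(protocol: str, from_port: Optional[int], to_port: Optional[int],
                    source_group: str) -> List[Rule]:
    """Opens only the requested protocol; an omitted range means that protocol's
    whole range (assumed default), and the result is validated before it is stored."""
    if from_port is None and to_port is None:
        from_port, to_port = (-1, -1) if protocol == "icmp" else (1, MAX_PORT)
    err = port_range_error(protocol, from_port, to_port)
    if err:
        raise ValueError(err)
    return [Rule(protocol, from_port, to_port, source_group)]


def excess_rules(requested_protocol: str, rules: List[Rule]) -> List[Rule]:
    """Audit check: every rule for a protocol other than the one requested is an over-grant."""
    return [r for r in rules if r.protocol != requested_protocol]


if __name__ == "__main__":
    # same request as step 3 of the report, run through both models
    for authorize in (authorize_buggy, authorize_fixed):
        rules = authorize("icmp", None, None, "test-ports")
        bad = [port_range_error(r.protocol, r.from_port, r.to_port) for r in rules]
        print(authorize.__name__, [(r.protocol, r.from_port, r.to_port) for r in rules],
              "excess:", len(excess_rules("icmp", rules)), "invalid:", [b for b in bad if b])
```

Running the script shows the buggy model returning three rules with two excess protocols and one invalid range, and the fixed model returning the single icmp -1 -1 rule that the report lists as the expected response.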

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-03-20
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-rc1 → 2012.1