Fair point, although if you had any bad values in the DB I doubt if they would go un-noticed ;-)
Phil
-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Vish Ishaya
Sent: 20 April 2012 04:09
To: Day, Phil
Subject: Re: [Bug 985184] Re: Security groups fail to be set correctly if incorrect case is used for protocol specification
The issue with that solution is it requires a migration to fix any bad data that might already be in the database. I don't have a problem with lowering it on both ends though.
Title:
Security groups fail to be set correctly if incorrect case is used for
protocol specification
Status in OpenStack Compute (Nova):
New
Bug description:
The high level issue is that if a security group rule is specified
with the protocol in uppercase (e.g. TCP instead of tcp) on a system
using the IpTablesFirewallDriver then the security group rules may
fail to be properly applied, leading to security groups that are more
open than specified.
The detail of the issue is as follows (Described from the OSAPI
perspective, but the problem also exists on EC2)
When a security group rule is specified with the protocol in upper case it is validated (contrig/security_groups.py: _rule_args_to_dict() regardless of case but stored in the database in the supplied case:
if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']: raise exception.InvalidIpProtocol(protocol=ip_protocol)
…
values['protocol'] = ip_protocol
When the security group refresh is triggered (virt/firewall.py – instance_rules() the protocol check is case sensitive:
Because the protocol doesn’t match ‘udp’ or ‘tcp’ the protocol part of
the rule is skipped, leading to an incomplete and invalid iptables
command line.
Fair point, although if you had any bad values in the DB I doubt if they would go un-noticed ;-)
Phil
-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Vish Ishaya
Sent: 20 April 2012 04:09
To: Day, Phil
Subject: Re: [Bug 985184] Re: Security groups fail to be set correctly if incorrect case is used for protocol specification
The issue with that solution is it requires a migration to fix any bad data that might already be in the database. I don't have a problem with lowering it on both ends though.
-- /bugs.launchpad .net/bugs/ 985184
You received this bug notification because you are subscribed to the bug report.
https:/
Title:
Security groups fail to be set correctly if incorrect case is used for
protocol specification
Status in OpenStack Compute (Nova):
New
Bug description: lDriver then the security group rules may
The high level issue is that if a security group rule is specified
with the protocol in uppercase (e.g. TCP instead of tcp) on a system
using the IpTablesFirewal
fail to be properly applied, leading to security groups that are more
open than specified.
The detail of the issue is as follows (Described from the OSAPI
perspective, but the problem also exists on EC2)
When a security group rule is specified with the protocol in upper case it is validated (contrig/ security_ groups. py: _rule_args_ to_dict( ) regardless of case but stored in the database in the supplied case:
raise exception. InvalidIpProtoc ol(protocol= ip_protocol)
if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']:
…
values[ 'protocol' ] = ip_protocol
When the security group refresh is triggered (virt/firewall.py – instance_rules() the protocol check is case sensitive:
Because the protocol doesn’t match ‘udp’ or ‘tcp’ the protocol part of
the rule is skipped, leading to an incomplete and invalid iptables
command line.
To manage notifications about this bug go to: /bugs.launchpad .net/nova/ +bug/985184/ +subscriptions
https:/