neutron allows security group rules with invalid cidrs

Bug #1255338 reported by Stephen Ma
This bug affects 3 people
Affects    Status        Importance  Assigned to      Milestone
neutron    Fix Released  Medium      Marios Andreou
Havana     Fix Released  Undecided   Unassigned
Icehouse   New           Undecided   Unassigned

Bug Description

Neutron is allowing security group rules having invalid CIDR values in the "remote_ip_prefix" parameter.

Two examples illustrate the problem:
$ neutron security-group-rule-create --direction ingress --ethertype ipv4 --protocol tcp --port-range-min 28060 --port-range-max 28069 --remote-ip-prefix badprefix e89783db-2c8c-43fd-927d-51ca66841a42
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | bdb49ccd-46d0-4090-902c-29412eed1d25 |
| port_range_max | 28069 |
| port_range_min | 28060 |
| protocol | tcp |
| remote_group_id | |
| remote_ip_prefix | badprefix |
| security_group_id | e89783db-2c8c-43fd-927d-51ca66841a42 |
| tenant_id | e030326f884445a882dc5ac9991fcc76 |
+-------------------+--------------------------------------+

$ neutron security-group-rule-create --direction ingress --ethertype ipv4 --protocol tcp --port-range-min 28060 --port-range-max 28069 --remote-ip-prefix 10.11.12.0/33 e89783db-2c8c-43fd-927d-51ca66841a42
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | 72a7c232-410a-406a-9be0-d7ff9dc56b07 |
| port_range_max | 28069 |
| port_range_min | 28060 |
| protocol | tcp |
| remote_group_id | |
| remote_ip_prefix | 10.11.12.0/33 |
| security_group_id | e89783db-2c8c-43fd-927d-51ca66841a42 |
| tenant_id | e030326f884445a882dc5ac9991fcc76 |
+-------------------+--------------------------------------+

If I were to use the "nova secgroup-rule-add" command instead of the neutron commands, the nova API server returns errors to python-novaclient in both cases.

Stephen Ma (stephen-ma)
description: updated
Changed in neutron:
status: New → Confirmed
assignee: nobody → Marios Andreou (marios-b)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/59212

Changed in neutron:
status: Confirmed → In Progress
Changed in neutron:
importance: Undecided → Medium
milestone: none → icehouse-2
tags: added: sg-fw
Thierry Carrez (ttx)
Changed in neutron:
milestone: icehouse-2 → icehouse-3
Thierry Carrez (ttx)
Changed in neutron:
milestone: icehouse-3 → icehouse-rc1
Changed in neutron:
milestone: icehouse-rc1 → none
Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix proposed to neutron (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/88035

Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix proposed to neutron (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/88057

Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/59212
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=65aa92b0348b7ab8413f359b00825610cdf66607
Submitter: Jenkins
Branch: master

commit 65aa92b0348b7ab8413f359b00825610cdf66607
Author: marios <email address hidden>
Date: Fri Nov 29 18:23:54 2013 +0200

    Validate CIDR given as ip-prefix in security-group-rule-create

    There was no validation for the provided ip prefix. This just adds
    a simple parse using netaddr and explodes with appropriate message.
    Also makes sure ip prefix _is_ cidr (192.168.1.1-->192.168.1.1/32).

    Validation occurs at the attribute level (API model) as well as at
    the db level, where the ethertype is validated against the ip_prefix
    address type.

    Unit test cases added - bad prefix, unmasked prefix and incorrect
    ethertype. Also adds attribute test cases for the added
    convert_ip_prefix_to_cidr method

    Change-Id: I71fb8c887963a122a5bd8cfdda800026c1cd3954
    Closes-Bug: 1255338

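The validation the commit message above describes, written out as an added example; this is not Neutron's code and not from the bug report. It uses Python's standard library ipaddress module rather than netaddr, so it is stricter in one respect that is flagged in a comment (a prefix with host bits set, such as 10.11.12.5/24, is rejected instead of accepted), and the names InvalidIpPrefix, convert_ip_prefix_to_cidr, validate_rule and check_prefix are invented for this illustration. The inputs it runs are constructed: the two prefixes from the bug description, plus the unmasked-prefix and wrong-ethertype cases the commit message's unit tests name.

```python
import ipaddress


class InvalidIpPrefix(ValueError):
    """Raised when remote_ip_prefix cannot be turned into a usable CIDR."""


# Canonical ethertype spelling and the IP version each one implies.
_ETHERTYPES = {"ipv4": ("IPv4", 4), "ipv6": ("IPv6", 6)}


def convert_ip_prefix_to_cidr(ip_prefix):
    """Normalise a remote_ip_prefix to canonical CIDR text (attribute-level check).

    None or "" stays None: the rule then carries no prefix restriction.
    A bare address becomes a host prefix: 192.168.1.1 -> 192.168.1.1/32,
    2001:db8::1 -> 2001:db8::1/128.
    Anything ipaddress cannot parse, including an out-of-range mask such as
    10.11.12.0/33 or the string "badprefix", raises InvalidIpPrefix.
    strict=True (the ipaddress default) also rejects 10.11.12.5/24, whose
    host bits are set, rather than silently zeroing them; that is this
    example's choice, not necessarily what a netaddr-based parser would do.
    """
    if not ip_prefix:
        return None
    try:
        network = ipaddress.ip_network(ip_prefix, strict=True)
    except ValueError as exc:
        raise InvalidIpPrefix("%r: %s" % (ip_prefix, exc))
    return str(network)


def validate_rule(ethertype, ip_prefix):
    """Check that ethertype and remote_ip_prefix agree (db-level check).

    Returns the normalised (ethertype, cidr) pair, or raises InvalidIpPrefix
    when the ethertype is unknown or the prefix is of the other IP version.
    """
    key = str(ethertype).lower()
    if key not in _ETHERTYPES:
        raise InvalidIpPrefix("unknown ethertype %r" % (ethertype,))
    canonical, version = _ETHERTYPES[key]
    cidr = convert_ip_prefix_to_cidr(ip_prefix)
    if cidr is not None and ipaddress.ip_network(cidr).version != version:
        raise InvalidIpPrefix("prefix %s does not match ethertype %s"
                              % (cidr, canonical))
    return canonical, cidr


def check_prefix(ethertype, ip_prefix):
    """Return (accepted, value): the stored CIDR on success, else the reason."""
    try:
        return True, validate_rule(ethertype, ip_prefix)[1]
    except InvalidIpPrefix as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs: the two rejected prefixes from the bug report, then
    # the unmasked-prefix and wrong-ethertype cases the fix's tests describe.
    samples = [
        ("ipv4", "badprefix"),
        ("ipv4", "10.11.12.0/33"),
        ("ipv4", "192.168.1.1"),
        ("ipv6", "192.168.1.0/24"),
        ("ipv6", "2001:db8::/32"),
        ("ipv4", None),
    ]
    for ethertype, prefix in samples:
        print("%-4s %-16s -> %s" % (ethertype, prefix, check_prefix(ethertype, prefix)))
```

The two-layer split mirrors what the commit message describes: the attribute-level converter only cares whether the text is a CIDR at all and canonicalises it, while the rule-level check needs both fields to decide whether an IPv4 prefix is being attached to an IPv6 rule. Keeping the canonical string (host prefixes always carrying /32 or /128) also means the value later handed to the firewall driver is never ambiguous.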
Changed in neutron:
status: In Progress → Fix Committed
Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix proposed to neutron (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/88674

Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to neutron (stable/icehouse)

Reviewed: https://review.openstack.org/88674
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=68a24e5f908412b83ca7c3f2d2d2014678e79570
Submitter: Jenkins
Branch: stable/icehouse

commit 68a24e5f908412b83ca7c3f2d2d2014678e79570
Author: marios <email address hidden>
Date: Fri Nov 29 18:23:54 2013 +0200

    Validate CIDR given as ip-prefix in security-group-rule-create

    There was no validation for the provided ip prefix. This just adds
    a simple parse using netaddr and explodes with appropriate message.
    Also makes sure ip prefix _is_ cidr (192.168.1.1-->192.168.1.1/32).

    Validation occurs at the attribute level (API model) as well as at
    the db level, where the ethertype is validated against the ip_prefix
    address type.

    Unit test cases added - bad prefix, unmasked prefix and incorrect
    ethertype. Also adds attribute test cases for the added
    convert_ip_prefix_to_cidr method

    Closes-Bug: 1255338

    Conflicts:
     neutron/tests/unit/test_security_groups_rpc.py

    Change-Id: I71fb8c887963a122a5bd8cfdda800026c1cd3954
    (cherry picked from commit 65aa92b0348b7ab8413f359b00825610cdf66607)

tags: added: in-stable-icehouse
Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to neutron (stable/havana)

Reviewed: https://review.openstack.org/88057
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=03eed8cd34cd4fb043c11fc99f6bb0b4fbd5728d
Submitter: Jenkins
Branch: stable/havana

commit 03eed8cd34cd4fb043c11fc99f6bb0b4fbd5728d
Author: marios <email address hidden>
Date: Fri Nov 29 18:23:54 2013 +0200

    Validate CIDR given as ip-prefix in security-group-rule-create

    There was no validation for the provided ip prefix. This just adds
    a simple parse using netaddr and explodes with appropriate message.
    Also makes sure ip prefix _is_ cidr (192.168.1.1-->192.168.1.1/32).

    Validation occurs at the attribute level (API model) as well as at
    the db level, where the ethertype is validated against the ip_prefix
    address type.

    Unit test cases added - bad prefix, unmasked prefix and incorrect
    ethertype. Also adds attribute test cases for the added
    convert_ip_prefix_to_cidr method

    Closes-Bug: 1255338

    Conflicts:
     neutron/tests/unit/test_security_groups_rpc.py
     neutron/tests/unit/test_extension_security_group.py

    Change-Id: I71fb8c887963a122a5bd8cfdda800026c1cd3954
    (cherry picked from commit 65aa92b0348b7ab8413f359b00825610cdf66607)

tags: added: in-stable-havana
Kyle Mestery (mestery)
Changed in neutron:
milestone: none → juno-1
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: juno-1 → 2014.2