Neutron is allowing security group rules having invalid CIDR values in the "remote_ip_prefix" parameter.
Two examples illustrate the problem:

$ neutron security-group-rule-create --direction ingress --ethertype ipv4 --protocol tcp --port-range-min 28060 --port-range-max 28069 --remote-ip-prefix badprefix e89783db-2c8c-43fd-927d-51ca66841a42
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| direction         | ingress                              |
| ethertype         | IPv4                                 |
| id                | bdb49ccd-46d0-4090-902c-29412eed1d25 |
| port_range_max    | 28069                                |
| port_range_min    | 28060                                |
| protocol          | tcp                                  |
| remote_group_id   |                                      |
| remote_ip_prefix  | badprefix                            |
| security_group_id | e89783db-2c8c-43fd-927d-51ca66841a42 |
| tenant_id         | e030326f884445a882dc5ac9991fcc76     |
+-------------------+--------------------------------------+

$ neutron security-group-rule-create --direction ingress --ethertype ipv4 --protocol tcp --port-range-min 28060 --port-range-max 28069 --remote-ip-prefix 10.11.12.0/33 e89783db-2c8c-43fd-927d-51ca66841a42
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| direction         | ingress                              |
| ethertype         | IPv4                                 |
| id                | 72a7c232-410a-406a-9be0-d7ff9dc56b07 |
| port_range_max    | 28069                                |
| port_range_min    | 28060                                |
| protocol          | tcp                                  |
| remote_group_id   |                                      |
| remote_ip_prefix  | 10.11.12.0/33                        |
| security_group_id | e89783db-2c8c-43fd-927d-51ca66841a42 |
| tenant_id         | e030326f884445a882dc5ac9991fcc76     |
+-------------------+--------------------------------------+

If I were to use the "nova secgroup-rule-add" instead of the neutron commands, the nova api server returns errors to the python-novaclient for both cases.
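
Added example, not part of the original report and not Neutron's own code: a sketch of the server-side check the report implies is missing, rejecting both inputs shown above before a rule is stored. The function names and the use of Python's standard `ipaddress` module are assumptions made for illustration.

```python
import ipaddress

# Hypothetical helper names; this is an illustration, not Neutron's validator.
_ETHERTYPE_VERSION = {"ipv4": 4, "ipv6": 6}


def validate_remote_ip_prefix(prefix, ethertype):
    """Return the canonical CIDR for a rule, or raise ValueError."""
    version = _ETHERTYPE_VERSION.get(str(ethertype).lower())
    if version is None:
        raise ValueError("unsupported ethertype: %r" % (ethertype,))
    # ip_network() also accepts ints and bytes; an API field must be a string.
    if not isinstance(prefix, str) or not prefix or prefix != prefix.strip():
        raise ValueError("remote_ip_prefix must be a non-empty CIDR string")
    try:
        # strict=False masks off host bits (10.11.12.5/24 -> 10.11.12.0/24)
        # so the stored value matches what the packet filter will enforce.
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError as exc:
        raise ValueError("invalid CIDR %r: %s" % (prefix, exc)) from exc
    # A syntactically valid IPv6 prefix on an IPv4 rule is still a bad rule.
    if net.version != version:
        raise ValueError(
            "CIDR %r is IPv%d but ethertype is %s" % (prefix, net.version, ethertype)
        )
    return str(net)


def check_rules(rules):
    """Map (prefix, ethertype) pairs to ('ok', cidr) or ('rejected', reason)."""
    results = []
    for prefix, ethertype in rules:
        try:
            results.append(("ok", validate_remote_ip_prefix(prefix, ethertype)))
        except ValueError as exc:
            results.append(("rejected", str(exc)))
    return results


# The first two prefixes are the ones from the report; the rest are constructed.
SAMPLE_RULES = [
    ("badprefix", "ipv4"),
    ("10.11.12.0/33", "ipv4"),
    ("10.11.12.5/24", "IPv4"),
    ("2001:db8::/32", "ipv4"),
]

if __name__ == "__main__":
    for rule, outcome in zip(SAMPLE_RULES, check_rules(SAMPLE_RULES)):
        print(rule, "->", outcome)
```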