Bug 1852896 - [Octavia][OSP16.1] Layer 7 Policies and Rules can be created for UDP Listeners
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z9
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: Gregory Thiemonge
QA Contact: Bruna Bonguardo
Reported: 2020-07-01 14:25 UTC by Bruna Bonguardo
Modified: 2022-12-07 20:25 UTC (History)

Fixed In Version: openstack-octavia-5.0.3-1.20220628143400.8c32d2e.el8ost
Last Closed: 2022-12-07 20:24:45 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack Storyboard | 2007911 | 0 | None | None | None | 2020-07-10 14:27:45 UTC
OpenStack gerrit | 740478 | 0 | None | MERGED | Deny the creation of L7Policies for HTTPS/TCP/UDP listeners | 2022-04-27 08:09:10 UTC
OpenStack gerrit | 839492 | 0 | None | MERGED | Deny the creation of L7Policies for HTTPS/TCP/UDP listeners | 2022-06-22 06:55:27 UTC
Red Hat Issue Tracker | OSP-11807 | 0 | None | None | None | 2021-12-13 13:25:13 UTC
Red Hat Product Errata | RHBA-2022:8795 | 0 | None | None | None | 2022-12-07 20:25:20 UTC

Description Bruna Bonguardo 2020-07-01 14:25:06 UTC
Description of problem:
Octavia Layer 7 Policies and Policy rules can be created, although they shouldn't be able to be created, because UDP is a layer 4 protocol.

Version-Release number of selected component (if applicable):
$ cat /var/lib/rhos-release/latest-installed
16.1-trunk  -p RHOS-16.1-RHEL-8-20200625.n.0


How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP 16.1 in HA
2. Create UDP load balancer:
openstack loadbalancer create --name udp-lb --vip-subnet-id subnet_ipv4_1
3. Create UDP listener:
openstack loadbalancer listener create --name udp-listener --protocol UDP --protocol-port 12345 udp-lb
4. Create a L7 policy and connect it to the listener:
openstack loadbalancer l7policy create --action REDIRECT_TO_URL --redirect-url https://www.example.com/ --name policy1 udp-listener
5. Create a L7 rule and connect it to the L7 policy:
openstack loadbalancer l7rule create --compare-type EQUAL_TO --type HOST_NAME --value www2.example.com policy1


Actual results:
L7 policy and rule are created successfully:
(tester) [stack@undercloud-0 ~]$ openstack loadbalancer l7policy create --action REDIRECT_TO_URL --redirect-url https://www.example.com/ --name policy1 udp-listener
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| listener_id         | 66e7b6d4-b2c3-46d2-88b3-860d747fcffe |
| description         |                                      |
| admin_state_up      | True                                 |
| rules               |                                      |
| project_id          | 2c893b4070ae4a4ea54bfce5ffb45e02     |
| created_at          | 2020-07-01T10:04:57                  |
| provisioning_status | PENDING_CREATE                       |
| updated_at          | None                                 |
| redirect_pool_id    | None                                 |
| redirect_url        | https://www.example.com/             |
| redirect_prefix     | None                                 |
| action              | REDIRECT_TO_URL                      |
| position            | 1                                    |
| id                  | 7d44928b-9a6c-43ae-804e-42a8acf71e74 |
| operating_status    | OFFLINE                              |
| name                | policy1                              |
| redirect_http_code  | 302                                  |
+---------------------+--------------------------------------+
(tester) [stack@undercloud-0 ~]$ openstack loadbalancer l7policy list
+--------------------------------------+---------+----------------------------------+---------------------+-----------------+----------+----------------+
| id                                   | name    | project_id                       | provisioning_status | action          | position | admin_state_up |
+--------------------------------------+---------+----------------------------------+---------------------+-----------------+----------+----------------+
| 7d44928b-9a6c-43ae-804e-42a8acf71e74 | policy1 | 2c893b4070ae4a4ea54bfce5ffb45e02 | ACTIVE              | REDIRECT_TO_URL |        1 | True           |
+--------------------------------------+---------+----------------------------------+---------------------+-----------------+----------+----------------+
(tester) [stack@undercloud-0 ~]$ openstack loadbalancer l7rule create --compare-type EQUAL_TO --type HOST_NAME --value www2.example.com policy1
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| created_at          | 2020-07-01T10:08:28                  |
| compare_type        | EQUAL_TO                             |
| provisioning_status | PENDING_CREATE                       |
| invert              | False                                |
| admin_state_up      | True                                 |
| updated_at          | None                                 |
| value               | www2.example.com                     |
| key                 | None                                 |
| project_id          | 2c893b4070ae4a4ea54bfce5ffb45e02     |
| type                | HOST_NAME                            |
| id                  | d8eb616a-ff50-4849-a5fa-4037a35117e2 |
| operating_status    | OFFLINE                              |
+---------------------+--------------------------------------+
(tester) [stack@undercloud-0 ~]$ openstack loadbalancer l7policy list
+--------------------------------------+---------+----------------------------------+---------------------+-----------------+----------+----------------+
| id                                   | name    | project_id                       | provisioning_status | action          | position | admin_state_up |
+--------------------------------------+---------+----------------------------------+---------------------+-----------------+----------+----------------+
| 7d44928b-9a6c-43ae-804e-42a8acf71e74 | policy1 | 2c893b4070ae4a4ea54bfce5ffb45e02 | ACTIVE              | REDIRECT_TO_URL |        1 | True           |
+--------------------------------------+---------+----------------------------------+---------------------+-----------------+----------+----------------+
(tester) [stack@undercloud-0 ~]$ openstack loadbalancer l7rule list policy1
+--------------------------------------+----------------------------------+---------------------+--------------+-----------+------+------------------+--------+----------------+
| id                                   | project_id                       | provisioning_status | compare_type | type      | key  | value            | invert | admin_state_up |
+--------------------------------------+----------------------------------+---------------------+--------------+-----------+------+------------------+--------+----------------+
| d8eb616a-ff50-4849-a5fa-4037a35117e2 | 2c893b4070ae4a4ea54bfce5ffb45e02 | ACTIVE              | EQUAL_TO     | HOST_NAME | None | www2.example.com | False  | True           |
+--------------------------------------+----------------------------------+---------------------+--------------+-----------+------+------------------+--------+----------------+


Listener info:

(tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener show udp-listener
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| admin_state_up              | True                                 |
| connection_limit            | -1                                   |
| created_at                  | 2020-07-01T08:47:41                  |
| default_pool_id             | df8820b0-c641-41c6-914c-e69826ed7934 |
| default_tls_container_ref   | None                                 |
| description                 |                                      |
| id                          | 66e7b6d4-b2c3-46d2-88b3-860d747fcffe |
| insert_headers              | None                                 |
| l7policies                  | 7d44928b-9a6c-43ae-804e-42a8acf71e74 |
| loadbalancers               | 259d9154-2aa0-4548-9fa9-c80df498926e |
| name                        | udp-listener                         |
| operating_status            | ONLINE                               |
| project_id                  | 2c893b4070ae4a4ea54bfce5ffb45e02     |
| protocol                    | UDP                                  |
| protocol_port               | 12345                                |
| provisioning_status         | ACTIVE                               |
| sni_container_refs          | []                                   |
| timeout_client_data         | 50000                                |
| timeout_member_connect      | 5000                                 |
| timeout_member_data         | 50000                                |
| timeout_tcp_inspect         | 0                                    |
| updated_at                  | 2020-07-01T10:08:30                  |
| client_ca_tls_container_ref | None                                 |
| client_authentication       | NONE                                 |
| client_crl_container_ref    | None                                 |
| allowed_cidrs               | None                                 |
+-----------------------------+--------------------------------------+


Expected results:
An error message of this kind should be seen: "Cannot create a L7 policy/rule for a UDP/Layer4 protocol".
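
The check this report asks for, sketched as an added example (not Octavia's code or the merged fix): an allowlist refuses L7 policy creation for any listener protocol not known to expose HTTP content, and an audit pass flags policies that were attached before the fix was installed. The allowlist contents, the function names and the non-UUID sample IDs are assumptions.

```python
# Added illustration, not Octavia source: fail-closed protocol check for L7 policies.

# Assumption: only these listener protocols let the load balancer see HTTP content.
L7_CAPABLE_PROTOCOLS = frozenset({"HTTP", "TERMINATED_HTTPS"})


class L7PolicyRejected(ValueError):
    """An L7 policy was requested for a listener that cannot inspect layer 7."""


def validate_l7policy_create(listener: dict) -> None:
    """Refuse the request unless the protocol is allowlisted (a missing or
    unknown protocol is refused too, so new protocols fail closed)."""
    protocol = str(listener.get("protocol") or "").upper()
    if protocol not in L7_CAPABLE_PROTOCOLS:
        raise L7PolicyRejected(
            f"Cannot create an L7 policy for listener "
            f"{listener.get('id', '<unknown>')}: protocol "
            f"{protocol or '<missing>'} does not support layer 7 policies"
        )


def audit_listeners(listeners: list) -> list:
    """Return (listener_id, protocol, policy_ids) for every listener that
    already carries policies the check above would have refused."""
    findings = []
    for listener in listeners:
        policies = listener.get("l7policies") or []
        if isinstance(policies, str):  # CLI tables join the ids into one string
            policies = policies.split()
        try:
            validate_l7policy_create(listener)
        except L7PolicyRejected:
            if policies:
                findings.append((listener.get("id"), listener.get("protocol"), policies))
    return findings


# Constructed sample; the first entry reuses the IDs shown in the report.
SAMPLE_LISTENERS = [
    {"id": "66e7b6d4-b2c3-46d2-88b3-860d747fcffe", "protocol": "UDP",
     "l7policies": "7d44928b-9a6c-43ae-804e-42a8acf71e74"},
    {"id": "constructed-http-listener", "protocol": "HTTP",
     "l7policies": ["constructed-policy-1"]},
    {"id": "constructed-tcp-listener", "protocol": "TCP", "l7policies": []},
]

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_LISTENERS):
        print(finding)
```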

Comment 3 Gregory Thiemonge 2022-04-27 08:20:23 UTC
Backport proposed to stable/train

Comment 12 errata-xmlrpc 2022-12-07 20:24:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.9 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8795