Bug 978354 - port range validation is wrong for icmp security group rule
Status: CLOSED CURRENTRELEASE
Product: RDO
Classification: Community
Component: openstack-neutron (Show other bugs)
medium Severity medium
Assigned To: RHOS Maint
Ofer Blaut
Blocks: 981133
Reported: 2013-06-26 08:42 EDT by Etsuji Nakai
Modified: 2016-04-26 16:14 EDT (History)
Fixed In Version: 2013.2-0.3.b2
Doc Type: Bug Fix
Last Closed: 2013-11-13 08:08:27 EST
Type: Bug


Attachments
sample patch (just to indicate the cause of the problem) (1.70 KB, patch), 2013-06-26 08:42 EDT, Etsuji Nakai


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1197769 None None None Never

Description Etsuji Nakai 2013-06-26 08:42:32 EDT
Created attachment 765551
sample patch (just to indicate the cause of the problem)

Description of problem:

You cannot add a security group rule such as:

protocol: icmp
type: 8
code: 0

It causes the following error:

2013-06-26 21:15:47.348 15711 TRACE nova.api.openstack QuantumClientException: For TCP/UDP protocols, port_range_min must be <= port_range_max

I'm using the Horizon dashboard to add the rule, but it would be the same for a direct API operation.


Version-Release number of selected component (if applicable):

# rpm -qa | grep quantum
python-quantumclient-2.2.1-3.fc19.noarch
python-quantum-2013.1.2-1.fc19.noarch
openstack-quantum-openvswitch-2013.1.2-1.fc19.noarch
openstack-quantum-2013.1.2-1.fc19.noarch


Additional info:

The problem lies in _validate_security_group_rules() in quantum/db/securitygroups_db.py

In this function, the following condition is validated.

  rule['port_range_min'] <= rule['port_range_max']

But in the case of an ICMP protocol rule, since rule['port_range_min'] and rule['port_range_max'] correspond to the ICMP type and code, this validation is wrong. Instead, the following condition should be checked.

  if (rule['port_range_min'] >= -1 and
      rule['port_range_min'] <= 255 and
      rule['port_range_max'] >= -1 and
      rule['port_range_max'] <= 255):

See the attachment for my patch, but this is just a quick hack. More fundamental refactoring should be done to handle different protocols separately.
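A minimal model of the check described above, added here as an illustration and not code from Quantum/Neutron or from the attached patch: the dictionary keys mirror the rule fields named in the report, the buggy validator reproduces the rejection of the icmp type 8 / code 0 rule, and the fixed one bounds ICMP type and code to the -1..255 range the report proposes while keeping the ordering check for TCP/UDP only.

```python
# Added illustration, not code from Quantum/Neutron: a minimal model of the
# rule check described in the report. port_range_min / port_range_max carry
# the ICMP type / code when the protocol is icmp.

ERR_ORDER = "For TCP/UDP protocols, port_range_min must be <= port_range_max"


class InvalidRule(Exception):
    pass


def validate_rule_buggy(rule):
    """Reported behaviour: the ordering check runs for every protocol, so an
    ICMP rule with type 8 / code 0 is rejected because 8 > 0."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None and hi is not None and lo > hi:
        raise InvalidRule(ERR_ORDER)
    return True


def validate_rule_fixed(rule):
    """Per-protocol check. For ICMP, type and code are each bounded to the
    -1..255 range proposed in the report and are not ordered against each
    other. TCP/UDP keep the min <= max ordering check."""
    proto = (rule.get("protocol") or "").lower()
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if proto == "icmp":
        for name, val in (("type", lo), ("code", hi)):
            if val is not None and not -1 <= val <= 255:
                raise InvalidRule("ICMP %s %r is not in -1..255" % (name, val))
        if lo is None and hi is not None:  # a code without a type is meaningless
            raise InvalidRule("ICMP code given without a type")
    elif proto in ("tcp", "udp"):
        if lo is not None and hi is not None and lo > hi:
            raise InvalidRule(ERR_ORDER)
    return True


def is_accepted(validator, rule):
    """True if validator accepts the rule, False if it raises InvalidRule."""
    try:
        return validator(rule)
    except InvalidRule:
        return False


# The rule from the report (constructed sample): allow ICMP echo request.
PING_RULE = {"protocol": "icmp", "port_range_min": 8, "port_range_max": 0}

if __name__ == "__main__":
    print("buggy:", is_accepted(validate_rule_buggy, PING_RULE))  # False
    print("fixed:", is_accepted(validate_rule_fixed, PING_RULE))  # True
```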
Comment 1 lpeer 2013-08-21 07:43:21 EDT
A mitigation for this issue is to open ALL ICMP type range (set min==max==0).

A more granular configuration, like enabling only ping (type-8), is not supported in the Havana code base.
Comment 2 Jakub Libosvar 2013-11-13 08:08:27 EST
Fixed upstream in July: https://review.openstack.org/#/c/35736/
