Red Hat Bugzilla – Bug 978354
port range validation is wrong for icmp security group rule
Last modified: 2016-04-26 16:14:11 EDT
Created attachment 765551
sample patch (just to indicate the cause of the problem)
Description of problem:
You cannot add a security group rule such as:
It causes the following error:
2013-06-26 21:15:47.348 15711 TRACE nova.api.openstack QuantumClientException: For TCP/UDP protocols, port_range_min must be <= port_range_max
I'm using the Horizon dashboard to add the rule, but it would be the same for a direct API operation.
Version-Release number of selected component (if applicable):
# rpm -qa | grep quantum
The problem lies in _validate_security_group_rules() in quantum/db/securitygroups_db.py.
In this function, the following condition is validated.
rule['port_range_min'] <= rule['port_range_max']
But in the case of an ICMP protocol rule, since rule['port_range_min'] and rule['port_range_max'] correspond to the ICMP type and code, this validation is wrong. Instead, the following condition should be checked.
if (rule['port_range_min'] >= -1 and
        rule['port_range_min'] <= 255 and
        rule['port_range_max'] >= -1 and
        rule['port_range_max'] <= 255):
See the attachment for my patch, but this is just a quick hack. More fundamental refactoring should be done to handle different protocols separately.
A mitigation for this issue is to open the whole ICMP type range (set min==max==0).
A more granular configuration, like enabling only ping (type-8), is not supported in the Havana code base.
Fixed upstream in July https://review.openstack.org/#/c/35736/
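The validation defect described in the report, shown as an added example (not the reporter's attached patch and not Quantum's own code): a protocol-agnostic check next to one that handles TCP/UDP and ICMP separately, as the report recommends. The function names, the InvalidRule class, the sample rules and the 0..65535 TCP/UDP port bound are assumptions made for this example.

```python
# Added example, not code from the bug report or from Quantum. Rule dicts use
# the API field names (protocol, port_range_min, port_range_max); everything
# else here is constructed for illustration.

class InvalidRule(ValueError):
    """Raised when a security group rule fails validation (constructed)."""

def validate_ports_buggy(rule):
    # Behaviour described in the report: one min <= max check applied to every
    # protocol, so an ICMP rule whose type is larger than its code is rejected.
    lo, hi = rule.get('port_range_min'), rule.get('port_range_max')
    if lo is not None and hi is not None and lo > hi:
        raise InvalidRule('For TCP/UDP protocols, port_range_min must be <= port_range_max')
    return True

def validate_ports_fixed(rule):
    # Protocol-aware version: the two fields mean a port range for TCP/UDP but
    # an ICMP type and code for ICMP, so each protocol gets its own bounds.
    proto = (rule.get('protocol') or '').lower()
    lo, hi = rule.get('port_range_min'), rule.get('port_range_max')
    if proto in ('tcp', 'udp'):
        for v in (lo, hi):  # 0..65535 is an assumed bound for this example
            if v is not None and not 0 <= v <= 65535:
                raise InvalidRule('TCP/UDP ports must be in 0..65535')
        if lo is not None and hi is not None and lo > hi:
            raise InvalidRule('For TCP/UDP protocols, port_range_min must be <= port_range_max')
    elif proto == 'icmp':
        # Range from the report: -1 is the "any" wildcard, 255 the 8-bit maximum;
        # no ordering relation exists between type and code.
        for v in (lo, hi):
            if v is not None and not -1 <= v <= 255:
                raise InvalidRule('ICMP type and code must be in -1..255')
    elif lo is not None or hi is not None:
        raise InvalidRule('port_range_min/max only apply to tcp, udp or icmp')
    return True

def accepts(validator, rule):
    """Return True if validator admits rule, False if it raises InvalidRule."""
    try:
        return validator(rule)
    except InvalidRule:
        return False

# Constructed sample rules: ICMP echo request type (8) with any code (-1),
# a valid TCP range, and an inverted TCP range that both versions must reject.
ICMP_PING_ANY_CODE = {'protocol': 'icmp', 'port_range_min': 8, 'port_range_max': -1}
TCP_WEB = {'protocol': 'tcp', 'port_range_min': 80, 'port_range_max': 443}
TCP_INVERTED = {'protocol': 'tcp', 'port_range_min': 443, 'port_range_max': 80}
```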