Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/

Bug 978354

Summary: port range validation is wrong for icmp security group rule
Product: [Community] RDO
Reporter: Etsuji Nakai <enakai>
Component: openstack-neutron
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: Ofer Blaut <oblaut>
Severity: medium
Priority: medium
Version: unspecified
CC: chrisw, jkt, jlibosva, lpeer
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 2013.2-0.3.b2
Doc Type: Bug Fix
Story Points: ---
Clone Of:
981133 (view as bug list)
Last Closed: 2013-11-13 13:08:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 981133
Attachments:
sample patch (just to indicate the cause of the problem) (flags: none)

Description Etsuji Nakai 2013-06-26 12:42:32 UTC
Created attachment 765551 [details]
sample patch (just to indicate the cause of the problem)

Description of problem:

You cannot add a security group rule such as:

protocol: icmp
type: 8
code: 0

It causes the following error:

2013-06-26 21:15:47.348 15711 TRACE nova.api.openstack QuantumClientException: For TCP/UDP protocols, port_range_min must be <= port_range_max

I'm using the Horizon dashboard to add the rule, but it would be the same for a direct API operation.


Version-Release number of selected component (if applicable):

# rpm -qa | grep quantum
python-quantumclient-2.2.1-3.fc19.noarch
python-quantum-2013.1.2-1.fc19.noarch
openstack-quantum-openvswitch-2013.1.2-1.fc19.noarch
openstack-quantum-2013.1.2-1.fc19.noarch


Additional info:

The problem lies in _validate_security_group_rules() in quantum/db/securitygroups_db.py

In this function, the following condition is validated.

  rule['port_range_min'] <= rule['port_range_max']

But in the case of an ICMP protocol rule, since rule['port_range_min'] and rule['port_range_max'] correspond to the ICMP type and code, this validation is wrong. Instead, the following condition should be checked.

  if (rule['port_range_min'] >= -1 and
      rule['port_range_min'] <= 255 and
      rule['port_range_max'] >= -1 and
      rule['port_range_max'] <= 255):

See the attachment for my patch, but this is just a quick hack. More fundamental refactoring should be done to handle different protocols separately.

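The validation problem described above, as an added example that is not part of the bug report, of neutron's code or of the attached patch: a stand-alone Python validator that applies the single TCP/UDP-style comparison to every protocol (the behaviour the report complains about) beside a per-protocol version that checks L4 port ranges for TCP/UDP and the ICMP type/code range of -1..255 from the snippet above for ICMP. The function names, the InvalidRule exception, the check() helper, the 1..65535 port bound and the sample rules are assumptions of this example.

```python
# Added example (not neutron's own code): a per-protocol validator for
# security group rules, built from the behaviour described in this report.
# Function names, the InvalidRule exception and the sample rules are
# assumptions of this example, not neutron's API.


class InvalidRule(ValueError):
    """A security group rule that must be rejected."""


def _range(rule):
    return rule.get("port_range_min"), rule.get("port_range_max")


def validate_rule_buggy(rule):
    """The check the report complains about: one TCP/UDP-style comparison
    applied regardless of protocol, so an ICMP type-8/code-0 rule fails
    because 8 > 0, while an out-of-range ICMP code can slip through."""
    lo, hi = _range(rule)
    if lo is None and hi is None:
        return True
    if lo is None or hi is None or lo > hi:
        raise InvalidRule("For TCP/UDP protocols, port_range_min must be "
                          "<= port_range_max")
    return True


def validate_rule(rule):
    """Validate port_range_min/port_range_max according to the protocol.

    TCP/UDP: both ends are L4 ports, 1..65535, and min <= max.
    ICMP:    min is the ICMP type and max the ICMP code; each must lie in
             -1..255 (the range from the sample patch in the report).
    """
    proto = (rule.get("protocol") or "").lower()
    lo, hi = _range(rule)
    if lo is None and hi is None:
        return True  # no range given: nothing to check
    if not proto:
        raise InvalidRule("a port range or ICMP type/code requires a protocol")
    if proto in ("tcp", "udp"):
        if lo is None or hi is None:
            raise InvalidRule("TCP/UDP rules need both port_range_min and "
                              "port_range_max")
        for name, v in (("port_range_min", lo), ("port_range_max", hi)):
            if not 1 <= v <= 65535:
                raise InvalidRule(f"{name}={v} is not a valid port")
        if lo > hi:
            raise InvalidRule("For TCP/UDP protocols, port_range_min must be "
                              "<= port_range_max")
        return True
    if proto == "icmp":
        for name, v in (("ICMP type", lo), ("ICMP code", hi)):
            if v is not None and not -1 <= v <= 255:
                raise InvalidRule(f"{name}={v} must be between -1 and 255")
        if lo is None and hi is not None:
            raise InvalidRule("an ICMP code without an ICMP type is ambiguous")
        return True
    raise InvalidRule(f"unsupported protocol {proto!r}")


def check(validator, rule):
    """Return None if the rule is accepted, else the rejection message."""
    try:
        validator(rule)
        return None
    except InvalidRule as exc:
        return str(exc)


# Constructed sample rules; the first is the ping rule from the report.
PING_RULE = {"protocol": "icmp", "port_range_min": 8, "port_range_max": 0}
ANY_ICMP_RULE = {"protocol": "icmp", "port_range_min": -1, "port_range_max": -1}
SSH_RULE = {"protocol": "tcp", "port_range_min": 22, "port_range_max": 22}
BAD_TCP_RULE = {"protocol": "tcp", "port_range_min": 443, "port_range_max": 80}
BAD_ICMP_RULE = {"protocol": "icmp", "port_range_min": 0, "port_range_max": 300}


if __name__ == "__main__":
    for rule in (PING_RULE, ANY_ICMP_RULE, SSH_RULE, BAD_TCP_RULE, BAD_ICMP_RULE):
        print(rule)
        print("  buggy:", check(validate_rule_buggy, rule) or "accepted")
        print("  fixed:", check(validate_rule, rule) or "accepted")
```

Running the block shows the two sides of the defect: the single comparison rejects the legitimate ping rule (type 8, code 0) with the very message from the trace above, and at the same time accepts an ICMP code of 300 because 0 <= 300 holds. Branching on the protocol first is what makes both the rejection and the acceptance correct.
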
Comment 1 lpeer 2013-08-21 11:43:21 UTC
A mitigation for this issue is to open ALL ICMP type range (set min==max==0).

A more granular configuration, like enabling only ping (type-8), is not supported in the Havana code base.

Comment 2 Jakub Libosvar 2013-11-13 13:08:27 UTC
Fixed upstream in July https://review.openstack.org/#/c/35736/