Bug 978354 - port range validation is wrong for icmp security group rule
Summary: port range validation is wrong for icmp security group rule
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-neutron
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: RHOS Maint
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks: 981133
 
Reported: 2013-06-26 12:42 UTC by Etsuji Nakai
Modified: 2016-04-26 20:14 UTC (History)

Fixed In Version: 2013.2-0.3.b2
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 981133 (view as bug list)
Environment:
Last Closed: 2013-11-13 13:08:27 UTC
Embargoed:


Attachments (Terms of Use)
sample patch (just to indicate the cause of the problem) (1.70 KB, patch)
2013-06-26 12:42 UTC, Etsuji Nakai


Links:
Launchpad 1197769

Description Etsuji Nakai 2013-06-26 12:42:32 UTC
Created attachment 765551
sample patch (just to indicate the cause of the problem)

Description of problem:

You cannot add a security group rule such as:

protocol: icmp
type: 8
code: 0

It causes the following error:

2013-06-26 21:15:47.348 15711 TRACE nova.api.openstack QuantumClientException: For TCP/UDP protocols, port_range_min must be <= port_range_max

I'm using the Horizon dashboard to add the rule, but it would be the same for a direct API operation.


Version-Release number of selected component (if applicable):

# rpm -qa | grep quantum
python-quantumclient-2.2.1-3.fc19.noarch
python-quantum-2013.1.2-1.fc19.noarch
openstack-quantum-openvswitch-2013.1.2-1.fc19.noarch
openstack-quantum-2013.1.2-1.fc19.noarch


Additional info:

The problem lies in _validate_security_group_rules() in quantum/db/securitygroups_db.py

In this function, the following condition is validated.

  rule['port_range_min'] <= rule['port_range_max']

But in the case of an ICMP protocol rule, since rule['port_range_min'] and rule['port_range_max'] correspond to the ICMP type and code, this validation is wrong. Instead, the following condition should be checked.

  if (rule['port_range_min'] >= -1 and
      rule['port_range_min'] <= 255 and
      rule['port_range_max'] >= -1 and
      rule['port_range_max'] <= 255):

See the attachment for my patch, but this is just a quick hack. More fundamental refactoring should be done to handle different protocols separately.
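
The following is an added example, not the Quantum/Neutron code or the reporter's patch: a small protocol-aware validator that reproduces the rejected ICMP type-8/code-0 rule under the old check and accepts it under a corrected one. The ICMP bounds (-1..255, where -1 means "any") are the ones given in the report; the TCP/UDP port bounds of 1..65535 and the function names are assumptions made for this example.

```python
# Added example (not Neutron's own code): protocol-aware validation of
# security-group rules. ICMP bounds follow the bug report; TCP/UDP port
# bounds of 1..65535 are an assumption for this example.

class InvalidRule(ValueError):
    """Raised when a security-group rule fails validation."""

def validate_buggy(rule):
    """Pre-fix behaviour: the TCP/UDP ordering check is applied to every
    protocol, so an ICMP rule with type 8, code 0 is rejected."""
    lo, hi = rule.get('port_range_min'), rule.get('port_range_max')
    if lo is not None and hi is not None and lo > hi:
        raise InvalidRule("For TCP/UDP protocols, port_range_min must be <= port_range_max")
    return True

def validate_fixed(rule):
    """Protocol-aware check: for ICMP, port_range_min/max carry the ICMP
    type and code, which are independent values, not an ordered range."""
    proto = (rule.get('protocol') or '').lower()
    lo, hi = rule.get('port_range_min'), rule.get('port_range_max')
    if proto == 'icmp':
        for name, val in (('type', lo), ('code', hi)):
            if val is not None and not -1 <= val <= 255:
                raise InvalidRule("ICMP %s must be between -1 and 255" % name)
        return True
    if proto in ('tcp', 'udp'):
        for val in (lo, hi):
            if val is not None and not 1 <= val <= 65535:
                raise InvalidRule("port must be between 1 and 65535")
        if lo is not None and hi is not None and lo > hi:
            raise InvalidRule("For TCP/UDP protocols, port_range_min must be <= port_range_max")
        return True
    if lo is not None or hi is not None:
        raise InvalidRule("port ranges are only valid for tcp, udp and icmp")
    return True

# Constructed sample: the "allow ping" rule from the report (echo request, code 0).
PING_RULE = {'protocol': 'icmp', 'port_range_min': 8, 'port_range_max': 0}

def check_rule(rule, validator):
    """Return (accepted, message) instead of raising, for easy comparison."""
    try:
        validator(rule)
        return True, ''
    except InvalidRule as exc:
        return False, str(exc)
```

Running check_rule(PING_RULE, validate_buggy) yields the error quoted in the trace above, while check_rule(PING_RULE, validate_fixed) accepts the rule.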

Comment 1 lpeer 2013-08-21 11:43:21 UTC
A mitigation for this issue is to open the whole ICMP type range (set min==max==0).

A more granular configuration, like enabling only ping (type-8), is not supported in the Havana code base.

Comment 2 Jakub Libosvar 2013-11-13 13:08:27 UTC
Fixed upstream in July https://review.openstack.org/#/c/35736/

