Public bug reported: Creating a security group rule with ethertype IPv4 and an IPv6 protocol integer succeeds when it should fail.
1. create security group, 'mygroup'
2. create security group rule --protocol 43 --ethertype IPv4 mygroup

Expected output:

ubuntu@ubuntu:/opt/stack/tempest$ openstack security group rule create --protocol ipv6-route --ethertype IPv4 mygroup
Error while executing command: Bad Request (HTTP 400) (Request-ID: req-c51a4492-3f9f-4381-98c4-8331d4366cca)

Actual output:

ubuntu@ubuntu:/opt/stack/tempest$ openstack security group rule create --protocol 43 --ethertype IPv4 mygroup
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2017-07-25T00:34:46Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | 230d5bd4-4be5-4814-a80a-b8aa74d8f5d2 |
| name              | None                                 |
| port_range_max    | None                                 |
| port_range_min    | None                                 |
| project_id        | 4cdd24e0cfb54cf49aef2da436884a7a     |
| protocol          | 43                                   |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 0                                    |
| security_group_id | 439a1eb6-37a6-45ff-adb6-87aa87e8b68c |
| updated_at        | 2017-07-25T00:34:46Z                 |
+-------------------+--------------------------------------+

The problem is here neutron/db/securitygroups_db.py:

    if rule['protocol'] in [constants.PROTO_NAME_IPV6_ENCAP,
                            constants.PROTO_NAME_IPV6_FRAG,
                            constants.PROTO_NAME_IPV6_ICMP,
                            constants.PROTO_NAME_IPV6_ICMP_LEGACY,
                            constants.PROTO_NAME_IPV6_NONXT,
                            constants.PROTO_NAME_IPV6_OPTS,
                            constants.PROTO_NAME_IPV6_ROUTE]:
        if rule['ethertype'] == constants.IPv4:
            raise ext_sg.SecurityGroupEthertypeConflictWithProtocol(
                ethertype=rule['ethertype'], protocol=rule['protocol'])

It should check for numbers and names from neutron_lib constants.

** Affects: neutron
     Importance: Undecided
     Assignee: Trevor McCasland (twm2016)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => Trevor McCasland (twm2016)

** Description changed:

Creating a security group rule with ethertype IPv4 and an IPv6 protocol - integer, see . + integer succeeds when it should fail. 1. 
create security group, 'mygroup' 2. create security group rule --protocol 43 --ethertype IPv4 mygroup Expected output: ubuntu@ubuntu:/opt/stack/tempest$ openstack security group rule create --protocol ipv6-route --ethertype IPv4 mygroup Error while executing command: Bad Request (HTTP 400) (Request-ID: req-c51a4492-3f9f-4381-98c4-8331d4366cca) Actual output: ubuntu@ubuntu:/opt/stack/tempest$ openstack security group rule create --protocol 43 --ethertype IPv4 mygroup +-------------------+--------------------------------------+ | Field | Value | +-------------------+--------------------------------------+ | created_at | 2017-07-25T00:34:46Z | | description | | | direction | ingress | | ether_type | IPv4 | | id | 230d5bd4-4be5-4814-a80a-b8aa74d8f5d2 | | name | None | | port_range_max | None | | port_range_min | None | | project_id | 4cdd24e0cfb54cf49aef2da436884a7a | | protocol | 43 | | remote_group_id | None | | remote_ip_prefix | 0.0.0.0/0 | | revision_number | 0 | | security_group_id | 439a1eb6-37a6-45ff-adb6-87aa87e8b68c | | updated_at | 2017-07-25T00:34:46Z | +-------------------+--------------------------------------+ - The problem is here neutron/db/securitygroups_db.py: if rule['protocol'] in [constants.PROTO_NAME_IPV6_ENCAP, - constants.PROTO_NAME_IPV6_FRAG, - constants.PROTO_NAME_IPV6_ICMP, - constants.PROTO_NAME_IPV6_ICMP_LEGACY, - constants.PROTO_NAME_IPV6_NONXT, - constants.PROTO_NAME_IPV6_OPTS, - constants.PROTO_NAME_IPV6_ROUTE]: - if rule['ethertype'] == constants.IPv4: - raise ext_sg.SecurityGroupEthertypeConflictWithProtocol( - ethertype=rule['ethertype'], protocol=rule['protocol']) - + constants.PROTO_NAME_IPV6_FRAG, + constants.PROTO_NAME_IPV6_ICMP, + constants.PROTO_NAME_IPV6_ICMP_LEGACY, + constants.PROTO_NAME_IPV6_NONXT, + constants.PROTO_NAME_IPV6_OPTS, + constants.PROTO_NAME_IPV6_ROUTE]: + if rule['ethertype'] == constants.IPv4: + raise ext_sg.SecurityGroupEthertypeConflictWithProtocol( + ethertype=rule['ethertype'], protocol=rule['protocol']) 
It should check for numbers and names from neutron_lib constants.

-- 
https://bugs.launchpad.net/bugs/1706229

Title:
  security group: ipv6 protocol integer works in ipv4 ethertype

Status in neutron:
  New
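
Added example, not part of the original bug report and not neutron's code: a check that maps the protocol to its IP protocol number before comparing, so that 43, '43' and 'ipv6-route' are all rejected under ethertype IPv4. The name-to-number table is constructed here from the IANA protocol numbers instead of importing neutron_lib constants; EthertypeConflictWithProtocol and the function names are hypothetical stand-ins.

```python
# Added illustration, not neutron's code. The table is constructed here from
# the IANA protocol numbers; neutron_lib is deliberately not imported.
IPV6_ONLY_PROTOCOLS = {
    "ipv6-encap": 41,
    "ipv6-route": 43,
    "ipv6-frag": 44,
    "ipv6-icmp": 58,
    "icmpv6": 58,  # legacy alias of ipv6-icmp
    "ipv6-nonxt": 59,
    "ipv6-opts": 60,
}
IPV6_ONLY_NUMBERS = frozenset(IPV6_ONLY_PROTOCOLS.values())


class EthertypeConflictWithProtocol(ValueError):
    """Hypothetical stand-in for SecurityGroupEthertypeConflictWithProtocol."""


def protocol_number(protocol):
    """Map a protocol name, int, or integer string to its number, else None."""
    if protocol is None:
        return None
    text = str(protocol).strip().lower()
    if text in IPV6_ONLY_PROTOCOLS:
        return IPV6_ONLY_PROTOCOLS[text]
    try:
        return int(text)
    except ValueError:
        return None  # other names (tcp, udp, ...) are not IPv6-only


def is_conflict(rule):
    """True when an IPv6-only protocol is paired with ethertype IPv4."""
    return (rule.get("ethertype") == "IPv4"
            and protocol_number(rule.get("protocol")) in IPV6_ONLY_NUMBERS)


def validate_rule(rule):
    """Reject by number as well as by name, unlike the name-only check."""
    if is_conflict(rule):
        raise EthertypeConflictWithProtocol(
            "ethertype %(ethertype)s conflicts with protocol %(protocol)s" % rule)
    return rule
```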