Reviewed:  https://review.opendev.org/c/openstack/neutron/+/926498
Committed: https://opendev.org/openstack/neutron/commit/81375f0b2be1727e2223393562b309f23ae4fa49
Submitter: "Zuul (22348)"
Branch:    master

commit 81375f0b2be1727e2223393562b309f23ae4fa49
Author: Brian Haley <[email protected]>
Date:   Sat Aug 17 19:37:36 2024 -0400

    Add special treatment for 'any' in SG rule API

    The openstack client changes the protocol to None in the case
    that 'any' is given as an argument when creating a security
    group rule. But using 'any' in a POST call will return an
    error saying it is invalid.

    Add special treatment for 'any' as a protocol value in the API
    by treating it the same as None, but do not use the 'any'
    string when creating the DB entry, it is only treated as an
    alias.

    Closes-bug: #2074056
    Change-Id: Ic88ae2c249eb2cd1af1ebbf6707c707f51a52638

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2074056

Title:
  Invalid documented security group rule protocol "any"

Status in neutron:
  Fix Released

Bug description:
  The Networking API specification v2.0 for security group rule
  creation[1] states that:

  > The string any (or integer 0) means all IP protocols.

  However, attempting to create a security group rule with protocol
  "any" results in a 400 Bad Request:

  ```
  curl -g -i -X POST \
      'https://neutron.example:13696/v2.0/security-group-rules' \
      -H "Content-Type: application/json" \
      -H "X-Auth-Token: valid-token" \
      -d '{"security_group_rule": {"ethertype": "IPv4", "security_group_id": "f2746bac-1c1f-42b6-8791-fc1b1448fa0e", "remote_ip_prefix": "0.0.0.0/0", "direction": "ingress", "protocol": "any"}}'
  HTTP/1.1 400 Bad Request
  content-type: application/json
  content-length: 450
  x-openstack-request-id: req-a2d167b4-5d7f-4bf3-9c60-7823b2122efc
  date: Thu, 25 Jul 2024 08:11:49 GMT

  {"NeutronError": {"type": "SecurityGroupRuleInvalidProtocol", "message": "Security group rule protocol any not supported. Only protocol values [None, 'ah', 'dccp', 'egp', 'esp', 'gre', 'hopopt', 'icmp', 'igmp', 'ip', 'ipip', 'ipv6-encap', 'ipv6-frag', 'ipv6-icmp', 'icmpv6', 'ipv6-nonxt', 'ipv6-opts', 'ipv6-route', 'ospf', 'pgm', 'rsvp', 'sctp', 'tcp', 'udp', 'udplite', 'vrrp'] and integer representations [0 to 255] are supported.", "detail": ""}}
  ```

  Tested on RHOSP 17.1, which is based on Wallaby according to its
  docs[2].

  There appear to be multiple ways to create security group rules that
  apply regardless of the protocol:

  - protocol value set to number zero or string zero:
    `"protocol": 0`
    `"protocol": "0"`
  - protocol value set to null or unset:
    `"protocol": null`
  - protocol value set to the empty string:
    `"protocol": ""`

  I have grouped them by how they conflict. In other words: you can have
  a security group containing three of these rules (zero, null, empty)
  that won't conflict with each other at creation.

  My questions:

  - These three "protocol" values are stored differently. Do they behave
    exactly the same?
  - Is there a preferred way to create a rule that applies to any
    protocol?
  - Is the documentation effectively wrong about the value "any", or am
    I missing something?

  Thank you.

  [1]: https://docs.openstack.org/api-ref/network/v2/#create-security-group-rule
  [2]: https://docs.redhat.com/en/documentation/red_hat_openstack_platform/17.1/html/release_notes/chap-introduction#about-this-release_relnotes-intro

