[SRU] neutron doesn't correctly handle unknown protocols and should whitelist known and handled protocols

The web ui seems to handle this, but the API doesn't

I can reproduce this, for example:

$ openstack security group rule create --ingress --protocol 70 --dst-port 70:71 default

Although the security DB code does check the range, it only does it for protocols it knows support it like TCP. There should be a check to reject a range if it's not a known good protocol.

I'm working on a change now.

Fix proposed to branch: master
Review: https://review.openstack.org/545091

I think it would also be needed to have the iptables code to fail as cleanly as possible in case iptables rejets what we ask.

Reviewed: https://review.openstack.org/545091
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b564871bb759a38cf96527f94e7c7d4cc760b1c9
Submitter: Zuul
Branch: master

commit b564871bb759a38cf96527f94e7c7d4cc760b1c9
Author: Brian Haley <email address hidden>
Date: Thu Feb 15 13:57:32 2018 -0500

    Only allow SG port ranges for whitelisted protocols

    Iptables only supports port-ranges for certain protocols,
    others will generate failures, possibly leaving the agent
    looping trying to apply rules. Change to not allow port
    ranges outside of the list of known good protocols.

    Change-Id: I5867f77fc5aedc169b42f50def0424ff209c164c
    Closes-bug: #1749667

This issue was fixed in the openstack/neutron 13.0.0.0b1 development milestone.

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/566921

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/566922

Considering this bug is described as a potential DOS attack, I think it merits backports to pike and queens. Brian, your patch is a clean cherry-pick to queens and has only an apparently trivial test case conflict in pike, so I've taken a stab at just chucking those up. This is not meant to indicate that I know what I'm doing, so please take this with a grain of salt. :)

Reviewed: https://review.openstack.org/566921
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7559512135d4dde16e019c94990a33b2603587b1
Submitter: Zuul
Branch: stable/queens

commit 7559512135d4dde16e019c94990a33b2603587b1
Author: Brian Haley <email address hidden>
Date: Thu Feb 15 13:57:32 2018 -0500

    Only allow SG port ranges for whitelisted protocols

    Iptables only supports port-ranges for certain protocols,
    others will generate failures, possibly leaving the agent
    looping trying to apply rules. Change to not allow port
    ranges outside of the list of known good protocols.

    Change-Id: I5867f77fc5aedc169b42f50def0424ff209c164c
    Closes-bug: #1749667
    (cherry picked from commit b564871bb759a38cf96527f94e7c7d4cc760b1c9)

Reviewed: https://review.openstack.org/566922
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d8f9c9447020f1708ebac2b210e3bfe1dbefe3fa
Submitter: Zuul
Branch: stable/pike

commit d8f9c9447020f1708ebac2b210e3bfe1dbefe3fa
Author: Brian Haley <email address hidden>
Date: Thu Feb 15 13:57:32 2018 -0500

    Only allow SG port ranges for whitelisted protocols

    Iptables only supports port-ranges for certain protocols,
    others will generate failures, possibly leaving the agent
    looping trying to apply rules. Change to not allow port
    ranges outside of the list of known good protocols.

    This backport is based on commit
    b564871bb759a38cf96527f94e7c7d4cc760b1c9, excluding validation
    and tests for protocols where support for port ranges was
    added later (in Pike, only TCP and UDP are supported).

    Conflicts:
        neutron/tests/unit/db/test_securitygroups_db.py

    Change-Id: I5867f77fc5aedc169b42f50def0424ff209c164c
    Closes-bug: #1749667
    (cherry picked from commit b564871bb759a38cf96527f94e7c7d4cc760b1c9)

This issue was fixed in the openstack/neutron 12.0.3 release.

This issue was fixed in the openstack/neutron 11.0.5 release.

Hello Ian, or anyone else affected,

Accepted neutron into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Verified:

⟫ openstack security group rule create --protocol gre --dst-port 0:255 default
Error while executing command: BadRequestException: Unknown error, {"NeutronError": {"message": "Invalid protocol 47 for port range, only supported for TCP and UDP.", "type": "SecurityGroupInvalidProtocolForPortRange", "detail": ""}}

The verification of the Stable Release Update for neutron has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package neutron - 2:10.0.7-0ubuntu1~cloud1
---------------

 neutron (2:10.0.7-0ubuntu1~cloud1) xenial-ocata; urgency=medium
 .
   * Backport security-group multiport iptables rule fix (LP: #1749667)
     - d/p/Only-allow-SG-port-ranges-for-whitelisted-protocols.patch