Comment 17 for bug 985184
Revision history for this message
| Phil Day (philip-day) wrote RE: [Bug 985184] Re: Security groups fail to be set correctly if incorrect case is used for protocol specification | #17 |
Sounds good to me
-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Robert Clark
Sent: 24 April 2012 17:06
To: Day, Phil
Subject: [Bug 985184] Re: Security groups fail to be set correctly if incorrect case is used for protocol specification
Ok, so I missed Vish's patch, Phil just pointed out that with his fix, changes to the DB aren't required.
This would still leave flaky values in the DB. I guess I'd like to see a fix where:
A) Data enters the DB in the correct state (this makes late queries and as-yet unwritten code - simpler).
B) Security Group code is robust to bad data currently in the DB
C) Advice for people who wish to clean the DB
Thoughts?
--
You received this bug notification because you are subscribed to the bug report.
https:/
Title:
Security groups fail to be set correctly if incorrect case is used for
protocol specification
Status in OpenStack Compute (Nova):
Triaged
Bug description:
The high level issue is that if a security group rule is specified
with the protocol in uppercase (e.g. TCP instead of tcp) on a system
using the IpTablesFirewal
fail to be properly applied, leading to security groups that are more
open than specified.
The detail of the issue is as follows (Described from the OSAPI
perspective, but the problem also exists on EC2)
When a security group rule is specified with the protocol in upper case it is validated (contrig/
if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']:
…
values[
When the security group refresh is triggered (virt/firewall.py – instance_rules() the protocol check is case sensitive:
Because the protocol doesn’t match ‘udp’ or ‘tcp’ the protocol part of
the rule is skipped, leading to an incomplete and invalid iptables
command line.
To manage notifications about this bug go to:
https:/