Reviewed:  https://review.openstack.org/331416
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=785656744a6883b22972da0d867b36b699d6b15c
Submitter: Jenkins
Branch:    master

commit 785656744a6883b22972da0d867b36b699d6b15c
Author: yujie <[email protected]>
Date:   Thu Jul 7 12:49:34 2016 +0800

    Fix duplicated sg rules check for remote_ip_prefix

    Security group rule setting remote_ip_prefix 0.0.0.0/0 for ipv4 or
    ::/0 for ipv6 plays the same role as the sg rules without setting
    remote_ip_prefix. We could treat them as duplicates.

    Change-Id: Ic9213e77d3b03aded7fc34d486066c8af4a3b2a1
    Closes-Bug: #1534113

** Changed in: neutron
       Status: In Progress => Fix Released

--
https://bugs.launchpad.net/bugs/1534113

Title:
  default sg could add same rule as original egress ipv4 rule

Status in neutron:
  Fix Released

Bug description:
  In the default security group, we could add a rule that is the same as
  the original egress ipv4 rule.

  Reproduce step:

  # neutron security-group-rule-create --direction egress --remote-ip-prefix 0.0.0.0/0 default

  It returns:

  Created a new security_group_rule:
  +-------------------+--------------------------------------+
  | Field             | Value                                |
  +-------------------+--------------------------------------+
  | direction         | egress                               |
  | ethertype         | IPv4                                 |
  | id                | d8f968e2-270b-4d6e-a2d0-a408726b7edc |
  | port_range_max    |                                      |
  | port_range_min    |                                      |
  | protocol          |                                      |
  | remote_group_id   |                                      |
  | remote_ip_prefix  | 0.0.0.0/0                            |
  | security_group_id | 9a2c0d86-4a36-46d4-a4da-43a239003eef |
  | tenant_id         | 52953da91c0e47528d5317867391aaec     |
  +-------------------+--------------------------------------+

  Actually we expect: "Security group rule already exists. Rule id is xxxxx".

  UPDATE (same as #4): Comment #3 makes a mistake. The description above
  seems related to --remote-ip-prefix.

  1. Create sg-rule rule1 setting no --remote-ip-prefix.

     # neutron security-group-rule-create --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

  2. Create sg-rule rule2 the same as rule1 except that --remote-ip-prefix 0.0.0.0/0 is set.

     # neutron security-group-rule-create --remote-ip-prefix 0.0.0.0/0 --direction ingress 0aced031-542f-40f0-87d7-d20dfc6b0ea2

  Both rules could be created successfully. In the dashboard, the two rules
  look the same. Using neutronclient to show them:

  rule1:
  +-------------------+--------------------------------------+
  | Field             | Value                                |
  +-------------------+--------------------------------------+
  | direction         | ingress                              |
  | ethertype         | IPv4                                 |
  | id                | 58999af2-266a-422f-9b41-c38b69bb72ef |
  | port_range_max    |                                      |
  | port_range_min    |                                      |
  | protocol          |                                      |
  | remote_group_id   |                                      |
  | remote_ip_prefix  |                                      |
  | security_group_id | 0aced031-542f-40f0-87d7-d20dfc6b0ea2 |
  | tenant_id         | 60f2bf725b0046ef9e2c470b528a25f6     |
  +-------------------+--------------------------------------+

  rule2:
  +-------------------+--------------------------------------+
  | Field             | Value                                |
  +-------------------+--------------------------------------+
  | direction         | ingress                              |
  | ethertype         | IPv4                                 |
  | id                | dbaed060-2c94-44df-b0b9-6852c6d3ed0e |
  | port_range_max    |                                      |
  | port_range_min    |                                      |
  | protocol          |                                      |
  | remote_group_id   |                                      |
  | remote_ip_prefix  | 0.0.0.0/0                            |
  | security_group_id | 0aced031-542f-40f0-87d7-d20dfc6b0ea2 |
  | tenant_id         | 60f2bf725b0046ef9e2c470b528a25f6     |
  +-------------------+--------------------------------------+

  When creating an instance using this sg, in iptables the two sg rules are
  only converted to one rule in neutron-openvswi-ixxxxx. So when checking
  for duplicate rules we should take more effort to treat rule1 and rule2
  as the same.
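The duplicate check the bug asks for, as an added example that is not neutron's own code: a rule whose remote_ip_prefix is the catch-all for its ethertype (0.0.0.0/0 or ::/0) is normalised to "no prefix" before comparing. The rule dict fields mirror the neutronclient output above; comparing every other field and canonicalising non-catch-all prefixes with ipaddress are assumptions of this example.

```python
import ipaddress

# Added example, not neutron's own code: treat a catch-all remote_ip_prefix
# (0.0.0.0/0 for IPv4, ::/0 for IPv6) the same as an unset remote_ip_prefix
# when looking for duplicate security group rules.
# The field set below is assumed from the neutronclient output in the bug.
COMPARED_FIELDS = ("security_group_id", "direction", "protocol",
                   "port_range_min", "port_range_max", "remote_group_id")

def normalize_prefix(ethertype, prefix):
    """Return a canonical remote_ip_prefix, or None when it restricts nothing."""
    if prefix is None:
        return None
    net = ipaddress.ip_network(prefix, strict=False)
    expected_version = 4 if ethertype == "IPv4" else 6
    if net.version != expected_version:
        raise ValueError("remote_ip_prefix %s does not match ethertype %s"
                         % (prefix, ethertype))
    # A zero-length prefix matches every address of that family, so the rule
    # is equivalent to one with no remote_ip_prefix at all.
    if net.prefixlen == 0:
        return None
    return str(net)  # host bits cleared, e.g. "10.0.0.1/8" -> "10.0.0.0/8"

def rule_key(rule):
    """Hashable identity of a rule; equivalent rules yield equal keys."""
    ethertype = rule.get("ethertype", "IPv4")
    prefix = normalize_prefix(ethertype, rule.get("remote_ip_prefix"))
    return tuple(rule.get(f) for f in COMPARED_FIELDS) + (ethertype, prefix)

def find_duplicate(existing_rules, new_rule):
    """Return the id of an existing rule equivalent to new_rule, else None."""
    key = rule_key(new_rule)
    for rule in existing_rules:
        if rule_key(rule) == key:
            return rule["id"]
    return None

# Constructed from the rule1/rule2 output in the bug description above.
RULE1 = {"id": "58999af2-266a-422f-9b41-c38b69bb72ef", "direction": "ingress",
         "ethertype": "IPv4", "remote_ip_prefix": None,
         "security_group_id": "0aced031-542f-40f0-87d7-d20dfc6b0ea2"}
RULE2 = dict(RULE1, id="dbaed060-2c94-44df-b0b9-6852c6d3ed0e",
             remote_ip_prefix="0.0.0.0/0")
```

With this check in place, creating rule2 after rule1 reports rule1's id as the existing duplicate instead of inserting a second row that iptables collapses anyway.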

