[Yahoo-eng-team] [Bug 1818385] [NEW] It's possible to add a security group rule for VRRP with a dport

Erik Olof Gunnar Andersson Sat, 02 Mar 2019 20:51:31 -0800

Public bug reported:

This command should be invalid, but Neutron (Rocky) allows it to be created. 
> openstack security group rule create xxx --protocol vrrp --ingress 
> --remote-ip <ip> --dst-port 112


Since iptables does not allow dst-port being passed. It would trigger the 
following error on the compute.
> unknown option "--dport"

I would have created this as a security vulnerability, but it's already
been mentioned on IRC.

** Affects: neutron
     Importance: Undecided
         Status: New

** Description changed:

- This command should be invalid, but Neutron (Rocky) allows it to be created. 
Since iptables does not allow dst-port being passed.
+ This command should be invalid, but Neutron (Rocky) allows it to be created. 
  > openstack security group rule create xxx --protocol vrrp --ingress 
--remote-ip <ip> --dst-port 112
  
- It would trigger the following error on the compute site.
+ Since iptables does not allow dst-port being passed. It would trigger the 
following error on the compute.
  > unknown option "--dport"
  
- I would create this as a security vulnerability, but it's already been
- mentioned on IRC.
+ I would have created this as a security vulnerability, but it's already
+ been mentioned on IRC.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1818385

Title:
  It's possible to add a security group rule for VRRP with a dport

Status in neutron:
  New

Bug description:
  This command should be invalid, but Neutron (Rocky) allows it to be created. 
  > openstack security group rule create xxx --protocol vrrp --ingress 
--remote-ip <ip> --dst-port 112

  Since iptables does not allow dst-port being passed. It would trigger the 
following error on the compute.
  > unknown option "--dport"

  I would have created this as a security vulnerability, but it's
  already been mentioned on IRC.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1818385/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 1818385] [NEW] It's possible to add a security group rule for VRRP with a dport

Reply via email to