Disallow setting /0 for network other than 0.0.0.0

If something like 15.0.0.0/0 is set as an IP address range it ends up
being identical to 0.0.0.0/0 (i.e all access) which I don't think is
the intent of the user when they make the API call.

Change-Id: I3fc05371f461112feae4f1097777fede5fc6b948

1 files changed, 7 insertions, 0 deletions

diff --git a/nova/api/openstack/compute/contrib/security_groups.py b/nova/api/openstack/compute/contrib/security_groups.py
index a15c395ae..c49e7af70 100644
--- a/nova/api/openstack/compute/contrib/security_groups.py
+++ b/nova/api/openstack/compute/contrib/security_groups.py
@@ -30,6 +30,7 @@ from nova.compute import api as compute_api
 from nova import db
 from nova import exception
 from nova.openstack.common import log as logging
+from nova.virt import netutils
 
 LOG = logging.getLogger(__name__)
 authorize = extensions.extension_authorizer('compute', 'security_groups')
@@ -332,6 +333,12 @@ class SecurityGroupRulesController(SecurityGroupControllerBase):
 
         values['parent_group_id'] = security_group.id
 
+        if 'cidr' in values:
+            net, prefixlen = netutils.get_net_and_prefixlen(values['cidr'])
+            if net != '0.0.0.0' and prefixlen == '0':
+                msg = _("Bad prefix for network in cidr %s") % values['cidr']
+                raise exc.HTTPBadRequest(explanation=msg)
+
         if self.security_group_api.rule_exists(security_group, values):
             msg = _('This rule already exists in group %s') % parent_group_id
             raise exc.HTTPBadRequest(explanation=msg)