| author | Russell Bryant <rbryant@redhat.com> | 2012-03-07 15:03:35 -0500 |
|---|---|---|
| committer | Vishvananda Ishaya <vishvananda@gmail.com> | 2012-03-09 17:16:53 -0800 |
| commit | ee0bb74cbcf521071965ccd63f8232e8c434229d (patch) | |
| tree | ebb2e1af08db7c97720a3167bbd8d212b8fc886a /nova/api | |
| parent | bd2d89dd567dc8544201042487ac23c2096a4b8d (diff) | |
Fix issues with security group auths without ports.
Fix bug 946427.
There was a bug where a security group would get completely opened in
cases where only icmp, udp, or tcp should be opened. For example, any
of the following three commands would result in opening everything:
euca-authorize -P icmp -o test-ports test-ports
euca-authorize -P tcp -o test-ports test-ports
euca-authorize -P udp -o test-ports test-ports
This patch resolves this and these commands now only open the protocol
that was specified. Unit tests have been added to verify the fix and
also to verify that the whole protocol is opened by default only when a
source group is specified.
While the bug was originally reported against the EC2 API, the same
updates and similar unit tests have gone in to the equivalent code for
the OpenStack API.
Change-Id: I4c87c5f5f4ccee60c6c16da4e659d73ab3f4a34f
Diffstat (limited to 'nova/api')
| -rw-r--r-- | nova/api/ec2/cloud.py | 12 | ||||
| -rw-r--r-- | nova/api/openstack/compute/contrib/security_groups.py | 12 |
2 files changed, 24 insertions, 0 deletions
diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index 25d6c1c81..c5cc1feb0 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -544,6 +544,18 @@ class CloudController(object):
 else:
 values['cidr'] = '0.0.0.0/0'
+ if source_security_group_name:
+ # Open everything if an explicit port range or type/code are not
+ # specified, but only if a source group was specified.
+ ip_proto_upper = ip_protocol.upper() if ip_protocol else ''
+ if ip_proto_upper == 'ICMP' and not from_port and not to_port:
+ from_port = -1
+ to_port = -1
+ elif (ip_proto_upper in ['TCP', 'UDP'] and not from_port
+ and not to_port):
+ from_port = 1
+ to_port = 65535
+
 if ip_protocol and from_port and to_port:
 ip_protocol = str(ip_protocol)
diff --git a/nova/api/openstack/compute/contrib/security_groups.py b/nova/api/openstack/compute/contrib/security_groups.py
index 9a4cdc7e8..bc4551ec7 100644
--- a/nova/api/openstack/compute/contrib/security_groups.py
+++ b/nova/api/openstack/compute/contrib/security_groups.py
@@ -436,6 +436,18 @@ class SecurityGroupRulesController(SecurityGroupControllerBase):
 else:
 values['cidr'] = '0.0.0.0/0'
+ if group_id:
+ # Open everything if an explicit port range or type/code are not
+ # specified, but only if a source group was specified.
+ ip_proto_upper = ip_protocol.upper() if ip_protocol else ''
+ if ip_proto_upper == 'ICMP' and not from_port and not to_port:
+ from_port = -1
+ to_port = -1
+ elif (ip_proto_upper in ['TCP', 'UDP'] and not from_port
+ and not to_port):
+ from_port = 1
+ to_port = 65535
+
 if ip_protocol and from_port and to_port:
 ip_protocol = str(ip_protocol) |
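Review bot: `not from_port and not to_port` treats a value of 0 as "not specified", so if the ports arrive as integers a rule for ICMP type 0 / code 0 (echo reply) is silently widened to all ICMP types and codes (-1/-1); the same pattern is in the security_groups.py hunk. Whether these values are ints or strings depends on the caller, which is outside the hunk — the JSON-bodied OpenStack extension seems likely to pass integers while the EC2 path probably sees strings, so this needs confirming, but the existing `if ip_protocol and from_port and to_port:` below has the same ambiguity and the new code makes it reach the stored rule. Testing for absence explicitly avoids it: `if ip_proto_upper == 'ICMP' and from_port is None and to_port is None:` and `elif ip_proto_upper in ('TCP', 'UDP') and from_port is None and to_port is None:`, normalising an empty string to None first if the EC2 parameter layer can produce one; a unit test that authorises ICMP type 0 / code 0 and checks the stored rule would pin this. The enclosing method starts and ends outside the hunk.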
