[Bug 1749667] Please test proposed package

Corey Bryant corey.bryant at canonical.com
Wed Nov 28 02:14:28 UTC 2018


Hello Ian, or anyone else affected,

Accepted neutron into ocata-proposed. The package will build now and be
available in the Ubuntu Cloud Archive in a few hours, and then in the
-proposed repository.

Please help us by testing this new package. To enable the -proposed
repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-ocata-needed to verification-ocata-done. If it does
not fix the bug for you, please add a comment stating that, and change
the tag to verification-ocata-failed. In either case, details of your
testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

** Changed in: cloud-archive/ocata
       Status: Triaged => Fix Committed

** Tags added: verification-ocata-needed

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1749667

Title:
  [SRU] neutron doesn't correctly handle unknown protocols and should
  whitelist known and handled protocols

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive ocata series:
  Fix Committed
Status in neutron:
  Fix Released

Bug description:
  [Impact]
  Neutron allowed users to create security group rules that would translate to invalid iptables rules thus causing neutron to fail when it attempted to apply them. This is now fixed for >= Pike and we are backporting for Ocata.

  [Test Case]
    * deploy openstack ocata
    * create an invalid security group rule e.g.

  openstack security group rule create --protocol gre --dst-port 0:255 jmclane

    * check that request is rejected with e.g.

  Error while executing command: BadRequestException: Unknown error, {"NeutronError": {"message": "Invalid protocol 47 for port range, only supported for TCP, UDP, UDPLITE, SCTP and DCCP.", "type": "SecurityGroupInvalidProtocolForPortRange", "detail": ""}}

  [Regression Potential]
  Upgrading to this patch will reject new API requests that try to create invalid rules but will not clean up invalid rules already extant.

  Note also that the backported ocata patch is unchanged from pike.

  -----------------------------------------------------------------------------

  We have had problems with openvswitch agent continuously restarting
  and never actually completing setup because of this:

  # Completed by iptables_manager
  ; Stdout: ; Stderr: iptables-restore v1.4.21: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP
  Error occurred at line: 83
  Try `iptables-restore -h' or 'iptables-restore --help' for more information.

      83. -I neutron-openvswi-<id> 69 -s <ip> -p 112 -m multiport --dports 1:65535 -j RETURN
  ---

  Someone has managed to inject a rule that is, effectively, a DoS.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1749667/+subscriptions
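The check the bug description calls for, written out as an added illustration (this is not neutron's code and not part of the bug report): a port range is only accepted for the protocols named in the rejection message above, because those are the only ones iptables' multiport match supports; anything else is refused at the API instead of being rendered into a rule that makes iptables-restore fail and the agent restart forever. A second function audits an existing iptables-restore batch for such rules, which matters because the patch does not clean up rules created before it. The protocol-number table, the chain name, addresses and sample lines, and all function names are constructed for this example.

```python
"""Whitelist check for security-group port ranges (added example, not neutron code)."""
import re

# IANA protocol numbers used in this example (constructed lookup table,
# not neutron's own constants).
PROTO_NUM = {
    "icmp": 1, "tcp": 6, "udp": 17, "dccp": 33, "gre": 47,
    "ipv6-icmp": 58, "vrrp": 112, "sctp": 132, "udplite": 136,
}

# The set named in the bug's rejection message: protocols for which the
# iptables multiport extension (and therefore a port range) is valid.
PORT_RANGE_PROTOCOLS = ("tcp", "udp", "udplite", "sctp", "dccp")
PORT_RANGE_PROTOCOL_NUMS = frozenset(PROTO_NUM[p] for p in PORT_RANGE_PROTOCOLS)


class SecurityGroupInvalidProtocolForPortRange(ValueError):
    """Port range requested for a protocol that cannot carry one."""


def resolve_protocol(protocol):
    """Map a protocol name or numeric string to its IANA number (None stays None)."""
    if protocol is None:
        return None
    text = str(protocol).strip().lower()
    if text in PROTO_NUM:
        return PROTO_NUM[text]
    if text.isdigit() and 0 <= int(text) <= 255:
        return int(text)
    raise ValueError(f"Unknown protocol {protocol!r}")


def validate_port_range(protocol, port_range_min=None, port_range_max=None):
    """Reject rules whose protocol/port combination iptables cannot express."""
    if port_range_min is None and port_range_max is None:
        return  # no ports requested: any protocol is acceptable
    num = resolve_protocol(protocol)
    if num not in PORT_RANGE_PROTOCOL_NUMS:
        raise SecurityGroupInvalidProtocolForPortRange(
            f"Invalid protocol {num} for port range, only supported for "
            "TCP, UDP, UDPLITE, SCTP and DCCP.")
    for port in (port_range_min, port_range_max):
        if port is not None and not 0 <= port <= 65535:
            raise ValueError(f"Port {port} out of range 0-65535")
    if (port_range_min is not None and port_range_max is not None
            and port_range_min > port_range_max):
        raise ValueError("port_range_min must not exceed port_range_max")


def validation_error(protocol, port_range_min=None, port_range_max=None):
    """Return the rejection message for a rule request, or None if it is valid."""
    try:
        validate_port_range(protocol, port_range_min, port_range_max)
    except ValueError as exc:  # also catches the SecurityGroup... subclass
        return str(exc)
    return None


# Audit of rules accepted before the API check existed: iptables-restore
# aborts the whole batch on the first bad line, so one such rule is enough
# to keep the agent from ever finishing setup.
_PROTO_RE = re.compile(r"(?:^|\s)-p\s+(\S+)")
_MULTIPORT_RE = re.compile(r"(?:^|\s)-m\s+multiport(?:\s|$)")


def find_invalid_multiport_rules(rule_lines):
    """Return (line_number, rule) for restore lines whose multiport match would fail."""
    bad = []
    for number, line in enumerate(rule_lines, 1):
        if not _MULTIPORT_RE.search(line):
            continue
        match = _PROTO_RE.search(line)
        try:
            num = resolve_protocol(match.group(1)) if match else None
        except ValueError:
            num = None  # unknown protocol name: treat as not multiport-capable
        if num not in PORT_RANGE_PROTOCOL_NUMS:
            bad.append((number, line.strip()))
    return bad


# Constructed sample of a neutron-style iptables-restore batch (chain name,
# addresses and rule positions are made up for this example).
SAMPLE_RULES = [
    "-I neutron-openvswi-iEXAMPLE 10 -s 10.0.0.5/32 -p tcp -m multiport --dports 22 -j RETURN",
    "-I neutron-openvswi-iEXAMPLE 11 -s 10.0.0.6/32 -p 112 -m multiport --dports 1:65535 -j RETURN",
    "-I neutron-openvswi-iEXAMPLE 12 -s 10.0.0.7/32 -p gre -j RETURN",
    "-I neutron-openvswi-iEXAMPLE 13 -s 10.0.0.8/32 -p udp -m multiport --dports 53 -j RETURN",
]

if __name__ == "__main__":
    print(validation_error("gre", 0, 255))
    print(validation_error("tcp", 22, 22))
    for number, rule in find_invalid_multiport_rules(SAMPLE_RULES):
        print(f"line {number} would fail iptables-restore: {rule}")
```

Running the module rejects the `gre` request from the test case with the same wording the fixed API returns, accepts the TCP rule, and flags only the `-p 112 -m multiport` line of the sample batch, which is the shape of rule the original report shows failing at line 83.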


