*** mhen_ is now known as mhen | 01:29 | |
pmbraat | Hi. I'm experiencing/noticed something weird in an instance of OpenStack I'm using: I have a network security group attached to a compute instance. When I create a certain rule in this security group _all_ ingress ports are opened, not just the port specified in the rule. This issue occurs when I send an empty string in the remote_ip_prefix parameter. Is this a known issue? Is it a bug in OpenStack or | 07:15 |
pmbraat | is the instance I'm using probably somehow misconfigured? | 07:15 |
pmbraat | FYI: I have no experience managing or configuring OpenStack itself. I'm just a "simple user" of this one OpenStack instance. So I'm unable to test this in another instance. | 07:16 |
pmbraat | Example of JSON sent to the network API /v2.0/security-group-rules : {"security_group_rule":{"direction":"ingress","ethertype":"IPv4","protocol":"tcp","port_range_min":"1234","port_range_max":"1234","remote_ip_prefix":"","security_group_id":"some-group-id-here"}} | 07:17 |
pmbraat | This opens _all_ ports, not just 1234 | 07:17 |
pmbraat | Also: If I display the rule via the web interface or get it from the CLI, the rule says that remote_ip_prefix is 0.0.0.0/0 and port is 1234. This is not the effect I see though. All ports are actually opened | 07:20 |
*** ministry is now known as __ministry | 08:23 | |
pmbraat | What I mentioned above happens in the Ussuri release | 09:34 |
frickler | pmbraat: this sounds like a bug in Neutron, but we'll likely need more information in order to be sure. best create a bug report at https://bugs.launchpad.net/neutron | 10:01 |
pmbraat | frickler: I'm not familiar with Neutron. That's just the networking part of OpenStack? | 10:07 |
pmbraat | The issue is present if you create the rule through the CLI as well: openstack security group rule create --protocol tcp --dst-port 1234:1234 --remote-ip "" --ingress some-group-id | 10:08 |
frickler | pmbraat: at least I can not easily reproduce this on my deployment. so proceeding via a bug report would seem to be the best way forward | 10:27 |
frickler | and neutron is the networking part of openstack, yes | 10:27 |
*** ministry is now known as __ministry | 15:02 | |
*** ralonsoh is now known as ralonsoh_afk | 16:56 |