iptables-restore: invalid portrange specified

Bug #898372 reported by Everett Toews
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

Version: trunk (essex)

1. Start a VM in the default security group.
2. Create a security group rule that goes from a high to a low port from the CLIs or the Dashboard, e.g.

ubuntu@i-00000052:~/devstack$ euca-authorize -P tcp -p 80-60 default
GROUP default
PERMISSION default ALLOWS tcp 80 60 FROM CIDR 0.0.0.0/0

ubuntu@i-00000052:~/devstack$ nova secgroup-add-rule default tcp 200 100 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 200 | 100 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+

ubuntu@i-00000052:~/devstack$ euca-describe-groups
GROUP 2 default default
PERMISSION 2 default ALLOWS tcp 80 60 FROM CIDR 0.0.0.0/0
PERMISSION 2 default ALLOWS tcp 200 100 FROM CIDR 0.0.0.0/0

3. Start another VM in the default security group.
4. nova-compute reports the following error.

2011-11-30 19:14:22,430 ERROR nova.exception [-] Uncaught exception
(nova.exception): TRACE: Traceback (most recent call last):
(nova.exception): TRACE: File "/opt/stack/nova/nova/exception.py", line 100, in wrapped
(nova.exception): TRACE: return f(*args, **kw)
(nova.exception): TRACE: File "/opt/stack/nova/nova/compute/manager.py", line 216, in refresh_security_group_rules
(nova.exception): TRACE: return self.driver.refresh_security_group_rules(security_group_id)
(nova.exception): TRACE: File "/opt/stack/nova/nova/virt/libvirt/connection.py", line 1524, in refresh_security_group_rules
(nova.exception): TRACE: self.firewall_driver.refresh_security_group_rules(security_group_id)
(nova.exception): TRACE: File "/opt/stack/nova/nova/virt/libvirt/firewall.py", line 727, in refresh_security_group_rules
(nova.exception): TRACE: self.iptables.apply()
(nova.exception): TRACE: File "/opt/stack/nova/nova/utils.py", line 686, in inner
(nova.exception): TRACE: retval = f(*args, **kwargs)
(nova.exception): TRACE: File "/opt/stack/nova/nova/network/linux_net.py", line 315, in apply
(nova.exception): TRACE: attempts=5)
(nova.exception): TRACE: File "/opt/stack/nova/nova/network/linux_net.py", line 745, in _execute
(nova.exception): TRACE: return utils.execute(*cmd, **kwargs)
(nova.exception): TRACE: File "/opt/stack/nova/nova/utils.py", line 189, in execute
(nova.exception): TRACE: cmd=' '.join(cmd))
(nova.exception): TRACE: ProcessExecutionError: Unexpected error while running command.
(nova.exception): TRACE: Command: sudo iptables-restore
(nova.exception): TRACE: Exit code: 2
(nova.exception): TRACE: Stdout: ''
(nova.exception): TRACE: Stderr: "iptables-restore v1.4.10: invalid portrange specified\nError occurred at line: 35\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"

iptables-restore does not like the high to low port range.

Obviously the workaround is to just create low to high port ranges but creating high to low port ranges should be explicitly denied by nova.
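The check the report asks for, as an added example that is not part of the bug report and not nova's own code: iptables writes a port range as `--dport LOW:HIGH` and refuses one whose first port is greater than the second ("invalid portrange specified"), and because iptables-restore aborts at the first bad line, a single such rule keeps the whole batch from loading. The validator below rejects a high-to-low range before it is rendered, and `build_rules` separates loadable lines from rejected ones so one bad entry cannot take the others down with it. The chain name `nova-sg-default` and the function names are hypothetical; the sample rules are constructed from the ones in the report.

```python
"""Hypothetical validator for security-group port ranges (not nova's code).

iptables-restore rejects "--dport 80:60" with "invalid portrange specified"
and stops at that line, so every rule in the same batch stays unapplied.
Validating before the rule is stored is what the report asks nova to do.
"""


class InvalidPortRange(ValueError):
    """A port range iptables would refuse to load."""


def validate_port_range(ip_protocol, from_port, to_port):
    """Return (low, high) for a tcp/udp rule, or raise InvalidPortRange.

    Only tcp and udp carry port ranges in this example; icmp type/code
    handling is deliberately left out.
    """
    proto = ip_protocol.lower()
    if proto not in ("tcp", "udp"):
        raise InvalidPortRange("protocol %r carries no port range" % ip_protocol)
    for name, port in (("from_port", from_port), ("to_port", to_port)):
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise InvalidPortRange("%s=%r is not a port in 1..65535" % (name, port))
    if from_port > to_port:
        # The case from the report: 80-60 or 200-100 would render as
        # "--dport 80:60", which iptables-restore rejects.
        raise InvalidPortRange(
            "from_port %d is greater than to_port %d" % (from_port, to_port))
    return from_port, to_port


def is_valid_port_range(ip_protocol, from_port, to_port):
    """Boolean form of validate_port_range for callers that only need yes/no."""
    try:
        validate_port_range(ip_protocol, from_port, to_port)
        return True
    except InvalidPortRange:
        return False


def iptables_rule(chain, ip_protocol, from_port, to_port, cidr):
    """Render one ACCEPT rule in iptables-restore syntax (chain name is hypothetical)."""
    low, high = validate_port_range(ip_protocol, from_port, to_port)
    dport = str(low) if low == high else "%d:%d" % (low, high)
    return "-A %s -p %s -s %s --dport %s -j ACCEPT" % (
        chain, ip_protocol.lower(), cidr, dport)


def build_rules(chain, rules):
    """Split (proto, from_port, to_port, cidr) tuples into loadable and rejected.

    Rejecting bad rules up front keeps one malformed entry from aborting the
    entire iptables-restore run, which is what crashed nova-compute here.
    """
    accepted, rejected = [], []
    for proto, from_port, to_port, cidr in rules:
        try:
            accepted.append(iptables_rule(chain, proto, from_port, to_port, cidr))
        except InvalidPortRange as exc:
            rejected.append(((proto, from_port, to_port, cidr), str(exc)))
    return accepted, rejected


# Constructed input mirroring the report: the two high-to-low rules plus a valid one.
SAMPLE_RULES = [
    ("tcp", 80, 60, "0.0.0.0/0"),
    ("tcp", 200, 100, "0.0.0.0/0"),
    ("tcp", 22, 22, "0.0.0.0/0"),
]

if __name__ == "__main__":
    ok, bad = build_rules("nova-sg-default", SAMPLE_RULES)
    print("\n".join(ok))
    for rule, reason in bad:
        print("rejected %r: %s" % (rule, reason))
```

Run as a script it prints the one loadable line and the two rejected rules with their reasons; the same check belongs at the API layer so that the EC2 and native CLIs and the Dashboard all get a clean error instead of a stored rule that later breaks every firewall refresh on the compute node.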

Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → Medium
status: New → Confirmed
Changed in nova:
status: Confirmed → Fix Released