4350ed3c35
After taking a closer look at bug 1818385, I found a couple of follow-on things to fix in the security group code.

First, there are very few protocols that accept ports, especially via iptables. For this reason I think it's acceptable that the API rejects them as invalid.

Second, UDPlite has some interesting support in iptables. It does not support using --dport directly, but does using '-m multiport --dports 123', and also supports port ranges using '-m multiport --dports 123:124'. Added code for this special case.

Change-Id: Ifb2e6bb6c7a2e2987ba95040ef5a98ed50aa36d4
Closes-Bug: #1818385
12 lines
552 B
YAML
---
upgrade:
  - |
    The Neutron API now enforces that ports are a valid option for
    security group rules based on the protocol given, instead of
    relying on the backend firewall driver to do this enforcement,
    typically silently ignoring the port option in the rule. The
    valid set of whitelisted protocols that support ports are TCP,
    UDP, UDPLITE, SCTP and DCCP. Ports used with other protocols
    will now generate an HTTP 400 error. For more information, see
    bug `1818385 <https://bugs.launchpad.net/neutron/+bug/1818385>`_.
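Review bot: the upgrade note says ports used with other protocols "will now generate an HTTP 400 error" but does not say what happens to rules of that kind that were created before the upgrade, when the driver was "typically silently ignoring the port option". Since this sits under `upgrade:`, add a sentence telling operators whether such existing rules are left as they are or need to be recreated without ports. The UDPlite multiport handling described in the commit message is also not mentioned here; a short entry for it would record the firewall-driver side of the change.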
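The two changes the commit message describes, as an added Python example that is not Neutron's code: ports are rejected up front unless the protocol is in the release note's list, and UDPlite rules are rendered with `-m multiport --dports`. The function and exception names are hypothetical, and the bounds check (both ports required, 1 to 65535) is an assumption of the example.

```python
# Added example with hypothetical names; not Neutron's own code.
# Protocol set taken from the release note above.
PORT_PROTOCOLS = frozenset({"tcp", "udp", "udplite", "sctp", "dccp"})


class InvalidRule(ValueError):
    """Stands in for the HTTP 400 response the release note describes."""
    status = 400


def validate_ports(protocol, port_min=None, port_max=None):
    """Return (protocol, min, max) or raise InvalidRule, before any driver runs."""
    proto = None if protocol is None else str(protocol).lower()
    if port_min is None and port_max is None:
        return proto, None, None  # no ports requested: nothing to check
    if proto not in PORT_PROTOCOLS:
        raise InvalidRule(f"ports are not valid for protocol {protocol!r}")
    # Assumption of this example: both bounds required, 1..65535, min <= max.
    bounds = (port_min, port_max)
    if not all(isinstance(p, int) and not isinstance(p, bool) for p in bounds):
        raise InvalidRule("both port bounds must be integers")
    if not 1 <= port_min <= port_max <= 65535:
        raise InvalidRule(f"invalid port range {port_min}:{port_max}")
    return proto, port_min, port_max


def iptables_port_args(protocol, port_min=None, port_max=None):
    """Build the protocol and destination-port arguments for a validated rule."""
    proto, lo, hi = validate_ports(protocol, port_min, port_max)
    args = ["-p", proto] if proto else []
    if lo is None:
        return args
    spec = str(lo) if lo == hi else f"{lo}:{hi}"
    if proto == "udplite":
        # Per the commit message: no direct --dport for UDPlite, use multiport.
        return args + ["-m", "multiport", "--dports", spec]
    return args + ["--dport", spec]


if __name__ == "__main__":
    # Constructed sample rules: (protocol, port_min, port_max)
    for rule in [("tcp", 22, 22), ("UDPLite", 123, 124), ("gre", 80, 80)]:
        try:
            print(rule, "->", " ".join(iptables_port_args(*rule)))
        except InvalidRule as exc:
            print(rule, "->", exc.status, exc)
```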