From efe3ee865ecd0f5e875fb0b00d0ecbbf1c8ebc83 Mon Sep 17 00:00:00 2001
From: Tom Weininger
Date: Wed, 6 Nov 2024 11:44:04 +0100
Subject: [PATCH] Handle undefined protocol field in security group rules correctly
Prevent AttributeError when protocol field is None and skip processing of the rule instead.
Closes-Bug: #2086768
Change-Id: I35e96fdd2c28a005811d6fdedb570ccc65e30e0a
(cherry picked from commit 430854c1372885c6082393c5449fadf401578634)
---
 octavia/network/drivers/neutron/allowed_address_pairs.py | 5 +++--
 .../network/drivers/neutron/test_allowed_address_pairs.py | 3 ++-
 ...ecuritygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml | 5 +++++
 3 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml
diff --git a/octavia/network/drivers/neutron/allowed_address_pairs.py b/octavia/network/drivers/neutron/allowed_address_pairs.py
index 61334da91a..d450ea7635 100644
--- a/octavia/network/drivers/neutron/allowed_address_pairs.py
+++ b/octavia/network/drivers/neutron/allowed_address_pairs.py
@@ -194,12 +194,13 @@ class AllowedAddressPairsDriver(neutron_base.BaseNeutronDriver):
 # Don't remove egress rules and don't confuse other protocols with
 # None ports with the egress rules. VRRP uses protocol 51 and 112
 if (rule.get('direction') == 'egress' or
- rule.get('protocol').upper() not in
+ rule.get('protocol') is None or
+ rule['protocol'].upper() not in
 [constants.PROTOCOL_TCP, constants.PROTOCOL_UDP,
 lib_consts.PROTOCOL_SCTP]):
 continue
 old_ports.append((rule.get('port_range_max'),
- rule.get('protocol').lower(),
+ rule['protocol'].lower(),
 rule.get('remote_ip_prefix')))
 add_ports = set(updated_ports) - set(old_ports)
diff --git a/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py b/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py
index 25362a57fc..defdcd7571 100644
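Review bot: In the allowed_address_pairs.py hunk, the new `rule.get('protocol') is None` branch keeps rules without a protocol on the security group and does so silently, while the comment above the condition still explains only the egress and VRRP cases. In Neutron a null protocol normally means the rule matches every protocol, so an ingress rule of that kind is broader than the TCP/UDP/SCTP rules this code tracks; whether it belongs on this group cannot be told from the hunk. I would extend the comment with `# Rules with no protocol (any protocol) are not managed here and are left in place.` and consider a debug-level log entry naming the rule id when that branch is taken, so an operator can spot such a rule. The enclosing method starts and ends outside the hunk.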
--- a/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py
+++ b/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py
@@ -1071,7 +1071,8 @@ class TestAllowedAddressPairsDriver(base.TestCase):
 fake_rules = [
 {'id': 'rule-80', 'port_range_max': 80, 'protocol': 'tcp',
 'remote_ip_prefix': '10.0.101.0/24'},
- {'id': 'rule-22', 'port_range_max': 22, 'protocol': 'tcp'}
+ {'id': 'rule-22', 'port_range_max': 22, 'protocol': 'tcp'},
+ {'id': 'rule-None', 'port_range_max': 22},
 ]
 list_rules = self.driver.network_proxy.security_group_rules
 list_rules.return_value = fake_rules
diff --git a/releasenotes/notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml b/releasenotes/notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml
new file mode 100644
index 0000000000..9e6cd7f013
--- /dev/null
+++ b/releasenotes/notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Fixed potential AttributeError during listener update when security group
+ rule had no protocol defined (ie. it was null).
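Review bot: In the test_allowed_address_pairs.py hunk, the added fixture `{'id': 'rule-None', 'port_range_max': 22},` omits the key, whereas the commit message and release note describe a rule whose protocol is null. A second entry such as `{'id': 'rule-null', 'port_range_max': 22, 'protocol': None},` would exercise that value directly. Both forms take the same `rule.get('protocol') is None` path today, so this only matters for keeping the test meaningful if the lookup is changed later. The assertions lie outside the hunk; if none of them checks that the rule without a protocol is left in place rather than deleted, that is worth adding, because otherwise the test only shows that no exception is raised.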