Open Stack

Thanks Kevin. In that case I've tagged it as a security hardening
opportunity (removes a foot-cannon), and switched the advisory task to
won't-fix.

** Information type changed from Public Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1382562

Title:
  security groups remote_group fails with CIDR in address pairs

Status in OpenStack Neutron (virtual network service):
  In Progress
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Add a CIDR to allowed address pairs of a host. RPC calls from the
  agents will run into this issue now when retrieving the security group
  members' IPs. I haven't confirmed because I came across this working
  on other code, but I think this may stop all members of the security
  groups referencing that group from getting their rules over the RPC
  channel.

  
    File "neutron/api/rpc/handlers/securitygroups_rpc.py", line 75, in security_group_info_for_devices
      return self.plugin.security_group_info_for_ports(context, ports)
    File "neutron/db/securitygroups_rpc_base.py", line 202, in security_group_info_for_ports
      return self._get_security_group_member_ips(context, sg_info)
    File "neutron/db/securitygroups_rpc_base.py", line 209, in _get_security_group_member_ips
      ethertype = 'IPv%d' % netaddr.IPAddress(ip).version
    File "/home/administrator/code/neutron/.tox/py27/local/lib/python2.7/site-packages/netaddr/ip/__init__.py", line 281, in __init__
      % self.__class__.__name__)
  ValueError: IPAddress() does not support netmasks or subnet prefixes! See documentation for details.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1382562/+subscriptions