Handle undefined protocol field in security group rules correctly

Prevent AttributeError when protocol field is None and skip processing of the rule instead. Closes-Bug: #2086768 Change-Id: I35e96fdd2c28a005811d6fdedb570ccc65e30e0a (cherry picked from commit 430854c)
stackhpc · Nov 11, 2024 · efe3ee8 · efe3ee8
1 parent 5a039fc
commit efe3ee8
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/octavia/network/drivers/neutron/allowed_address_pairs.py b/octavia/network/drivers/neutron/allowed_address_pairs.py
@@ -194,12 +194,13 @@ def _update_security_group_rules(self, load_balancer, sec_grp_id):
             # Don't remove egress rules and don't confuse other protocols with
             # None ports with the egress rules.  VRRP uses protocol 51 and 112
             if (rule.get('direction') == 'egress' or
-                    rule.get('protocol').upper() not in
+                    rule.get('protocol') is None or
+                    rule['protocol'].upper() not in
                     [constants.PROTOCOL_TCP, constants.PROTOCOL_UDP,
                      lib_consts.PROTOCOL_SCTP]):
                 continue
             old_ports.append((rule.get('port_range_max'),
-                              rule.get('protocol').lower(),
+                              rule['protocol'].lower(),
                               rule.get('remote_ip_prefix')))
 
         add_ports = set(updated_ports) - set(old_ports)

diff --git a/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py b/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py
@@ -1071,7 +1071,8 @@ def test_update_vip(self):
         fake_rules = [
             {'id': 'rule-80', 'port_range_max': 80, 'protocol': 'tcp',
              'remote_ip_prefix': '10.0.101.0/24'},
-            {'id': 'rule-22', 'port_range_max': 22, 'protocol': 'tcp'}
+            {'id': 'rule-22', 'port_range_max': 22, 'protocol': 'tcp'},
+            {'id': 'rule-None', 'port_range_max': 22},
         ]
         list_rules = self.driver.network_proxy.security_group_rules
         list_rules.return_value = fake_rules

diff --git a/.../notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml b/.../notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixed potential AttributeError during listener update when security group
+    rule had no protocol defined (ie. it was null).