yahoo-eng-team team mailing list archive

[Bug 1301838] [NEW] SG rule should not allow an ICMP Policy when icmp-code alone is provided.

 

Public bug reported:

When we add a Security Group ICMP rule with icmp-type/code, the rule
gets added properly and it translates to an appropriate firewall policy.

It was noticed that when adding a security group rule without providing the icmp-type and only providing the icmp-code, there is no error.
But the iptables rule that gets added is a generic one.

Example:
neutron --debug security-group-rule-create 4b3a5866-8cdd-4e15-b51b-9523ede2f6f8 --protocol icmp --direction ingress --ethertype ipv4 --port-range-max 4

translates to an iptables rule like
-A neutron-openvswi-i49e920d5-c -p icmp -j RETURN

The Security Group rules listing in Horizon/neutron-client display the icmp rule with port-range as None-<icmp-code>.
This could be misleading as it is inconsistent.
It would be good if validation is done when "--port-range-max" is passed without providing the "--port-range-min" so that SG Group rules are consistent with the iptables rules that are added.

** Affects: neutron
     Importance: Undecided
     Assignee: Sridhar Gaddam (sridhargaddam)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => Sridhar Gaddam (sridhargaddam)

** Description changed:

- When we add an Security Group ICMP Policy with icmp-type/code, the
- policy gets added properly and it translates to an appropriate firewall
- policy.
+ When we add an Security Group ICMP rule with icmp-type/code, the rule
+ gets added properly and it translates to an appropriate firewall policy.
  
- It was noticed that when adding a security group policy, without providing the icmp-type and only providing the icmp-code, there is no error. 
- But the iptables rule that gets added is a generic one. 
+ It was noticed that when adding a security group rule, without providing the icmp-type and only providing the icmp-code, there is no error.
+ But the iptables rule that gets added is a generic one.
  
  Example:
  neutron --debug security-group-rule-create 4b3a5866-8cdd-4e15-b51b-9523ede2f6f8 --protocol icmp --direction ingress --ethertype ipv4 --port-range-max 4
  
- translates to a iptables rule like 
- -A neutron-openvswi-i49e920d5-c -p icmp -j RETURN 
+ translates to a iptables rule like
+ -A neutron-openvswi-i49e920d5-c -p icmp -j RETURN
  
- The Security Group rules listing in Horizon/neutron-client display the icmp rule with port-range as None-<icmp-code>. 
- This could be misleading as it is inconsistent. 
+ The Security Group rules listing in Horizon/neutron-client display the icmp rule with port-range as None-<icmp-code>.
+ This could be misleading as it is inconsistent.
  It would be good if validation is done when "--port-range-max" is passed without providing the "--port-range-min" so that SG Group rules are consistent with the iptable rules that are added.
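The check the report asks for, as an added example written for this page (it is not Neutron's own code). In Neutron's security-group model the ICMP type is carried in port_range_min and the ICMP code in port_range_max, which is what the two CLI flags in the report set. The function names, the rule dictionary layout and the chain name are assumptions made for the example; the iptables output mirrors the behaviour the report describes (a generic "-p icmp" match when no type is present, an "--icmp-type" match otherwise).

```python
"""Added example (not Neutron's code): validate an ICMP security-group rule
and render the iptables match it would produce.

Rule layout assumed for the example: a dict with "protocol",
"port_range_min" (ICMP type) and "port_range_max" (ICMP code).
"""

ICMP_PROTOCOLS = ("icmp", "icmpv6")


def validate_icmp_rule(rule):
    """Reject the inconsistent case from the bug: a code without a type.

    Returns None when the rule is acceptable, otherwise an error string.
    Non-ICMP rules are not this function's concern and pass through.
    """
    if rule.get("protocol") not in ICMP_PROTOCOLS:
        return None
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    if icmp_type is None and icmp_code is not None:
        return ("ICMP code (port_range_max) given without ICMP type "
                "(port_range_min)")
    # ICMP type and code are single bytes on the wire.
    if icmp_type is not None and not 0 <= icmp_type <= 255:
        return "ICMP type must be in 0-255"
    if icmp_code is not None and not 0 <= icmp_code <= 255:
        return "ICMP code must be in 0-255"
    return None


def icmp_iptables_match(rule, chain="neutron-openvswi-iEXAMPLE"):
    """Render the iptables rule an ICMP SG rule maps to.

    With no type the match is the generic "-p icmp" seen in the report;
    with a type (and optionally a code) an --icmp-type match is added.
    The chain name is a placeholder, not a real Neutron port chain.
    """
    proto = rule["protocol"]
    parts = ["-A", chain, "-p", proto]
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    if icmp_type is not None:
        spec = str(icmp_type) if icmp_code is None else f"{icmp_type}/{icmp_code}"
        # ip6tables spells the match --icmpv6-type for -p icmpv6.
        flag = "--icmp-type" if proto == "icmp" else "--icmpv6-type"
        parts += [flag, spec]
    parts += ["-j", "RETURN"]
    return " ".join(parts)


def create_rule(rule):
    """Validate first, then translate; raises ValueError on the bad case."""
    err = validate_icmp_rule(rule)
    if err:
        raise ValueError(err)
    return icmp_iptables_match(rule)


if __name__ == "__main__":
    # Constructed inputs: the rule from the report (code 4, no type) and a
    # well-formed echo-request rule (type 8, code 0).
    for sample in ({"protocol": "icmp", "port_range_max": 4},
                   {"protocol": "icmp", "port_range_min": 8, "port_range_max": 0}):
        try:
            print(create_rule(sample))
        except ValueError as exc:
            print(f"rejected {sample}: {exc}")
```

Running the module shows the report's rule being rejected before anything reaches iptables, while the fully specified rule renders as a narrow "--icmp-type 8/0" match; without the validation step the first rule would silently become the generic "-p icmp -j RETURN" the report quotes.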

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1301838


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1301838/+subscriptions
