yahoo-eng-team team mailing list archive, Message #15406
[Bug 1327955] [NEW] fwaas:Error not thrown when setting protocol as icmp and destination /source port while creating firewall rule
Public bug reported:
Error not thrown when setting protocol as icmp and destination /source
port while creating firewall rule
Steps to Reproduce:
Create a firewall rule with protocol as icmp and destination port as 20.
Actual Results:
It is creating a firewall rule with protocol as icmp and destination port as 20 in the CLI. However, since the icmp protocol doesn't use source/destination ports, it was taken only as ICMP in the output of iptables-save in the router.
Expected Results:
The CLI should throw an error.
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-iv426dd1dbb
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-ov426dd1dbb
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
-A neutron-l3-agent-fwaas-defau -j DROP
-A neutron-l3-agent-iv426dd1dbb -m state --state INVALID -j DROP
-A neutron-l3-agent-iv426dd1dbb -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv426dd1dbb -p icmp -j DROP    <-- taken as only icmp
-A neutron-l3-agent-ov426dd1dbb -m state --state INVALID -j DROP
-A neutron-l3-agent-ov426dd1dbb -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov426dd1dbb -p icmp -j DROP
root@IH-HL-OSC:~# fwrc --name r9 --protocol icmp --destination-port 20 --action deny
Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | deny                                 |
| description            |                                      |
| destination_ip_address |                                      |
| destination_port       | 20                                   |  <-- port 20 also taken
| enabled                | True                                 |
| firewall_policy_id     |                                      |
| id                     | 29bca0ca-17c8-4fc8-a816-c14ce2824bed |
| ip_version             | 4                                    |
| name                   | r9                                   |
| position               |                                      |
| protocol               | icmp                                 |
| shared                 | False                                |
| source_ip_address      |                                      |
| source_port            |                                      |
| tenant_id              | 8aac6cceec774dec8821d76e0c1bdd8c     |
+------------------------+--------------------------------------+
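The validation the report asks for, as an added example that is not Neutron's or neutron-fwaas's own code: validate_rule() rejects a rule that names ICMP together with a source or destination port (and a port without tcp/udp), and rule_to_iptables_args() shows why the port is silently lost today, since only tcp/udp get a port match when the rule is rendered. The protocol names and the "N:M" port-range syntax are assumptions, not taken from the page.

```python
# Added example, not project code. Field names follow the CLI table in the
# report; ICMP protocol names and the port-range syntax are assumed.
ICMP_PROTOCOLS = {"icmp", "ipv6-icmp"}   # assumed set; the page shows "icmp"
PORT_PROTOCOLS = {"tcp", "udp"}          # only these carry L4 ports


class InvalidFirewallRule(ValueError):
    """Raised for a protocol/port combination that cannot be rendered."""


def _check_port(value, field):
    """Accept 'N' or 'N:M' with 0 <= N <= M <= 65535; return normalized text."""
    parts = value.split(":")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise InvalidFirewallRule("%s: bad port spec %r" % (field, value))
    nums = [int(p) for p in parts]
    if any(n > 65535 for n in nums) or nums != sorted(nums):
        raise InvalidFirewallRule("%s: port out of range %r" % (field, value))
    return ":".join(str(n) for n in nums)


def validate_rule(rule):
    """Reject ICMP rules carrying ports, and ports without a port protocol."""
    proto = (rule.get("protocol") or "").lower() or None
    ports = {f: rule[f] for f in ("source_port", "destination_port") if rule.get(f)}
    if proto in ICMP_PROTOCOLS and ports:
        raise InvalidFirewallRule("%s not allowed when protocol is %s"
                                  % (", ".join(sorted(ports)), proto))
    if ports and proto not in PORT_PROTOCOLS:
        raise InvalidFirewallRule("source/destination port require tcp or udp")
    for field, value in ports.items():
        _check_port(value, field)
    return True


def rejects(rule):
    """True when validate_rule() refuses the rule (helper for checks)."""
    try:
        validate_rule(rule)
    except InvalidFirewallRule:
        return True
    return False


def rule_to_iptables_args(rule):
    """Render the match part of a rule the way the report's iptables-save shows it."""
    proto = rule.get("protocol")
    args = ["-p", proto] if proto else []
    if proto in PORT_PROTOCOLS:           # ports are only emitted for tcp/udp
        for field, flag in (("source_port", "--sport"), ("destination_port", "--dport")):
            if rule.get(field):
                args += ["-m", proto, flag, rule[field]]
    return " ".join(args + ["-j", "DROP" if rule.get("action") == "deny" else "ACCEPT"])
```

With the report's rule (protocol icmp, destination_port 20, action deny) the renderer yields "-p icmp -j DROP", exactly the line flagged in the report, while validate_rule() refuses it up front.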
** Affects: neutron
Importance: Undecided
Status: New
** Tags: fwaas
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1327955
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1327955/+subscriptions