yahoo-eng-team team mailing list archive
Message #29393
[Bug 1301838] Re: SG rule should not allow an ICMP Policy when icmp-code alone is provided.
** Also affects: neutron/icehouse
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1301838
Title:
SG rule should not allow an ICMP Policy when icmp-code alone is
provided.
Status in OpenStack Neutron (virtual network service):
Fix Released
Status in neutron icehouse series:
New
Bug description:
When we add a Security Group ICMP rule with icmp-type/code, the rule
gets added properly and it translates to an appropriate firewall
policy.
It was noticed that when adding a security group rule without
providing the icmp-type (port-range-min) and only providing the icmp-
code (port-range-max), no error is reported, but there is a mismatch
with the iptables rule (a generic icmp policy gets added).
Example:
neutron --debug security-group-rule-create 4b3a5866-8cdd-4e15-b51b-9523ede2f6f8 --protocol icmp --direction ingress --ethertype ipv4 --port-range-max 4
translates to an iptables rule like
-A neutron-openvswi-i49e920d5-c -p icmp -j RETURN
The Security Group rules listing in Horizon/neutron-client display the icmp rule with port-range as None-<icmp-code>.
This could be misleading and is inconsistent.
It would be good if validation is done on the input to check that "--port-range-max" is passed when "--port-range-min" is provided so that SG Group rules are consistent with the iptable rules that are added.
Please note: iptables does not allow us to add an icmp rule
when an icmp-type is not provided and only icmp-code is provided.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1301838/+subscriptions
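The inconsistency described in the bug, as an added illustration that is not Neutron's own code: a validation step that rejects an ICMP rule carrying only an icmp-code, beside a renderer showing how such a rule degrades to a generic `-p icmp` match when the check is missing. Field names `port_range_min`/`port_range_max` mirror the CLI options in the report; the function names are assumptions.

```python
# Added example (not Neutron code): reproduce the bug's code-only ICMP
# rule and the validation that closes the gap.


def iptables_icmp_match(rule: dict) -> str:
    """Render the protocol-match part of the iptables rule for an ICMP
    security-group rule (IPv4 only). port_range_min is the icmp-type,
    port_range_max the icmp-code, as in the bug report."""
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    if icmp_type is None:
        # Behaviour reported in the bug: with no type, the code is dropped
        # and a generic match is produced ("-p icmp -j RETURN").
        return "-p icmp"
    if icmp_code is None:
        return f"-p icmp --icmp-type {icmp_type}"
    return f"-p icmp --icmp-type {icmp_type}/{icmp_code}"


def validate_icmp_rule(rule: dict) -> dict:
    """Reject the inconsistent case: icmp-code without icmp-type.
    Non-ICMP rules are returned untouched (port-range checks differ)."""
    if rule.get("protocol") != "icmp":
        return rule
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    if icmp_type is None and icmp_code is not None:
        raise ValueError("ICMP code (--port-range-max) given without "
                         "ICMP type (--port-range-min)")
    for name, value in (("type", icmp_type), ("code", icmp_code)):
        if value is not None and not 0 <= int(value) <= 255:
            raise ValueError(f"ICMP {name} {value} outside 0-255")
    return rule


def rule_is_consistent(rule: dict) -> bool:
    """True when the rule would pass validation and so match its
    iptables translation; False for the code-only case from the bug."""
    try:
        validate_icmp_rule(rule)
    except ValueError:
        return False
    return True
```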