yahoo-eng-team team mailing list archive

[Bug 1301838] Re: SG rule should not allow an ICMP Policy when icmp-code alone is provided.

** Also affects: neutron/icehouse
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1301838

Title:
  SG rule should not allow an ICMP Policy when icmp-code alone is
  provided.

Status in OpenStack Neutron (virtual network service):
  Fix Released
Status in neutron icehouse series:
  New

Bug description:
  When we add a Security Group ICMP rule with icmp-type/code, the rule
  gets added properly and it translates to an appropriate firewall
  policy.

  It was noticed that when adding a security group rule without
  providing the icmp-type (port-range-min) and only providing the
  icmp-code (port-range-max), no error is reported, but there is a
  mismatch with the iptables rule (a generic icmp policy gets added).

  Example:
  neutron --debug security-group-rule-create 4b3a5866-8cdd-4e15-b51b-9523ede2f6f8 --protocol icmp --direction ingress --ethertype ipv4 --port-range-max 4

  translates to an iptables rule like
  -A neutron-openvswi-i49e920d5-c -p icmp -j RETURN

  The Security Group rules listing in Horizon/neutron-client display the icmp rule with port-range as None-<icmp-code>.
  This could be misleading and is inconsistent.
  It would be good if validation is done on the input to check that "--port-range-max" is passed when "--port-range-min" is provided, so that SG Group rules are consistent with the iptables rules that are added.

  Please note: iptables does not allow us to add an icmp rule
  when an icmp-type is not provided and only icmp-code is provided.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1301838/+subscriptions
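The validation the report asks for, as an added example that is not Neutron's own code: it refuses an ICMP rule whose port_range_max (icmp-code) is set while port_range_min (icmp-type) is missing, and shows the iptables match each accepted form is expected to produce. The field names follow the Neutron security-group-rule API; the translation function and the placeholder chain name are assumptions written for illustration.

```python
"""Added example (not Neutron code): pair the ICMP type/code check
requested in bug 1301838 with the iptables translation it protects."""


class InvalidSecurityGroupRule(ValueError):
    """Raised when a rule would silently become a broader firewall policy."""


def validate_icmp_rule(rule):
    """Reject an ICMP rule that carries an icmp-code without an icmp-type.

    For protocol 'icmp', Neutron stores the ICMP type in port_range_min and
    the ICMP code in port_range_max.  iptables cannot match on a code alone,
    so a rule with only port_range_max would degrade to a generic '-p icmp'
    match; refuse it at the API boundary instead.  Non-ICMP rules pass.
    """
    if rule.get("protocol") != "icmp":
        return rule
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    if icmp_code is not None and icmp_type is None:
        raise InvalidSecurityGroupRule(
            "ICMP code (port_range_max=%s) given without an ICMP type "
            "(port_range_min)" % icmp_code)
    for name, value in (("type", icmp_type), ("code", icmp_code)):
        if value is not None and not 0 <= int(value) <= 255:
            raise InvalidSecurityGroupRule("ICMP %s out of range: %s" % (name, value))
    return rule


def icmp_rule_to_iptables(rule, chain="neutron-openvswi-iPLACEHOLDER"):
    """Return the iptables rule the validated SG rule should translate to.

    Mapping (assumed, mirroring the behaviour described in the report):
    no type -> generic ICMP match, type only -> --icmp-type T,
    type and code -> --icmp-type T/C.  The chain name is a placeholder.
    """
    validate_icmp_rule(rule)
    args = ["-A", chain, "-p", "icmp"]
    icmp_type, icmp_code = rule.get("port_range_min"), rule.get("port_range_max")
    if icmp_type is not None:
        match = str(icmp_type) if icmp_code is None else "%s/%s" % (icmp_type, icmp_code)
        args += ["--icmp-type", match]
    return " ".join(args + ["-j", "RETURN"])
```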
