yahoo-eng-team team mailing list archive

[Bug 1507846] [NEW] Filtering ICMP packet based on ICMP code

 

Public bug reported:

Summary: Support for filtering based on ICMP codes is missing in OpenStack firewall.
Further information:
        High level description: Currently OpenStack firewall rules allow filtering of ICMP packets. However, filtering is done for all ICMP packets. There can be a possible improvement in the firewall rules, by introducing filtration of ICMP packets based on the ICMP packet type/code.
There are various possible ICMP packet types (for example, packet type 8 corresponds to ICMP Echo while packet type 0 is an ICMP Echo Response). It is possible to provide a more channeled functionality to the user by providing the support for filtration based on ICMP packets.

        Pre-conditions: As this is more of a feature improvement than an all-out bug, there are no specific preconditions. However, the following requirements can be mapped to the pre-condition of the bug:
       * User wants to create a firewall which allows incoming ICMP pings, but blocks ICMP ping from the current subnet.
       [ Note ]:
       (a) This is applicable to all tenants
       (b) This feature assumes the requirement that user wants a Node to accept a ping request and respond to it, but not to send a request out.

        Step-by-step reproduction steps:
       * User creates a firewall rule with ICMP protocol with specific source/destination IP.
       * User creates a firewall rule with specific ports.
       * User cannot proceed with the rule which allows his requirement to be fulfilled (allows incoming ICMP ping requests, but blocks outgoing ICMP ping requests).

        Expected output: User should be able to create a firewall rule,
which allows the user's requirement to be fulfilled.

        Actual output: Such a facility in the firewall rule is not
available.

        Version:
            OpenStack version (Specific stable branch, or git hash if from trunk): Tag ID : c1310f32fbb6dfa958bb31152ee5b492b177c6cb
            Linux distro, kernel.: Ubuntu 14.04
            DevStack or other _deployment_ mechanism?
        Environment: Neutron with Firewall Extensions, on a single node machine.
                                 However, the above requirement is independent of the environment.
        Perceived severity: Medium/Low depending on the importance of Deep Packet Inspection.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: fwaas

** Description changed:

-     Summary (Bug title): Support for filtering based on ICMP codes is missing in Openstack firewall.
-     Further information (Bug description):
-         High level description: Currently Openstack firewall rules allow filtering of ICMP packets.However filtering is done for all ICMP packets. There can be a possible improvement in the Firewall rules, by introducing filetration of ICMP packets based on the ICMP packet type/code.
+ Summary : Support for filtering based on ICMP codes is missing in Openstack firewall.
+ Further information :
+         High level description: Currently Openstack firewall rules allow filtering of ICMP packets.However filtering is done for all ICMP packets. There can be a possible improvement in the Firewall rules, by introducing filetration of ICMP packets based on the ICMP packet type/code.
  There are various possible ICMP packet types ( for example, Packet type 8 corresponds to ICMP Echo while Packet type 0 is an ICMP Echo Response). It is possible to provide a more channeled functionality to the user by providing the support for filteration based on ICMP packets.
  
-         Pre-conditions:  As this is more of a feature improvement than an all out bug,there are no specific precondition. However, the following requirements can be mapped to the pre-condition of the bug:
-        * User wants to create a firewall which allows incoming ICMP pings, but blocks ICMP ping from the current subnet.
-        [ Note ]:
-        (a) This is applicable to all tenants
-        (b) This feature assumes the requirement that user wants a Node to accept a ping request and respond to it, but not to send a request out.
-     
-         Step-by-step reproduction steps: 
-        * User creates a firewall rule with  ICMP protocol with specific source/destination IP.
-        * User creates a firewall rule with specific ports.
-        * User cannot proceed with the rule which allows his requirement to be fulfilled. ( allows incoming ICMP ping requests, but blocks outgoing ICMP ping requests)
+         Pre-conditions:  As this is more of a feature improvement than an all out bug,there are no specific precondition. However, the following requirements can be mapped to the pre-condition of the bug:
+        * User wants to create a firewall which allows incoming ICMP pings, but blocks ICMP ping from the current subnet.
+        [ Note ]:
+        (a) This is applicable to all tenants
+        (b) This feature assumes the requirement that user wants a Node to accept a ping request and respond to it, but not to send a request out.
  
-         Expected output: User should be able to create a Firewall rule,
+         Step-by-step reproduction steps:
+        * User creates a firewall rule with  ICMP protocol with specific source/destination IP.
+        * User creates a firewall rule with specific ports.
+        * User cannot proceed with the rule which allows his requirement to be fulfilled. ( allows incoming ICMP ping requests, but blocks outgoing ICMP ping requests)
+ 
+         Expected output: User should be able to create a Firewall rule,
  which allows the userś requirement to be fulfilled.
  
-         Actual output: Such a facility in the firewall rule is not
+         Actual output: Such a facility in the firewall rule is not
  available.
  
-         Version:
-             OpenStack version (Specific stable branch, or git hash if from trunk): Tag ID : c1310f32fbb6dfa958bb31152ee5b492b177c6cb
-             Linux distro, kernel.: Ubuntu 14.04
-             DevStack or other _deployment_ mechanism?
-         Environment: Neutron with Firewall Extensions, on a single node machine.
-                                  However, the above requirement is independent of the environment.
-         Perceived severity: Medium/Low depending on the importance of Deep Packet Inspection 
-     Tags (Affected component): fwaas
-     Attachments: NA
+         Version:
+             OpenStack version (Specific stable branch, or git hash if from trunk): Tag ID : c1310f32fbb6dfa958bb31152ee5b492b177c6cb
+             Linux distro, kernel.: Ubuntu 14.04
+             DevStack or other _deployment_ mechanism?
+         Environment: Neutron with Firewall Extensions, on a single node machine.
+                                  However, the above requirement is independent of the environment.
+         Perceived severity: Medium/Low depending on the importance of Deep Packet Inspection.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1507846

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1507846/+subscriptions
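
An added illustration (not part of the original bug report and not Neutron/FWaaS code) of the behaviour requested above: first-match rules that key on ICMP type and code, so echo requests are accepted inbound while outbound echo requests are dropped. The names `IcmpRule`, `decide` and `POLICY` are hypothetical, and the ICMP messages are constructed in the script.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ECHO_REPLY, ECHO_REQUEST = 0, 8  # the two ICMPv4 types named in the report

@dataclass(frozen=True)
class IcmpRule:                      # hypothetical rule shape, not the FWaaS model
    direction: str                   # "ingress" or "egress", relative to the node
    action: str                      # "allow" or "deny"
    icmp_type: Optional[int] = None  # None = any type (the protocol-only rule)
    icmp_code: Optional[int] = None  # None = any code

    def matches(self, direction, icmp_type, icmp_code):
        return (self.direction == direction
                and self.icmp_type in (None, icmp_type)
                and self.icmp_code in (None, icmp_code))

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a valid ICMP message checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, icmp_code, payload=b"constructed"):
    """Constructed test message: 8-byte header (id=1, seq=1) plus payload."""
    fields = [icmp_type, icmp_code, 0, 1, 1]
    fields[2] = checksum(struct.pack("!BBHHH", *fields) + payload)
    return struct.pack("!BBHHH", *fields) + payload

def decide(rules, direction, msg, default="deny"):
    """First matching rule wins; truncated or corrupt messages are denied."""
    if len(msg) < 8 or checksum(msg) != 0:
        return "deny"
    for rule in rules:
        if rule.matches(direction, msg[0], msg[1]):  # byte 0 = type, byte 1 = code
            return rule.action
    return default

# The report's requirement: the node answers pings but cannot originate them.
POLICY = [
    IcmpRule("ingress", "allow", ECHO_REQUEST, 0),
    IcmpRule("egress", "allow", ECHO_REPLY, 0),
    IcmpRule("egress", "deny", ECHO_REQUEST, 0),
]
```

A rule with no type or code, such as `IcmpRule("egress", "allow")`, matches every ICMP message in that direction, which is the protocol-only filtering the report describes as the current state.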