
yahoo-eng-team team mailing list archive

[Bug 1507846] Re: Filtering ICMP packet based on ICMP code

 

[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1507846

Title:
  Filtering ICMP packet based on ICMP code

Status in neutron:
  Expired

Bug description:
  (a) Summary: Support for filtering based on ICMP codes is missing in OpenStack firewall.
  Further information:
  (b) High level description: Currently OpenStack firewall rules allow filtering of ICMP packets. However, filtering is done for all ICMP packets. There can be a possible improvement in the firewall rules, by introducing filtration of ICMP packets based on the ICMP packet type/code.
  There are various possible ICMP packet types (for example, packet type 8 corresponds to ICMP Echo while packet type 0 is an ICMP Echo Response). It is possible to provide a more channeled functionality to the user by providing the support for filtration based on ICMP packets.

  (b.1) Pre-conditions: As this is more of a feature improvement than an all out bug, there are no specific preconditions. However, the following requirements can be mapped to the pre-condition of the bug:
         * User wants to create a firewall which allows incoming ICMP pings, but blocks ICMP ping from the current subnet.
         [ Note ]:
         (a) This is applicable to all tenants
         (b) This feature assumes the requirement that user wants a Node to accept a ping request and respond to it, but not to send a request out.

  (b.2) Step-by-step reproduction steps:
         * User creates a firewall rule with ICMP protocol with specific source/destination IP.
         * User creates a firewall rule with specific ports.
         * User cannot proceed with the rule which allows his requirement to be fulfilled (allows incoming ICMP ping requests, but blocks outgoing ICMP ping requests).

  (b.3) Expected output: User should be able to create a firewall rule
  which allows the user's requirement to be fulfilled.

  (b.4)Actual output: Such a facility in the firewall rule is not
  available.

  (b.5)Version:
  OpenStack version (Specific stable branch, or git hash if from trunk): Tag ID : c1310f32fbb6dfa958bb31152ee5b492b177c6cb
  Linux distro, kernel.: Ubuntu 14.04
  DevStack or other _deployment_ mechanism: devstack
  Environment: Neutron with Firewall Extensions, on a single node machine. However, the above requirement is independent of the environment.

  (c)Perceived severity: Medium/Low depending on the importance of Deep
  Packet Inspection.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1507846/+subscriptions
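
The policy requested in the bug description (accept and answer pings, but never originate them) can only be expressed when rules match on ICMP type/code and direction. The following is an added example, not part of the original report and not Neutron code; the IcmpRule shape, function names and default-deny behaviour are assumptions made for illustration, and it goes slightly beyond the report by also rejecting truncated or checksum-invalid messages.

```python
import struct
from typing import NamedTuple, Optional

class IcmpRule(NamedTuple):
    # Hypothetical rule shape for illustration; not Neutron's FWaaS schema.
    direction: str              # "ingress" or "egress"
    action: str                 # "allow" or "deny"
    icmp_type: Optional[int]    # None matches any type
    icmp_code: Optional[int]    # None matches any code

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message: type, code, checksum, rest of header."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload

def parse_type_code(message: bytes):
    """Return (type, code), or None for truncated or corrupt messages."""
    if len(message) < 8 or icmp_checksum(message) != 0:
        return None
    return message[0], message[1]

def evaluate(rules, direction: str, message: bytes) -> str:
    """First matching rule wins; unmatched or unparseable traffic is denied."""
    parsed = parse_type_code(message)
    if parsed is None:
        return "deny"
    icmp_type, code = parsed
    for r in rules:
        if (r.direction == direction and r.icmp_type in (None, icmp_type)
                and r.icmp_code in (None, code)):
            return r.action
    return "deny"

# Policy from the bug description: answer pings, but do not originate them.
PING_RESPONDER_ONLY = [
    IcmpRule("ingress", "allow", 8, 0),   # Echo Request coming in
    IcmpRule("egress", "allow", 0, 0),    # Echo Reply going out
    IcmpRule("egress", "deny", 8, None),  # Echo Request going out
]
```

A protocol-only ICMP rule cannot separate the first and third entries, since both are Echo Requests and differ only in direction, while the second entry differs from them only in ICMP type.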

