
yahoo-eng-team team mailing list archive

[Bug 1743552] [NEW] iptables security group driver failed to apply when rule protocol is icmp/icmpv6 alias


Public bug reported:

* Summary
When a security group rule is created with protocol number 1, 58 or icmpv6, with port_range_min supplied as icmp-type, the iptables security group driver will fail to apply the rules.

* Environment

devstack + openvswitch-agent + securitygroup firewall_driver=iptables-hybrid

* Step-by-step reproduction steps:
  1. Create a network and a subnet
  2. boot a VM in the network
  3. create a new security group rule as follows in the SG of the VM's port:
    - openstack security group rule create --ethertype IPv4 --icmp-type 8 --icmp-code 0 --protocol 1 --ingress <SG_ID>
    - openstack security group rule create --ethertype IPv6 --icmp-type 128 --icmp-code 0 --protocol 58 --ingress <SG_ID>
    - openstack security group rule create --ethertype IPv6 --icmp-type 128 --icmp-code 0 --protocol icmpv6 --ingress <SG_ID>
  4. check neutron-openvswitch-agent's LOG

* Expected output:
  - SG rules are successfully created and applied on the port without errors

* Actual output:
  - SG rules are successfully created
  - Errors in neutron-openvswitch-agent's LOG about iptables/ip6tables failing to apply
  - Wrong iptables/ip6tables rule is generated:
    - "Stderr: iptables-restore v1.6.1: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP"
    - -I neutron-openvswi-if1905f5e-9 5 -p icmp -m icmp -m multiport --dports 8:0 -j RETURN
    - -I neutron-openvswi-if1905f5e-9 8 -p ipv6-icmp -m icmp6 -m multiport --dports 128:0 -j RETURN

** Affects: neutron
     Importance: Undecided
     Assignee: Hunt Xu (huntxu)
         Status: In Progress


** Tags: sg-fw

** Changed in: neutron
     Assignee: (unassigned) => Hunt Xu (huntxu)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1743552
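As an added example that is not Neutron's own code, the Python below shows the normalisation the report describes as missing: protocol numbers 1 and 58 and the alias icmpv6 are mapped to the canonical ICMP protocol before the driver decides between `-m icmp`/`--icmp-type` and `-m multiport`, so the three reproduction rules yield a type/code match instead of the `--dports 8:0` line quoted above. The function names, the alias table and the sample rule inputs are assumptions for this illustration.

```python
# Added example, not Neutron's code; names and alias table are assumptions.
# Aliases accepted on the API side, mapped to the name iptables expects.
ICMP_ALIASES = {
    "IPv4": {"icmp": "icmp", "1": "icmp"},
    "IPv6": {"icmp": "ipv6-icmp", "icmpv6": "ipv6-icmp",
             "ipv6-icmp": "ipv6-icmp", "58": "ipv6-icmp"},
}
# For ICMP, port_range_min/max carry the ICMP type/code, not ports.
ICMP_MATCH = {"icmp": ("icmp", "--icmp-type"),
              "ipv6-icmp": ("icmp6", "--icmpv6-type")}
# Protocols listed in the iptables-restore error quoted in the report.
MULTIPORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp", "dccp"}


def normalize_protocol(ethertype, protocol):
    """Canonical protocol name for this ethertype (None if unset)."""
    if protocol is None:
        return None
    proto = str(protocol).lower()
    return ICMP_ALIASES[ethertype].get(proto, proto)


def build_match(ethertype, protocol, port_range_min=None, port_range_max=None):
    """Return the iptables match tokens for one security group rule."""
    proto = normalize_protocol(ethertype, protocol)
    if proto is None:
        return []
    args = ["-p", proto]
    if port_range_min is None:
        return args  # no type/ports given: match on protocol alone
    if proto in ICMP_MATCH:
        module, option = ICMP_MATCH[proto]
        value = str(port_range_min)
        if port_range_max is not None:
            value += "/%s" % port_range_max  # ICMP type/code, e.g. 8/0
        return args + ["-m", module, option, value]
    if proto not in MULTIPORT_PROTOCOLS:
        # Same restriction iptables-restore enforces; fail before applying.
        raise ValueError("multiport only works with TCP, UDP, UDPLITE, "
                         "SCTP and DCCP, got %s" % proto)
    if port_range_max in (None, port_range_min):
        ports = str(port_range_min)
    else:
        ports = "%s:%s" % (port_range_min, port_range_max)
    return args + ["-m", "multiport", "--dports", ports]


def render_rule(chain, position, match, target="RETURN"):
    """Full iptables-restore line like the ones quoted in the report."""
    return " ".join(["-I", chain, str(position)] + match + ["-j", target])
```

Rejecting a non-multiport protocol in `build_match` surfaces the mistake at rule-generation time rather than as an iptables-restore failure in the agent log.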
