yahoo-eng-team team mailing list archive
Message #77136
[Bug 1816955] [NEW] [Fwaasv1][Fwaasv2] can update a firewall rule with ICMP protocol when source/destination port is specified, which should not be allowed
You have been subscribed to a public bug:
When creating a firewall group rule with protocol icmp, a source/destination port and any action,
it throws the following error:
nicira@utu1604template:/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/v2$ openstack firewall group rule create --protocol icmp --source-port 25 --name xy
Source, destination port are not allowed when protocol is set to ICMP.
Neutron server returns request_ids: ['req-09cc6a16-7215-45ce-89c8-3226bfd4ca64']
But when the user creates a firewall group rule with protocol tcp and --source-port 23:
nicira@utu1604template:~/devstack$ openstack firewall group rule create --protocol tcp --source-port 23 --name bg-rl
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| Action | deny |
| Description | |
| Destination IP Address | None |
| Destination Port | None |
| Enabled | True |
| ID | 79f8c59e-38bc-4b45-afff-fe963df4080d |
| IP Version | 4 |
| Name | bg-rl |
| Project | 7e5ec032563948eeb3f443c9ca258f71 |
| Protocol | tcp |
| Shared | False |
| Source IP Address | None |
| Source Port | 23 |
| firewall_policy_id | None |
| project_id | 7e5ec032563948eeb3f443c9ca258f71 |
+------------------------+--------------------------------------+
and then updates it to protocol icmp, the update is allowed:
nicira@utu1604template:~/devstack$ openstack firewall group rule set --protocol icmp bg-rl
nicira@utu1604template:~/devstack$ openstack firewall group rule show bg-rl
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| Action | deny |
| Description | |
| Destination IP Address | None |
| Destination Port | None |
| Enabled | True |
| ID | 79f8c59e-38bc-4b45-afff-fe963df4080d |
| IP Version | 4 |
| Name | bg-rl |
| Project | 7e5ec032563948eeb3f443c9ca258f71 |
| Protocol | icmp |
| Shared | False |
| Source IP Address | None |
| Source Port | 23 |
| firewall_policy_id | None |
| project_id | 7e5ec032563948eeb3f443c9ca258f71 |
+------------------------+--------------------------------------+
Since icmp + port is not allowed, this should also be validated when updating a rule.
Validation is needed on firewall rule update to check whether a port is specified
while the protocol is icmp.
The traces are here:
INFO neutron.wsgi [None req-86f01b1f-f413-4aa4-82d2-74d03ec57e85 admin admin] 10.144.139.12 "GET /v2.0/fwaas/firewall_rules?name=bg-rl HTTP/1.1" status: 200 len: 624 time: 0.0692658
DEBUG neutron.api.v2.base [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] Request body: {u'firewall_rule': {u'protocol': u'icmp'}} {{(pid=28763) prepare_request_body /opt/stack/neutron/neutron/api/v2/base.py:716}}
DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method get_firewall_rule called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>, u'79f8c59e-38bc-4b45-afff-fe963df4080d') {'fields': ['firewall_policy_id', 'id', 'shared', 'project_id', 'tenant_id']} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method update_firewall_rule called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>, u'79f8c59e-38bc-4b45-afff-fe963df4080d') {'firewall_rule': {u'firewall_rule': {u'protocol': u'icmp'}}} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method get_firewall_rule called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>, u'79f8c59e-38bc-4b45-afff-fe963df4080d') {} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method get_firewall_policies called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>,) {'filters': {'tenant_id': [u'7e5ec032563948eeb3f443c9ca258f71'], 'firewall_rules': [u'79f8c59e-38bc-4b45-afff-fe963df4080d']}} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
DEBUG neutron_lib.callbacks.manager [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] Notify callbacks [] for firewall_rule, after_update {{(pid=28763) _notify_loop /usr/local/lib/python2.7/dist-packages/neutron_lib/callbacks/manager.py:193}}
DEBUG neutron_lib.callbacks.manager [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] Notify callbacks [] for firewall_rule, before_response {{(pid=28763) _notify_loop /usr/local/lib/python2.7/dist-packages/neutron_lib/callbacks/manager.py:193}}
** Affects: neutron
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1816955
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
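The report above shows why a create-time check on the request body alone is not enough: the update body `{'protocol': 'icmp'}` carries no port field, so a body-only check passes, while the stored rule still has source port 23. The following added example (illustrative code written for this archive page, not neutron-fwaas's own validator) shows the difference between validating the request body and validating the rule as it would look after the update is merged into the stored rule. The rule values are copied from the report's `bg-rl` output; the function names, the `InvalidRule` exception and the dict-based rule representation are assumptions made for the example.

```python
"""Added example (not neutron-fwaas code): validate the icmp/port
constraint on the merged rule, not only on the update request body."""

# The protocol the bug report is about; the error text is the one the
# report shows at create time.
ICMP_PROTOCOLS = {"icmp"}
PORT_FIELDS = ("source_port", "destination_port")
ICMP_PORT_ERROR = ("Source, destination port are not allowed when "
                   "protocol is set to ICMP.")

# Rule 'bg-rl' as shown in the report after creation (tcp, source port 23).
BG_RL = {
    "name": "bg-rl",
    "action": "deny",
    "protocol": "tcp",
    "source_port": "23",
    "destination_port": None,
}


class InvalidRule(ValueError):
    """Raised when a rule pairs an ICMP protocol with a port."""


def validate_ports_for_protocol(rule):
    """Reject a rule dict that sets protocol icmp together with a port.

    Fields that are absent or None count as unset. Returns the rule
    unchanged when it is valid.
    """
    if rule.get("protocol") in ICMP_PROTOCOLS:
        if any(rule.get(field) is not None for field in PORT_FIELDS):
            raise InvalidRule(ICMP_PORT_ERROR)
    return rule


def merged_rule(existing, update):
    """The rule as it will be stored once `update` is applied."""
    result = dict(existing)
    result.update(update)
    return result


def validate_update(existing, update):
    """Validate an update against the stored rule, not just the body.

    Validating `update` alone is the defect described in the report:
    {'protocol': 'icmp'} contains no port key and therefore passes,
    even though the stored rule already carries source_port 23.
    """
    return validate_ports_for_protocol(merged_rule(existing, update))


def body_only_check_allows(update):
    """Create-style check applied to the request body alone (the bug)."""
    try:
        validate_ports_for_protocol(update)
    except InvalidRule:
        return False
    return True


def update_is_allowed(existing, update):
    """Merged check: True only if the resulting rule is valid."""
    try:
        validate_update(existing, update)
    except InvalidRule:
        return False
    return True


if __name__ == "__main__":
    change = {"protocol": "icmp"}   # the 'rule set --protocol icmp' body
    print("body-only check allows:", body_only_check_allows(change))
    print("merged check allows:   ", update_is_allowed(BG_RL, change))
```

The merged check also covers the mirror case (adding a port to a rule that is already icmp) and still accepts an update that switches to icmp and clears the port in the same request, so it rejects exactly the states the create-time rule forbids.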