
yahoo-eng-team team mailing list archive

[Bug 1816955] [NEW] [Fwaasv1][Fwaasv2] can update a firewall rule with icmp protocol when source/destination port is specified, which should not be allowed

 

You have been subscribed to a public bug:

When creating a firewall group rule with protocol icmp, a source/destination port, and action any,
it throws the following error:
nicira@utu1604template:/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/v2$ openstack firewall group rule create --protocol icmp --source-port 25 --name xy
Source, destination port are not allowed when protocol is set to ICMP.
Neutron server returns request_ids: ['req-09cc6a16-7215-45ce-89c8-3226bfd4ca64']


But when the user creates a firewall group rule with protocol tcp and --source-port 23:

nnicira@utu1604template:~/devstack$ openstack firewall group rule create --protocol tcp --source-port 23 --name bg-rl
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| Action                 | deny                                 |
| Description            |                                      |
| Destination IP Address | None                                 |
| Destination Port       | None                                 |
| Enabled                | True                                 |
| ID                     | 79f8c59e-38bc-4b45-afff-fe963df4080d |
| IP Version             | 4                                    |
| Name                   | bg-rl                                |
| Project                | 7e5ec032563948eeb3f443c9ca258f71     |
| Protocol               | tcp                                  |
| Shared                 | False                                |
| Source IP Address      | None                                 |
| Source Port            | 23                                   |
| firewall_policy_id     | None                                 |
| project_id             | 7e5ec032563948eeb3f443c9ca258f71     |
+------------------------+--------------------------------------+

and then updates it to protocol icmp, the update is allowed:

nicira@utu1604template:~/devstack$ openstack firewall group rule set --protocol icmp bg-rl
nicira@utu1604template:~/devstack$ openstack firewall group rule show bg-rl
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| Action                 | deny                                 |
| Description            |                                      |
| Destination IP Address | None                                 |
| Destination Port       | None                                 |
| Enabled                | True                                 |
| ID                     | 79f8c59e-38bc-4b45-afff-fe963df4080d |
| IP Version             | 4                                    |
| Name                   | bg-rl                                |
| Project                | 7e5ec032563948eeb3f443c9ca258f71     |
| Protocol               | icmp                                 |
| Shared                 | False                                |
| Source IP Address      | None                                 |
| Source Port            | 23                                   |
| firewall_policy_id     | None                                 |
| project_id             | 7e5ec032563948eeb3f443c9ca258f71     |
+------------------------+--------------------------------------+


Since icmp + port is not allowed, this should also be validated when updating a rule.

Validation is needed when updating firewall rules to check whether a port is
specified while the protocol is icmp.


The traces are here:

INFO neutron.wsgi [None req-86f01b1f-f413-4aa4-82d2-74d03ec57e85 admin admin] 10.144.139.12 "GET /v2.0/fwaas/firewall_rules?name=bg-rl HTTP/1.1" status: 200  len: 624 time: 0.0692658
DEBUG neutron.api.v2.base [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] Request body: {u'firewall_rule': {u'protocol': u'icmp'}} {{(pid=28763) prepare_request_body /opt/stack/neutron/neutron/api/v2/base.py:716}}
DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method get_firewall_rule called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>, u'79f8c59e-38bc-4b45-afff-fe963df4080d') {'fields': ['firewall_policy_id', 'id', 'shared', 'project_id', 'tenant_id']} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method update_firewall_rule called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>, u'79f8c59e-38bc-4b45-afff-fe963df4080d') {'firewall_rule': {u'firewall_rule': {u'protocol': u'icmp'}}} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method get_firewall_rule called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>, u'79f8c59e-38bc-4b45-afff-fe963df4080d') {} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method get_firewall_policies called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>,) {'filters': {'tenant_id': [u'7e5ec032563948eeb3f443c9ca258f71'], 'firewall_rules': [u'79f8c59e-38bc-4b45-afff-fe963df4080d']}} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
DEBUG neutron_lib.callbacks.manager [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] Notify callbacks [] for firewall_rule, after_update {{(pid=28763) _notify_loop /usr/local/lib/python2.7/dist-packages/neutron_lib/callbacks/manager.py:193}}
DEBUG neutron_lib.callbacks.manager [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] Notify callbacks [] for firewall_rule, before_response {{(pid=28763) _notify_loop /usr/local/lib/python2.7/dist-packages/neutron_lib/callbacks/manager.py:193}}

** Affects: neutron
     Importance: Undecided
         Status: New
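The root cause the report points at is that the icmp/port check runs on the create body but not on the update path, and a partial update body such as `{'protocol': 'icmp'}` carries no port field to trip it. The following is an added illustration, not neutron-fwaas code: a body-only validator that reproduces the gap next to a merged-state validator that closes it. The rule dict layout, the function names and the sample rule (copied from the report's `bg-rl` output) are assumptions for this example.

```python
"""Validate firewall rules on create AND update by checking the merged rule.

Added example, not neutron-fwaas code. The dict shape and function names are
assumptions; the error text is the one quoted in the bug report.
"""

ICMP_ERROR = "Source, destination port are not allowed when protocol is set to ICMP."


class InvalidRule(ValueError):
    """Raised when a rule (or a rule after an update) is inconsistent."""


# Constructed sample: the stored rule from the report (tcp, source port 23).
STORED_RULE = {
    "id": "79f8c59e-38bc-4b45-afff-fe963df4080d",
    "name": "bg-rl",
    "protocol": "tcp",
    "source_port": "23",
    "destination_port": None,
    "action": "deny",
}


def _has_port(rule):
    return rule.get("source_port") is not None or rule.get("destination_port") is not None


def validate_rule(rule):
    """Reject a fully resolved rule whose protocol is icmp but carries a port."""
    proto = rule.get("protocol")
    if proto is not None and proto.lower() == "icmp" and _has_port(rule):
        raise InvalidRule(ICMP_ERROR)
    return rule


def create_rule(body):
    """Create path: the body is the whole rule, so validating it is enough."""
    return validate_rule(dict(body))


def update_rule_body_only(stored, body):
    """Buggy update (mirrors the behaviour in the report): only the request
    body is validated, so {'protocol': 'icmp'} passes because the port it
    collides with lives in the stored rule, not in the body."""
    validate_rule(body)
    merged = dict(stored)
    merged.update(body)
    return merged


def update_rule(stored, body):
    """Fixed update: merge the stored rule with the requested changes first,
    then validate the result, so protocol and port are checked together."""
    merged = dict(stored)
    merged.update(body)
    return validate_rule(merged)


def is_rejected(fn, *args):
    """Helper for comparing the two update paths."""
    try:
        fn(*args)
    except InvalidRule:
        return True
    return False


if __name__ == "__main__":
    change = {"protocol": "icmp"}
    print("body-only validation rejects:", is_rejected(update_rule_body_only, STORED_RULE, change))
    print("merged validation rejects:  ", is_rejected(update_rule, STORED_RULE, change))
```

Running it shows the body-only path accepting the protocol change (the state the `show` output above ends up in) while the merged check refuses it; clearing the port in the same update (`{'protocol': 'icmp', 'source_port': None}`) is still accepted, which is the behaviour an operator would expect.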

-- 
https://bugs.launchpad.net/bugs/1816955