yahoo-eng-team team mailing list archive

[Bug 1816955] Re: [Fwaasv1][Fwaasv2]can update a firewall rule with icmp protocol when source/destination port is specified which should not be allowed

This is not a CLI bug. This should be fixed in neutron-fwaas.

** Project changed: python-neutronclient => neutron

** Tags added: fwaas

** Changed in: neutron
   Importance: Undecided => Medium

** Changed in: neutron
       Status: New => Confirmed

** Changed in: neutron
   Importance: Medium => Low

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1816955

Title:
  [Fwaasv1][Fwaasv2]can update a firewall rule with icmp protocol when
  source/destination port is specified which should not be allowed

Status in neutron:
  Confirmed

Bug description:
  firewall group rule with protocol: icmp, source/destination port, and
  action any

  it throws the following error:
  nicira@utu1604template:/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/v2$ openstack firewall group rule create --protocol icmp --source-port 25 --name xy
  Source, destination port are not allowed when protocol is set to ICMP.
  Neutron server returns request_ids: ['req-09cc6a16-7215-45ce-89c8-3226bfd4ca64']

  but when a user creates a firewall group rule with protocol: tcp and --source-port: 23

  nnicira@utu1604template:~/devstack$ openstack firewall group rule create --protocol tcp --source-port 23 --name bg-rl
  +------------------------+--------------------------------------+
  | Field                  | Value                                |
  +------------------------+--------------------------------------+
  | Action                 | deny                                 |
  | Description            |                                      |
  | Destination IP Address | None                                 |
  | Destination Port       | None                                 |
  | Enabled                | True                                 |
  | ID                     | 79f8c59e-38bc-4b45-afff-fe963df4080d |
  | IP Version             | 4                                    |
  | Name                   | bg-rl                                |
  | Project                | 7e5ec032563948eeb3f443c9ca258f71     |
  | Protocol               | tcp                                  |
  | Shared                 | False                                |
  | Source IP Address      | None                                 |
  | Source Port            | 23                                   |
  | firewall_policy_id     | None                                 |
  | project_id             | 7e5ec032563948eeb3f443c9ca258f71     |
  +------------------------+--------------------------------------+

  and updates it with protocol icmp, it is allowed.

  nicira@utu1604template:~/devstack$ openstack firewall group rule set --protocol icmp bg-rl
  nicira@utu1604template:~/devstack$ openstack firewall group rule show bg-rl
  +------------------------+--------------------------------------+
  | Field                  | Value                                |
  +------------------------+--------------------------------------+
  | Action                 | deny                                 |
  | Description            |                                      |
  | Destination IP Address | None                                 |
  | Destination Port       | None                                 |
  | Enabled                | True                                 |
  | ID                     | 79f8c59e-38bc-4b45-afff-fe963df4080d |
  | IP Version             | 4                                    |
  | Name                   | bg-rl                                |
  | Project                | 7e5ec032563948eeb3f443c9ca258f71     |
  | Protocol               | icmp                                 |
  | Shared                 | False                                |
  | Source IP Address      | None                                 |
  | Source Port            | 23                                   |
  | firewall_policy_id     | None                                 |
  | project_id             | 7e5ec032563948eeb3f443c9ca258f71     |
  +------------------------+--------------------------------------+

  Since icmp + port is not allowed, this should be validated while updating the rule.

  Validation is needed while updating firewall rules to check whether a
  port is specified when the protocol is icmp.


  The traces are here,

  INFO neutron.wsgi [None req-86f01b1f-f413-4aa4-82d2-74d03ec57e85 admin admin] 10.144.139.12 "GET /v2.0/fwaas/firewall_rules?name=bg-rl HTTP/1.1" status: 200  len: 624 time: 0.0692658
  DEBUG neutron.api.v2.base [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] Request body: {u'firewall_rule': {u'protocol': u'icmp'}} {{(pid=28763) prepare_request_body /opt/stack/neutron/neutron/api/v2/base.py:716}}
  DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method get_firewall_rule called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>, u'79f8c59e-38bc-4b45-afff-fe963df4080d') {'fields': ['firewall_policy_id', 'id', 'shared', 'project_id', 'tenant_id']} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
  DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method update_firewall_rule called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>, u'79f8c59e-38bc-4b45-afff-fe963df4080d') {'firewall_rule': {u'firewall_rule': {u'protocol': u'icmp'}}} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
  DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method get_firewall_rule called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>, u'79f8c59e-38bc-4b45-afff-fe963df4080d') {} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
  DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method get_firewall_policies called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>,) {'filters': {'tenant_id': [u'7e5ec032563948eeb3f443c9ca258f71'], 'firewall_rules': [u'79f8c59e-38bc-4b45-afff-fe963df4080d']}} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
  DEBUG neutron_lib.callbacks.manager [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] Notify callbacks [] for firewall_rule, after_update {{(pid=28763) _notify_loop /usr/local/lib/python2.7/dist-packages/neutron_lib/callbacks/manager.py:193}}
  DEBUG neutron_lib.callbacks.manager [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] Notify callbacks [] for firewall_rule, before_response {{(pid=28763) _notify_loop /usr/local/lib/python2.7/dist-packages/neutron_lib/callbacks/manager.py:193}}
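The missing check in the report above, as an added illustration that is not neutron-fwaas code: the create path validates the whole request body, but an update carries only the changed fields, so the ICMP/port check must run on the stored rule merged with the patch. Field names follow the CLI output in the report; `ICMP_PROTOCOLS` and the in-memory `store` are assumptions of this example.

```python
# Added example (not neutron-fwaas code): the ICMP/port check must run on the
# merged rule during update, not only on the fields in the request body.
# ICMP_PROTOCOLS is an assumed set of protocols that carry no ports.

ICMP_PROTOCOLS = {"icmp", "ipv6-icmp"}
PORT_FIELDS = ("source_port", "destination_port")


class InvalidRule(ValueError):
    """Raised when a rule combines ICMP with a source or destination port."""


def validate_rule(rule):
    """Reject ICMP rules that carry a port; return the rule unchanged otherwise."""
    if rule.get("protocol") in ICMP_PROTOCOLS and any(
            rule.get(f) is not None for f in PORT_FIELDS):
        raise InvalidRule(
            "Source, destination port are not allowed when protocol is set to ICMP.")
    return rule


def create_rule(store, rule_id, rule):
    """Create path: the request body is the whole rule, so validating it suffices."""
    store[rule_id] = validate_rule(dict(rule))
    return store[rule_id]


def update_rule_unchecked(store, rule_id, patch):
    """Reported behaviour: only the patch is validated, so {'protocol': 'icmp'}
    passes even though the stored rule still has source_port 23."""
    validate_rule(patch)
    store[rule_id] = dict(store[rule_id], **patch)
    return store[rule_id]


def update_rule(store, rule_id, patch):
    """Fixed behaviour: merge the stored rule with the patch and validate the
    result before persisting it, so a stale port cannot survive a protocol change."""
    merged = dict(store[rule_id], **patch)
    validate_rule(merged)
    store[rule_id] = merged
    return merged


def update_is_rejected(store, rule_id, patch):
    """True if the checked update refuses the patch and leaves the rule untouched."""
    before = dict(store[rule_id])
    try:
        update_rule(store, rule_id, patch)
    except InvalidRule:
        return store[rule_id] == before
    return False
```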

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1816955/+subscriptions