Hi! We have a scenario tempest test case (test_cross_tenant_traffic) which assumes that an instance should be able to receive icmp echo responses even when no ingress security rules are defined for that instance.
I don't take a stand on iptables-based security group implementation details (this was discussed e.g. here: http://lists.openstack.org/pipermail/openstack-dev/2015-April/060989.html ) but rather on tempest logic. Do we have some requirement(s) that incoming packets with ESTABLISHED state should be accepted regardless of security rules? If so, does it really concern also ICMP packets? And if there are no such requirements, should we e.g. parameterize the test case so that it will be skipped when no iptables-based firewall drivers are used? -Viktor __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
