On Tue, Mar 04, 2014 at 12:01:00PM -0500, Brian Haley wrote:
> On 03/03/2014 11:18 AM, Collins, Sean wrote:
> > On Mon, Mar 03, 2014 at 09:39:42PM +0800, Xuhan Peng wrote:
> >> Currently, only security group rule direction, protocol, ethertype and port
> >> range are supported by neutron security group rule data structure. To allow
> >
> > If I am not mistaken, I believe that when you use the ICMP protocol
> > type, you can use the port range specs to limit the type.
> >
> > https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L309
> >
> > http://i.imgur.com/3n858Pf.png
> >
> > I assume we just have to check and see if it applies to ICMPv6?
>
> I tried using horizon to add an icmp type/code rule, and it didn't work.
>
> Before:
>
> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>
> After:
>
> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>
> I'd assume I'll have the same error with v6.
>
> I am curious what's actually being done under the hood here now...

Looks like _port_arg just returns an empty array when the protocol is ICMP?

https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L328

Called by:

https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L292

--
Sean M. Collins
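
The following is an added example, not part of the thread and not Neutron's code. It sketches a rule renderer that carries ICMP type/code into the iptables arguments, plus a check that flags the symptom shown above, where a type-restricted rule is rendered as a bare `-p icmp` match. It assumes `port_range_min` holds the ICMP type and `port_range_max` the ICMP code; the function names and the sample type/code values are constructed for illustration.

```python
# Added example, not Neutron's code. Assumption: port_range_min holds the ICMP
# type and port_range_max the ICMP code, as suggested in the thread.
CHAIN = "neutron-linuxbri-i4533da4f-1"  # chain name quoted in the thread


def match_args(rule):
    """Build iptables/ip6tables match arguments for one rule dict."""
    proto = rule.get("protocol")
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if proto is None:
        return []
    if proto not in ("icmp", "icmpv6"):
        if lo is None:
            return ["-p", proto]
        hi = lo if hi is None else hi
        if not 0 < lo <= hi <= 65535:
            raise ValueError("bad port range %r:%r" % (lo, hi))
        ports = str(lo) if lo == hi else "%d:%d" % (lo, hi)
        return ["-p", proto, "--dport", ports]
    v6 = proto == "icmpv6" or rule.get("ethertype") == "IPv6"
    args = ["-p", "icmpv6" if v6 else "icmp"]
    if lo is None:
        if hi is not None:
            raise ValueError("ICMP code given without an ICMP type")
        return args  # no restriction requested: match all ICMP
    for name, value in (("type", lo), ("code", hi)):
        if value is not None and not 0 <= value <= 255:
            raise ValueError("ICMP %s out of range: %r" % (name, value))
    spec = str(lo) if hi is None else "%d/%d" % (lo, hi)
    return args + ["--icmpv6-type" if v6 else "--icmp-type", spec]


def render(rule, chain=CHAIN):
    """Render one rule as an iptables-save style line."""
    return " ".join(["-A", chain] + match_args(rule) + ["-j", "RETURN"])


def is_widened(rule, rendered_line):
    """True when the rule restricts ICMP type but the rendered line does not."""
    restricted = (rule.get("protocol") in ("icmp", "icmpv6")
                  and rule.get("port_range_min") is not None)
    has_type = any(t.endswith("-type") for t in rendered_line.split())
    return restricted and not has_type


if __name__ == "__main__":
    # Constructed sample rule: ICMP type 8, code 0.
    sample = {"protocol": "icmp", "ethertype": "IPv4",
              "port_range_min": 8, "port_range_max": 0}
    print(render(sample))
    print(is_widened(sample, "-A %s -p icmp -j RETURN" % CHAIN))
```
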