** Changed in: neutron
Status: Fix Committed => Fix Released
** Changed in: neutron
Milestone: None => juno-1
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1301838
Title:
SG rule should not allow an ICMP Policy when icmp-code alone is provided.
Status in OpenStack Neutron (virtual network service):
Fix Released
Bug description:
When we add a Security Group ICMP rule with icmp-type/code, the rule
gets added properly and it translates to an appropriate firewall
policy.
It was noticed that when adding a security group rule, without
providing the icmp-type (port-range-min) and only providing the
icmp-code (port-range-max) no error is reported, but there is a mismatch
with the iptables rule (a generic icmp policy gets added)
Example:
neutron --debug security-group-rule-create
4b3a5866-8cdd-4e15-b51b-9523ede2f6f8 --protocol icmp --direction ingress
--ethertype ipv4 --port-range-max 4
translates to an iptables rule like
-A neutron-openvswi-i49e920d5-c -p icmp -j RETURN
The Security Group rules listing in Horizon/neutron-client display the icmp
rule with port-range as None-<icmp-code>.
This could be misleading and is inconsistent.
It would be good if validation is done on the input to check that
"--port-range-max" is passed when "--port-range-min" is provided so that SG
rules are consistent with the iptables rules that are added.
Please note: iptables does not allow us to add an icmp rule
when an icmp-type is not provided and only icmp-code is provided.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1301838/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
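The validation the bug asks for, and the three iptables shapes an ICMP type/code pair can take, as an added worked example. This is illustrative code written here, not Neutron's own security-group or iptables-firewall code; the rule dictionary keys, the function names and the `InvalidIcmpRule` exception are assumed for the example. The chain name is the one shown in the report above.

```python
"""Added example (not Neutron's code): reject an ICMP security-group rule
that carries an icmp-code (port_range_max) without an icmp-type
(port_range_min), and show the iptables match each valid shape becomes.

Assumed representation (hypothetical, not Neutron's API): a rule is a dict
with 'protocol', 'direction', 'ethertype', 'port_range_min' (ICMP type)
and 'port_range_max' (ICMP code).
"""


class InvalidIcmpRule(ValueError):
    """Raised for an ICMP rule that iptables cannot express as written."""


def validate_icmp_rule(rule):
    """Return the rule unchanged if it is well formed, else raise.

    iptables has no way to say 'any ICMP type, code N', so a code without a
    type would silently degrade to a generic '-p icmp' match. Non-ICMP
    rules are passed through untouched.
    """
    if rule.get("protocol") not in ("icmp", "icmpv6"):
        return rule
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    if icmp_type is None and icmp_code is not None:
        raise InvalidIcmpRule(
            "icmp-code %r given without an icmp-type" % (icmp_code,))
    for label, value in (("icmp-type", icmp_type), ("icmp-code", icmp_code)):
        if value is not None and not 0 <= int(value) <= 255:
            raise InvalidIcmpRule("%s out of range: %r" % (label, value))
    return rule


def icmp_match(rule):
    """Build the iptables/ip6tables match arguments for a validated rule."""
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    # ip6tables spells the option differently from iptables.
    option = "--icmpv6-type" if rule["protocol"] == "icmpv6" else "--icmp-type"
    if icmp_type is None:
        return []  # generic: matches every ICMP type and code
    if icmp_code is None:
        return [option, str(icmp_type)]  # type only, any code
    return [option, "%d/%d" % (int(icmp_type), int(icmp_code))]  # type/code


def iptables_rule(rule, chain="neutron-openvswi-i49e920d5-c"):
    """Validate, then render the '-A <chain> ... -j RETURN' rule string."""
    validate_icmp_rule(rule)
    parts = ["-A", chain, "-p", rule["protocol"]] + icmp_match(rule) + ["-j", "RETURN"]
    return " ".join(parts)


def try_rule(rule):
    """Render a rule, returning an error string instead of raising."""
    try:
        return iptables_rule(rule)
    except InvalidIcmpRule as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    # Constructed sample rules: the report's code-only case plus the valid shapes.
    samples = [
        {"protocol": "icmp", "direction": "ingress", "ethertype": "IPv4",
         "port_range_min": None, "port_range_max": 4},   # the bug's input
        {"protocol": "icmp", "direction": "ingress", "ethertype": "IPv4",
         "port_range_min": 8, "port_range_max": 0},       # echo request
        {"protocol": "icmp", "direction": "ingress", "ethertype": "IPv4",
         "port_range_min": 3, "port_range_max": None},    # any dest-unreach
        {"protocol": "icmp", "direction": "ingress", "ethertype": "IPv4",
         "port_range_min": None, "port_range_max": None}, # generic icmp
    ]
    for sample in samples:
        print(try_rule(sample))
```

The first sample is exactly the CLI invocation from the report: with the check in place it is rejected instead of silently becoming the generic `-p icmp -j RETURN` rule that the listing then shows as `None-4`.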