[Expired for neutron because there has been no activity for 60 days.]
** Changed in: neutron
Status: Incomplete => Expired
https://bugs.launchpad.net/bugs/1507846
Title:
Filtering ICMP packet based on ICMP code
Status in neutron:
Expired
Bug description:
(a) Summary: Support for filtering based on ICMP codes is missing in
the OpenStack firewall.
Further information :
(b) High level description: Currently OpenStack firewall rules allow filtering
of ICMP packets. However, filtering is done for all ICMP packets. There can be a
possible improvement in the firewall rules, by introducing filtration of ICMP
packets based on the ICMP packet type/code.
There are various possible ICMP packet types (for example, packet type 8
corresponds to ICMP Echo while packet type 0 is an ICMP Echo Response). It is
possible to provide a more channeled functionality to the user by providing the
support for filtration based on ICMP packets.
(b.1) Pre-conditions: As this is more of a feature improvement than an all
out bug, there are no specific preconditions. However, the following requirements
can be mapped to the pre-condition of the bug:
* User wants to create a firewall which allows incoming ICMP pings,
but blocks ICMP ping from the current subnet.
[ Note ]:
(a) This is applicable to all tenants
(b) This feature assumes the requirement that user wants a Node to
accept a ping request and respond to it, but not to send a request out.
(b.2)Step-by-step reproduction steps:
* User creates a firewall rule with ICMP protocol with specific
source/destination IP.
* User creates a firewall rule with specific ports.
* User cannot proceed with the rule which allows his requirement to be
fulfilled. ( allows incoming ICMP ping requests, but blocks outgoing ICMP ping
requests)
(b.3) Expected output: User should be able to create a firewall rule
which allows the user's requirement to be fulfilled.
(b.4)Actual output: Such a facility in the firewall rule is not
available.
(b.5)Version:
OpenStack version (Specific stable branch, or git hash if from trunk): Tag ID
: c1310f32fbb6dfa958bb31152ee5b492b177c6cb
Linux distro, kernel.: Ubuntu 14.04
DevStack or other _deployment_ mechanism: devstack
Environment: Neutron with Firewall Extensions, on a single node machine.
However, the above requirement is independent of the environment.
(c)Perceived severity: Medium/Low depending on the importance of Deep
Packet Inspection.
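
The type/code filtering requested in this report, sketched as an added example (not Neutron or FWaaS code, and not part of the original report): a first-match rule evaluator that reads the ICMP type and code from a raw IPv4 packet. `Rule`, `parse_icmp`, `decide`, `sample_packet` and `POLICY` are hypothetical names, and the packets are constructed test data.

```python
import struct
from typing import NamedTuple, Optional

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMPv4 types named in the report

class Rule(NamedTuple):
    action: str                # "allow" or "deny"
    direction: str             # "ingress" or "egress"
    icmp_type: Optional[int]   # None matches any type
    icmp_code: Optional[int]   # None matches any code

def parse_icmp(packet: bytes) -> tuple[int, int]:
    """Return (type, code) from a raw IPv4 packet carrying ICMP."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    if packet[9] != 1:  # IP protocol number 1 is ICMP
        raise ValueError("not ICMP")
    # Type and code exist only in the first fragment of a datagram.
    if struct.unpack_from("!H", packet, 6)[0] & 0x1FFF:
        raise ValueError("non-initial fragment has no ICMP header")
    if len(packet) < ihl + 4:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = struct.unpack_from("!BB", packet, ihl)
    return icmp_type, icmp_code

def decide(rules, direction: str, packet: bytes, default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic gets the default."""
    icmp_type, icmp_code = parse_icmp(packet)
    for r in rules:
        if (r.direction == direction
                and r.icmp_type in (None, icmp_type)
                and r.icmp_code in (None, icmp_code)):
            return r.action
    return default

def sample_packet(icmp_type: int, icmp_code: int, frag: int = 0) -> bytes:
    """Constructed 28-byte IPv4+ICMP packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, frag, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return ip + struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)

# The report's requirement: answer pings, but never originate them.
POLICY = [
    Rule("allow", "ingress", ECHO_REQUEST, 0),
    Rule("allow", "egress", ECHO_REPLY, 0),
    Rule("deny", "egress", ECHO_REQUEST, None),
]
```
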