Reviewed: https://review.openstack.org/534263
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0efe1aec185365d8bd7a14ec5b812132d0f9e44d
Submitter: Zuul
Branch: master

commit 0efe1aec185365d8bd7a14ec5b812132d0f9e44d
Author: Hunt Xu <[email protected]>
Date: Tue Jan 16 19:34:09 2018 +0800

    Fix _port_arg for security rules with icmp/ipv6-icmp aliases

    When a security group rule is created with an icmp/ipv6-icmp alias, such as
    protocol number 1 (ICMP), 58 (ICMPv6) or the string icmpv6 (legacy name for
    ipv6-icmp), as its protocol along with an ICMP/ICMPv6 message type specified,
    _port_arg will generate a wrong str for iptables/ip6tables.

    Change-Id: Iae01b9a0da34797a5f061a110f06e18be9bbec5a
    Closes-Bug: #1743552

** Changed in: neutron
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1743552

Title:
  iptables security group driver failed to apply when rule protocol is icmp/icmpv6 alias

Status in neutron:
  Fix Released

Bug description:
  * Summary

  When a security group rule is created with protocol number 1, 58 or icmpv6,
  with port_range_min supplied as the icmp-type, the iptables security group
  driver will fail to apply the rules.

  * Environment

  devstack + openvswitch-agent + securitygroup firewall_driver=iptables-hybrid

  * Step-by-step reproduction steps:

  1. Create a network and a subnet
  2. Boot a VM in the network
  3. Create new security group rules as follows in the SG of the VM's port:
     - openstack security group rule create --ethertype IPv4 --icmp-type 8 --icmp-code 0 --protocol 1 --ingress <SG_ID>
     - openstack security group rule create --ethertype IPv6 --icmp-type 128 --icmp-code 0 --protocol 58 --ingress <SG_ID>
     - openstack security group rule create --ethertype IPv6 --icmp-type 128 --icmp-code 0 --protocol icmpv6 --ingress <SG_ID>
  4. Check neutron-openvswitch-agent's LOG

  * Expected output:

  - SG rules are successfully created and applied on the port without errors

  * Actual output:

  - SG rules are successfully created
  - Errors in neutron-openvswitch-agent's LOG about iptables/ip6tables failing to apply
  - Wrong iptables/ip6tables rules are generated:
    - "Stderr: iptables-restore v1.6.1: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP"
    - -I neutron-openvswi-if1905f5e-9 5 -p icmp -m icmp -m multiport --dports 8:0 -j RETURN
    - -I neutron-openvswi-if1905f5e-9 8 -p ipv6-icmp -m icmp6 -m multiport --dports 128:0 -j RETURN
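The defect described in the report, as an added illustration that is not neutron's own code: a port-argument builder that only recognises the literal names "icmp"/"ipv6-icmp" sends protocol 1, 58 and the legacy "icmpv6" down the port-range branch and emits the rejected "-m multiport --dports 8:0"; normalising the alias first yields the "--icmp-type 8/0" form. The alias table, function names and the omission of the separate "-p"/"-m icmp" match are assumptions of this example.

```python
# Added example, not the neutron driver's code. Maps the protocol aliases
# named in the bug report (1, 58, icmpv6) to the names iptables expects.
ICMP_ALIASES = {
    "icmp": "icmp", "1": "icmp",
    "ipv6-icmp": "ipv6-icmp", "icmpv6": "ipv6-icmp", "58": "ipv6-icmp",
}


def normalize_protocol(protocol):
    """Return the iptables protocol name for a number or legacy alias."""
    key = str(protocol).lower()
    return ICMP_ALIASES.get(key, key)


def port_arg_buggy(direction, protocol, port_min, port_max):
    """Reproduces the bug: unnormalised aliases miss the ICMP branch."""
    if port_min is None:
        return []
    if protocol in ("icmp", "ipv6-icmp"):
        return _icmp_args(protocol, port_min, port_max)
    return _range_args(direction, port_min, port_max)


def port_arg_fixed(direction, protocol, port_min, port_max):
    """Corrected form: normalise the alias before choosing a branch."""
    if port_min is None:
        return []
    protocol = normalize_protocol(protocol)
    if protocol in ("icmp", "ipv6-icmp"):
        return _icmp_args(protocol, port_min, port_max)
    return _range_args(direction, port_min, port_max)


def _icmp_args(protocol, icmp_type, icmp_code):
    # For ICMP rules port_range_min/max carry the message type/code.
    # Code 0 is valid (see the report), so test for None, not truthiness.
    match = "icmpv6" if protocol == "ipv6-icmp" else "icmp"
    arg = str(icmp_type) if icmp_code is None else "%s/%s" % (icmp_type, icmp_code)
    return ["--%s-type" % match, arg]


def _range_args(direction, port_min, port_max):
    if port_min == port_max:
        return ["--%s" % direction, str(port_min)]
    # multiport is only valid for TCP/UDP/UDPLITE/SCTP/DCCP, which is why
    # iptables-restore rejects the ICMP rule quoted in the bug's log.
    return ["-m", "multiport", "--%ss" % direction, "%s:%s" % (port_min, port_max)]
```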

