[Yahoo-eng-team] [Bug 1799904] [NEW] ICMPv6 is not an available protocol when creating Firewall-Rule

Thu, 25 Oct 2018 01:56:47 -0700 

Public bug reported:

When creating IPv6 firewall rule, the network protocol that can be
selected is ICMP TCP UDP or null,but in fact, ICMPv6 is the message
control protocol we actually need for the firewall rule whose ip-version
= 6.

I tried to create a firewall rule whose "ip-version=6 ,protocol = ICMP".
After the creation,in the ip6tables of the router, the effective rules are as 
follows:

-A neutron-l3-agent-ov6a99ac434 -p icmp -j ACCEPT
-A neutron-l3-agent-iv6a99ac434 -p icmp -j ACCEPT

In ip6tables, ICMP cannot control the ipv6 data packet, which means that
the above two rules are invalid.

In summary: 1) I think we should list ICMPv6 as an optional protocol when 
creating firewall rules.
            
            2) Or when creating firewall rule whose "ip-version=6 ,protocol = 
ICMP", we should consider that the "ICMP" 
            specified here refers to ICMPv6.

** Affects: neutron
     Importance: Undecided
     Assignee: Yue Qu (bruceq-)
         Status: New


** Tags: ipv6

** Changed in: neutron
     Assignee: (unassigned) => Yue Qu (bruceq-)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1799904

Title:
  ICMPv6 is not an available protocol when creating Firewall-Rule

Status in neutron:
  New

Bug description:
  When creating IPv6 firewall rule, the network protocol that can be
  selected is ICMP TCP UDP or null,but in fact, ICMPv6 is the message
  control protocol we actually need for the firewall rule whose ip-
  version = 6.

  I tried to create a firewall rule whose "ip-version=6 ,protocol = ICMP".
  After the creation,in the ip6tables of the router, the effective rules are as 
follows:

  -A neutron-l3-agent-ov6a99ac434 -p icmp -j ACCEPT
  -A neutron-l3-agent-iv6a99ac434 -p icmp -j ACCEPT

  In ip6tables, ICMP cannot control the ipv6 data packet, which means
  that the above two rules are invalid.

  In summary: 1) I think we should list ICMPv6 as an optional protocol when 
creating firewall rules.
              
              2) Or when creating firewall rule whose "ip-version=6 ,protocol = 
ICMP", we should consider that the "ICMP" 
              specified here refers to ICMPv6.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1799904/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to