Reviewed:  https://review.openstack.org/618388
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=fa48d16d694269b6b4245b90454448f8e9895ed8
Submitter: Zuul
Branch:    master

commit fa48d16d694269b6b4245b90454448f8e9895ed8
Author: quyue <[email protected]>
Date:   Fri Nov 16 10:35:04 2018 +0800

    ICMPv6 is not an available protocol when creating firewall rule

    When creating IPv6 firewall rule, the network protocol that can be
    selected is ICMP TCP UDP or null. But in fact, ICMPv6 is the message
    control protocol we actually need for the firewall rule whose
    ip-version = 6.

    This patch fixes this bug with the following logic:
    When creating firewall rule whose "ip-version = 6, protocol =
    ipv6-icmp", we should consider that the "icmp" refers to "ipv6-icmp".

    Closes-Bug: #1799904
    Change-Id: I27cff5ba9986f30fa4c7ddb12db920300edd521b

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1799904

Title:
  ICMPv6 is not an available protocol when creating Firewall-Rule

Status in neutron:
  Fix Released

Bug description:
  When creating IPv6 firewall rule, the network protocol that can be
  selected is ICMP TCP UDP or null, but in fact, ICMPv6 is the message
  control protocol we actually need for the firewall rule whose
  ip-version = 6.

  I tried to create a firewall rule whose "ip-version=6, protocol = ICMP".
  After the creation, in the ip6tables of the router, the effective rules
  are as follows:

  -A neutron-l3-agent-ov6a99ac434 -p icmp -j ACCEPT
  -A neutron-l3-agent-iv6a99ac434 -p icmp -j ACCEPT

  In ip6tables, ICMP cannot control the ipv6 data packet, which means
  that the above two rules are invalid.

  In summary:
  1) I think we should list ICMPv6 as an optional protocol when creating
     firewall rules.
  2) Or when creating firewall rule whose "ip-version=6, protocol = ICMP",
     we should consider that the "ICMP" specified here refers to ICMPv6.
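Added example, not part of the original notification and not the neutron-fwaas code: a Python sketch of the mapping the commit message describes, plus an audit of ip6tables-save output for rules like the two quoted in the bug description. The function names and the sample rule set are assumptions made for illustration.

```python
import shlex

# IPv4 ICMP is IP protocol 1; ICMPv6 is IP protocol 58 ("ipv6-icmp").
ICMPV4_NAMES = {"icmp", "1"}


def effective_protocol(ip_version, protocol):
    """Map a rule's protocol as the commit message describes: on an
    IPv6 rule "icmp" is taken to mean "ipv6-icmp"."""
    if protocol is None:
        return None
    name = protocol.lower()
    if ip_version == 6 and name == "icmp":
        return "ipv6-icmp"
    return name


def find_ineffective_icmp_rules(ip6tables_save_text):
    """Return (line_number, rule) for appended rules that use '-p icmp'."""
    findings = []
    for lineno, line in enumerate(ip6tables_save_text.splitlines(), 1):
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        for flag, value in zip(tokens, tokens[1:]):
            if flag in ("-p", "--protocol") and value.lower() in ICMPV4_NAMES:
                findings.append((lineno, line))
                break
    return findings


# Constructed ip6tables-save style input: the first two rules are quoted in
# the bug description, the third is a constructed rule using ipv6-icmp.
SAMPLE = """\
*filter
-A neutron-l3-agent-ov6a99ac434 -p icmp -j ACCEPT
-A neutron-l3-agent-iv6a99ac434 -p icmp -j ACCEPT
-A neutron-l3-agent-iv6a99ac434 -p ipv6-icmp -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for lineno, rule in find_ineffective_icmp_rules(SAMPLE):
        print(f"line {lineno}: does not match ICMPv6: {rule}")
```

Running the audit against a router's saved IPv6 rule set shows which firewall rules created before the fix still need to be regenerated.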

