You have been subscribed to a public bug:

Firewall group rule with protocol: icmp, source/destination port, and
action any

It throws the following error:
nicira@utu1604template:/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/v2$ openstack firewall group rule create --protocol icmp --source-port 25 --name xy
Source, destination port are not allowed when protocol is set to ICMP.
Neutron server returns request_ids: ['req-09cc6a16-7215-45ce-89c8-3226bfd4ca64']


But when a user creates a firewall group rule with protocol: tcp and
--source-port: 23

nicira@utu1604template:~/devstack$ openstack firewall group rule create --protocol tcp --source-port 23 --name bg-rl
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| Action                 | deny                                 |
| Description            |                                      |
| Destination IP Address | None                                 |
| Destination Port       | None                                 |
| Enabled                | True                                 |
| ID                     | 79f8c59e-38bc-4b45-afff-fe963df4080d |
| IP Version             | 4                                    |
| Name                   | bg-rl                                |
| Project                | 7e5ec032563948eeb3f443c9ca258f71     |
| Protocol               | tcp                                  |
| Shared                 | False                                |
| Source IP Address      | None                                 |
| Source Port            | 23                                   |
| firewall_policy_id     | None                                 |
| project_id             | 7e5ec032563948eeb3f443c9ca258f71     |
+------------------------+--------------------------------------+

and then updates it with protocol icmp, it is allowed:

nicira@utu1604template:~/devstack$ openstack firewall group rule set --protocol icmp bg-rl
nicira@utu1604template:~/devstack$ openstack firewall group rule show bg-rl
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| Action                 | deny                                 |
| Description            |                                      |
| Destination IP Address | None                                 |
| Destination Port       | None                                 |
| Enabled                | True                                 |
| ID                     | 79f8c59e-38bc-4b45-afff-fe963df4080d |
| IP Version             | 4                                    |
| Name                   | bg-rl                                |
| Project                | 7e5ec032563948eeb3f443c9ca258f71     |
| Protocol               | icmp                                 |
| Shared                 | False                                |
| Source IP Address      | None                                 |
| Source Port            | 23                                   |
| firewall_policy_id     | None                                 |
| project_id             | 7e5ec032563948eeb3f443c9ca258f71     |
+------------------------+--------------------------------------+


When icmp + port is not allowed, this should also be validated while updating a rule.

Validation is needed while updating firewall rules to check whether a port
is specified while the protocol is icmp.


The traces are here:

INFO neutron.wsgi [None req-86f01b1f-f413-4aa4-82d2-74d03ec57e85 admin admin] 10.144.139.12 "GET /v2.0/fwaas/firewall_rules?name=bg-rl HTTP/1.1" status: 200  len: 624 time: 0.0692658
DEBUG neutron.api.v2.base [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] Request body: {u'firewall_rule': {u'protocol': u'icmp'}} {{(pid=28763) prepare_request_body /opt/stack/neutron/neutron/api/v2/base.py:716}}
DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method get_firewall_rule called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>, u'79f8c59e-38bc-4b45-afff-fe963df4080d') {'fields': ['firewall_policy_id', 'id', 'shared', 'project_id', 'tenant_id']} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method update_firewall_rule called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>, u'79f8c59e-38bc-4b45-afff-fe963df4080d') {'firewall_rule': {u'firewall_rule': {u'protocol': u'icmp'}}} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method get_firewall_rule called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>, u'79f8c59e-38bc-4b45-afff-fe963df4080d') {} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
DEBUG neutron_fwaas.services.firewall.fwaas_plugin_v2 [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2 method get_firewall_policies called with arguments (<neutron_lib.context.Context object at 0x7f8ee5ddde10>,) {'filters': {'tenant_id': [u'7e5ec032563948eeb3f443c9ca258f71'], 'firewall_rules': [u'79f8c59e-38bc-4b45-afff-fe963df4080d']}} {{(pid=28763) wrapper /usr/local/lib/python2.7/dist-packages/oslo_log/helpers.py:66}}
DEBUG neutron_lib.callbacks.manager [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] Notify callbacks [] for firewall_rule, after_update {{(pid=28763) _notify_loop /usr/local/lib/python2.7/dist-packages/neutron_lib/callbacks/manager.py:193}}
DEBUG neutron_lib.callbacks.manager [None req-b5132d41-3e1e-47b0-8f68-fbb7cb44d578 admin admin] Notify callbacks [] for firewall_rule, before_response {{(pid=28763) _notify_loop /usr/local/lib/python2.7/dist-packages/neutron_lib/callbacks/manager.py:193}}

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
[Fwaasv1][Fwaasv2]can update a firewall rule with icmp protocol when 
source/destination port is specified which should not be allowed 
https://bugs.launchpad.net/bugs/1816955
You received this bug notification because you are a member of Yahoo! 
Engineering Team, which is subscribed to neutron.

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

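The gap the report describes is a validation that runs on the request body alone: on create the body is the whole rule, so checking it is enough, but on update the body is a partial patch, so a patch of only {'protocol': 'icmp'} (or only {'source_port': 23} against an existing icmp rule) never contains both fields at once and passes. The following is an added stand-alone model of that behaviour and of the fix the report asks for; it is not neutron-fwaas code. The function names, the assumed set of ICMP protocol names and the exception class are illustrative choices made here, modelled only on the error text shown above.

```python
# Added example (not neutron-fwaas code): model of validating an ICMP rule
# against its ports on create versus update.  Names and the ICMP protocol
# set below are assumptions for this illustration.

ICMP_PROTOCOLS = frozenset({"icmp", "ipv6-icmp", "icmpv6"})  # assumed names
PORT_FIELDS = ("source_port", "destination_port")


class FirewallRuleInvalidICMPParameter(ValueError):
    """Raised when an ICMP rule carries a port (mirrors the CLI error text)."""


def validate_rule(rule):
    """Check a complete, effective rule, not just the fields a caller sent.

    Returns the rule unchanged when it is valid.
    """
    if rule.get("protocol") in ICMP_PROTOCOLS:
        ports = [f for f in PORT_FIELDS if rule.get(f) is not None]
        if ports:
            raise FirewallRuleInvalidICMPParameter(
                "%s not allowed when protocol is set to ICMP"
                % ", ".join(ports))
    return rule


def create_rule(body):
    """Create path: the body is the whole rule, so validating it is enough."""
    rule = {"protocol": None, "source_port": None, "destination_port": None}
    rule.update(body)
    return validate_rule(rule)


def update_rule_unchecked(existing, patch):
    """Update path as the report describes it: only the patch is validated.

    {'protocol': 'icmp'} carries no port and {'source_port': 23} carries no
    protocol, so each passes on its own and the stored rule becomes
    icmp + port.
    """
    validate_rule(patch)
    merged = dict(existing)
    merged.update(patch)
    return merged


def update_rule_checked(existing, patch):
    """Update path with the fix the report asks for: validate the merged rule."""
    merged = dict(existing)
    merged.update(patch)
    return validate_rule(merged)


def rejects(fn, *args):
    """True if fn(*args) raises FirewallRuleInvalidICMPParameter."""
    try:
        fn(*args)
    except FirewallRuleInvalidICMPParameter:
        return True
    return False


if __name__ == "__main__":
    # Constructed walk-through of the sequence in the report.
    tcp_rule = create_rule({"protocol": "tcp", "source_port": 23})
    print("unchecked update stores:",
          update_rule_unchecked(tcp_rule, {"protocol": "icmp"}))
    print("checked update rejected:",
          rejects(update_rule_checked, tcp_rule, {"protocol": "icmp"}))
```

The merged-rule check also covers the reverse order (adding a port to an existing ICMP rule), and still accepts a patch that switches to icmp and clears the port in the same request, since the effective rule is what gets validated.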