Public bug reported:

When we add a Security Group ICMP rule with icmp-type/code, the rule gets added properly and it translates to an appropriate firewall policy.

It was noticed that when adding a security group rule, without providing the icmp-type and only providing the icmp-code, there is no error. But the iptables rule that gets added is a generic one.

Example:
  neutron --debug security-group-rule-create 4b3a5866-8cdd-4e15-b51b-9523ede2f6f8 --protocol icmp --direction ingress --ethertype ipv4 --port-range-max 4
translates to an iptables rule like
  -A neutron-openvswi-i49e920d5-c -p icmp -j RETURN

The Security Group rules listing in Horizon/neutron-client displays the icmp rule with port-range as None-<icmp-code>. This could be misleading as it is inconsistent.

It would be good if validation is done when "--port-range-max" is passed without providing the "--port-range-min" so that SG Group rules are consistent with the iptables rules that are added.

** Affects: neutron
     Importance: Undecided
     Assignee: Sridhar Gaddam (sridhargaddam)
     Status: New

** Changed in: neutron
     Assignee: (unassigned) => Sridhar Gaddam (sridhargaddam)

** Description changed:

- When we add an Security Group ICMP Policy with icmp-type/code, the - policy gets added properly and it translates to an appropriate firewall - policy. + When we add an Security Group ICMP rule with icmp-type/code, the rule + gets added properly and it translates to an appropriate firewall policy. - It was noticed that when adding a security group policy, without providing the icmp-type and only providing the icmp-code, there is no error. - But the iptables rule that gets added is a generic one. + It was noticed that when adding a security group rule, without providing the icmp-type and only providing the icmp-code, there is no error. + But the iptables rule that gets added is a generic one. 
Example: neutron --debug security-group-rule-create 4b3a5866-8cdd-4e15-b51b-9523ede2f6f8 --protocol icmp --direction ingress --ethertype ipv4 --port-range-max 4 - translates to a iptables rule like - -A neutron-openvswi-i49e920d5-c -p icmp -j RETURN + translates to a iptables rule like + -A neutron-openvswi-i49e920d5-c -p icmp -j RETURN - The Security Group rules listing in Horizon/neutron-client display the icmp rule with port-range as None-<icmp-code>. - This could be misleading as it is inconsistent. + The Security Group rules listing in Horizon/neutron-client display the icmp rule with port-range as None-<icmp-code>. + This could be misleading as it is inconsistent. It would be good if validation is done when "--port-range-max" is passed without providing the "--port-range-min" so that SG Group rules are consistent with the iptable rules that are added.

--
https://bugs.launchpad.net/bugs/1301838

Title:
  SG rule should not allow an ICMP Policy when icmp-code alone is provided.

Status in OpenStack Neutron (virtual network service):
  New
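The mismatch described in this report, as an added example that is not part of the original report and is not Neutron's code: a simplified model of the rule-to-iptables translation shows how a code-only rule widens to all ICMP, and a validation check rejects it before it is stored. The function names, the exception class and the sample rule dicts are assumptions made for illustration; `port_range_min` / `port_range_max` stand for the ICMP type / code as in the report.

```python
ICMP_MAX = 255  # ICMP type and code are 8-bit fields


class InvalidIcmpRule(ValueError):
    """An ICMP rule that cannot be expressed as a precise firewall match."""


def iptables_icmp_args(rule):
    """Simplified model (hypothetical helper) of the translation in the report.

    Without a type there is nothing to hand to --icmp-type, so the code is
    silently dropped and the match widens to every ICMP packet.
    """
    args = ["-p", "icmp"]
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    if icmp_type is not None:
        match = str(icmp_type)
        if icmp_code is not None:
            match += "/%d" % icmp_code
        args += ["--icmp-type", match]
    return args + ["-j", "RETURN"]


def validate_icmp_rule(rule):
    """Reject rules whose stored form would differ from the installed match."""
    if rule.get("protocol") != "icmp":
        return rule
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    for name, value in (("type", icmp_type), ("code", icmp_code)):
        if value is not None and not 0 <= value <= ICMP_MAX:
            raise InvalidIcmpRule("ICMP %s %r outside 0-%d" % (name, value, ICMP_MAX))
    if icmp_code is not None and icmp_type is None:
        raise InvalidIcmpRule("ICMP code %d given without an ICMP type" % icmp_code)
    return rule


# Constructed sample rules mirroring the command in the report.
CODE_ONLY = {"protocol": "icmp", "port_range_min": None, "port_range_max": 4}
TYPE_AND_CODE = dict(CODE_ONLY, port_range_min=3)

if __name__ == "__main__":
    print(" ".join(iptables_icmp_args(CODE_ONLY)))
    print(" ".join(iptables_icmp_args(TYPE_AND_CODE)))
    try:
        validate_icmp_rule(CODE_ONLY)
    except InvalidIcmpRule as exc:
        print("rejected:", exc)
```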