** Changed in: neutron
       Status: Fix Committed => Fix Released

** Changed in: neutron
    Milestone: None => juno-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1301838

Title:
  SG rule should not allow an ICMP Policy when icmp-code alone is
  provided.

Status in OpenStack Neutron (virtual network service):
  Fix Released

Bug description:
  When we add a Security Group ICMP rule with icmp-type/code, the rule
  gets added properly and it translates to an appropriate firewall
  policy.

  It was noticed that when adding a security group rule without
  providing the icmp-type (port-range-min) and only providing the
  icmp-code (port-range-max), no error is reported, but there is a
  mismatch with the iptables rule (a generic icmp policy gets added).

  Example:

    neutron --debug security-group-rule-create 4b3a5866-8cdd-4e15-b51b-9523ede2f6f8 --protocol icmp --direction ingress --ethertype ipv4 --port-range-max 4

  translates to an iptables rule like

    -A neutron-openvswi-i49e920d5-c -p icmp -j RETURN

  The Security Group rules listing in Horizon/neutron-client displays
  the icmp rule with port-range as None-<icmp-code>. This could be
  misleading and is inconsistent.

  It would be good if validation is done on the input to check that
  "--port-range-max" is passed when "--port-range-min" is provided so
  that SG Group rules are consistent with the iptables rules that are
  added.

  Please note: iptables does not allow us to add an icmp rule when an
  icmp-type is not provided and only icmp-code is provided.
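
The validation the report asks for, sketched as an added example. This is not Neutron's code or the committed fix: the function names, the exception class and the rule dictionary layout are assumptions, and REPORTED_RULE is constructed from the command in the description.

```python
# Added illustration, not Neutron's implementation. Names are hypothetical.

class InvalidIcmpRule(ValueError):
    """An ICMP rule that cannot be expressed as an iptables match."""


def _check_octet(name, value):
    # ICMP type and code are 8-bit header fields.
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 255:
        raise InvalidIcmpRule(f"{name} must be an integer in 0..255, got {value!r}")


def validate_icmp_rule(rule):
    """Reject an ICMP code without a type (port_range_min=type, port_range_max=code)."""
    if rule.get("protocol") != "icmp":
        return rule
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    if icmp_type is None and icmp_code is not None:
        # Accepting this would store "None-<code>" while the firewall
        # gets a generic "-p icmp" match, the mismatch in the report.
        raise InvalidIcmpRule(f"ICMP code {icmp_code!r} given without an ICMP type")
    if icmp_type is not None:
        _check_octet("ICMP type", icmp_type)
    if icmp_code is not None:
        _check_octet("ICMP code", icmp_code)
    return rule


def icmp_match_args(rule):
    """Render the iptables match arguments for a validated ICMP rule."""
    validate_icmp_rule(rule)
    args = ["-p", "icmp"]
    icmp_type = rule.get("port_range_min")
    if icmp_type is not None:
        spec = str(icmp_type)
        if rule.get("port_range_max") is not None:
            spec += f"/{rule['port_range_max']}"
        args += ["--icmp-type", spec]
    return args


# Constructed from the command in the bug description: code 4, no type.
REPORTED_RULE = {"protocol": "icmp", "direction": "ingress", "ethertype": "IPv4",
                 "port_range_min": None, "port_range_max": 4}
```

With this check the stored rule and the rendered match always agree: a type-only rule renders `--icmp-type <type>`, a type/code rule renders `--icmp-type <type>/<code>`, and the reported input is refused before anything is stored.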