Cannot create ICMP secgroup rule with a specific type and any code

Bug #1197769 reported by Akihiro Motoki
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Akihiro Motoki
Milestone: (none)

Bug Description

We cannot create an ICMP secgroup rule for a specific type with ANY code.

  quantum security-group-rule-create --protocol icmp --port-range-min 8 --remote-ip-prefix 0.0.0.0/0 default
  For TCP/UDP protocols, port_range_min must be <= port_range_max

The above means ICMP rule with type = 8 and code = ANY.
It should be accepted.

In addition, ICMP type and ICMP code are 8-bit fields, so the values should be 0 to 255, but we can create an ICMP rule with type 10000 and code 12000. Port range validation for a specific protocol should be done.

$ quantum security-group-rule-create --protocol icmp --port-range-min 10000 --port-range-max 12000 --remote-ip-prefix 0.0.0.0/0 default
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | 62822ee1-ee4f-4c65-9322-582f3a7a3063 |
| port_range_max | 12000 |
| port_range_min | 10000 |
| protocol | icmp |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | faad7c80-3b62-4440-967c-13808c37131d |
| tenant_id | 797885303e524308b76d97686b1c5698 |
+-------------------+--------------------------------------+

Tags: sg-fw
yong sheng gong (gongysh) wrote:

I think it is wrong to use port_range_min as icmp type in the first place.

OpenStack Infra (hudson-openstack) wrote: Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/35736

Changed in neutron:
status: New → In Progress
Akihiro Motoki (amotoki) wrote:

I think it is confusing to use port_range_min/max to specify ICMP type/code though it is the way Nova secgroup API also uses.
From this point of view, it may be better to have icmp_type/code attributes as separate fields in API.
At least, it is better to have separate options in CLI and Dashboard. (Dashboard does this already).
I agree it is a discussion point for Havana or later.

On the other hand, we need to consider Grizzly release.
We need to ensure the Grizzly release works as expected. It is the main goal of the proposed patch to gerrit.

OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/35736
Committed: http://github.com/openstack/neutron/commit/24e6ef332d11de4dc0d08ecf824ad216b2b6500c
Submitter: Jenkins
Branch: master

commit 24e6ef332d11de4dc0d08ecf824ad216b2b6500c
Author: Akihiro MOTOKI <email address hidden>
Date: Fri Jul 5 01:27:18 2013 +0900

    Limit min<=max port check to TCP/UDP in secgroup rule

    icmp_type and icmp_code are mapped to port_min_range and port_max_range
    respectively. For ICMP there is no constraint between type and code.
    Thus port range min<=max check should be enforced only for TCP and UDP.

    Also makes sure that ICMP type/code are 0 to 255 (both inclusive).
    Previously values from 0 to 65535 were accepted for ICMP type/code.

    Fixes bug 1197760
    Fixes bug 1197769

    Change-Id: I70aaf6e02fee461fa97dc254db906d9efa173669

Changed in neutron:
status: In Progress → Fix Committed
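The validation rules this bug and its fix describe, written out as a standalone example (added here; this is not neutron's own code). The limits used (0-255 for ICMP type/code, 0-65535 for TCP/UDP ports), the rule that port_range_max needs port_range_min, and the error strings are assumptions for this example, not neutron's exact behaviour or messages.

```python
# Added example, not neutron's code: a standalone re-implementation of the
# security-group-rule port/ICMP validation described in this bug report.
# Limits and error messages are assumptions for this example.

ICMP_MAX = 255    # ICMP type and code are independent 8-bit fields
PORT_MAX = 65535  # assumed upper bound for TCP/UDP ports


def validate_rule_range(protocol, port_range_min=None, port_range_max=None):
    """Return None if the rule is acceptable, else a string saying why not.

    For ICMP, port_range_min/port_range_max carry the ICMP type/code
    (the convention the bug calls confusing, inherited from the Nova API).
    """
    if port_range_max is not None and port_range_min is None:
        return "port_range_max requires port_range_min"

    if protocol == "icmp":
        # Each field must be 0..255, but there is no min<=max relation
        # between type and code.  Leaving the code unset means "any code".
        for name, value in (("ICMP type", port_range_min),
                            ("ICMP code", port_range_max)):
            if value is not None and not 0 <= value <= ICMP_MAX:
                return f"{name} {value} is out of range 0..{ICMP_MAX}"
        return None

    if protocol in ("tcp", "udp"):
        for name, value in (("port_range_min", port_range_min),
                            ("port_range_max", port_range_max)):
            if value is not None and not 0 <= value <= PORT_MAX:
                return f"{name} {value} is out of range 0..{PORT_MAX}"
        # Only TCP/UDP describe an ordered port range.
        if (port_range_min is not None and port_range_max is not None
                and port_range_min > port_range_max):
            return ("For TCP/UDP protocols, port_range_min must be "
                    "<= port_range_max")
        return None

    # Other protocols carry no port information in this example.
    if port_range_min is not None or port_range_max is not None:
        return f"protocol {protocol!r} does not take a port range"
    return None
```

With these rules the first command in the report (type 8, any code) is accepted and the second (type 10000, code 12000) is rejected on the type's range rather than on ordering.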
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → havana-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: havana-2 → 2013.2
Alan Pevec (apevec)
tags: removed: grizzly-backport-potential