neutron

fwaas:Error not thrown when setting protocol is icmp and destination /source port while creating firewall rule

Bug #1327955 reported by Rajkumar on 2014-06-09

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Medium	Elena Ezhova	neutron 2014.2 "juno"

Bug Description

Error not thrown when setting protocol as icmp and destination /source port while creating firewall rule

Steps to Reproduce:
create firewall rule with protocol as icmp and destination port as 20

Actual Results:
It is creating firewal rule with protocol as icmp and destination port as 20 in cli. However since icmp protocol doesn't use source/destination port , It was taken only as ICMP in the output of iptable-save in router

Expected Results:
the cli should throw error

-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-iv426dd1dbb
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-ov426dd1dbb
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
-A neutron-l3-agent-fwaas-defau -j DROP
-A neutron-l3-agent-iv426dd1dbb -m state --state INVALID -j DROP
-A neutron-l3-agent-iv426dd1dbb -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv426dd1dbb -p icmp -j DROP------------------------------------------------------------------------->taken as only icmp
-A neutron-l3-agent-ov426dd1dbb -m state --state INVALID -j DROP
-A neutron-l3-agent-ov426dd1dbb -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov426dd1dbb -p icmp -j DROP

Tags:

Eugene Nikanorov (enikanorov) on 2014-06-09

Changed in neutron:
assignee:	nobody → Eugene Nikanorov (enikanorov)

Eugene Nikanorov (enikanorov) on 2014-06-09

summary:

- fwaas:Error not thrown when setting protocol as icmp and destination
+ fwaas:Error not thrown when setting protocol is icmp and destination
/source port while creating firewall rule

Elena Ezhova (eezhova) on 2014-06-10

Changed in neutron:
assignee:	Eugene Nikanorov (enikanorov) → Elena Ezhova (eezhova)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-06-11: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/99372

Changed in neutron:
status:	New → In Progress

Sumit Naiksatam (snaiksat) on 2014-06-20

Changed in neutron:
importance:	Undecided → Medium
milestone:	none → juno-2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-06-20: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/99372
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b2a6e558d82f22623e439b8c0380f05afc778f6c
Submitter: Jenkins
Branch: master

commit b2a6e558d82f22623e439b8c0380f05afc778f6c
Author: Elena Ezhova <email address hidden>
Date: Wed Jun 11 17:25:40 2014 +0400

Check port value when creating firewall rule with icmp protocol

    If a firewall rule was created with setting protocol as icmp
    and using source/destination port no error was thrown, even though
    source/destination port parameters are not used by icmp.

This patch adds a validation method that checks passed parameters
and throws an exception if they are incompatible.

Change-Id: I90a765856896395fcb6e9ddbd888b7bd80480674
Closes-Bug: 1327955

Changed in neutron:
status:	In Progress → Fix Committed

Russell Bryant (russellb) on 2014-07-23

Changed in neutron:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in neutron:
milestone:	juno-2 → 2014.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.