ICMP secgroup rule must have --dst-port -1 to actually allow ICMP
Bug #1477629 reported by
Jordan Pittier
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| python-openstackclient |
Fix Released
|
Medium
|
Dean Troyer | ||
Bug Description
Hi,
Currently the correct syntax to authorize 'all ICMP traffic' is "openstack security group rule create default --proto icmp --dst-port -1". --dst-port -1 has to be specified. If you forget this part, then the rule is created okay (implicitly with --dst-port 0:0) which doesn"t work, ie you can't ping your VM.
It will be more user friendly if we could just "openstack security group rule create default --proto icmp", and OSC would fill the '-1' under the hood to make Nova happy.
| Changed in python-openstackclient: | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| Changed in python-openstackclient: | |
| assignee: | nobody → Dean Troyer (dtroyer) |
| Changed in python-openstackclient: | |
| status: | Triaged → In Progress |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to python-openstackclient (master) | #1 |
| Changed in python-openstackclient: | |
| status: | In Progress → Fix Committed |
| Changed in python-openstackclient: | |
| milestone: | none → 1.7.0 |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit e6706f252642e52
Author: Dean Troyer <email address hidden>
Date: Thu Jul 23 15:08:52 2015 -0500
Properly handle port arguments for ICMP
The Compute API requires 'from_port' and 'to_port' to be -1 for
ICMP security group rules. It happily accepts them empty or None
but the resulting rules do not work. So we force the values for
ICMP rules.
Closes-bug: #1477629
Change-Id: Iba57211014caca