security rule with --protocol 255 does not get programmed

Bug #1618082 reported by Serguei Bezverkhi
Affects   Status    Importance   Assigned to   Milestone
neutron   Invalid   Undecided    Unassigned

Bug Description

With the latest master (August 29, 2016) I see an issue with neutron security groups. This sequence of commands should create a group allowing all traffic in or out:

neutron security-group-create all-in-all-out
neutron security-group-rule-create --direction ingress --ethertype ipv4 --protocol 255 --remote-ip-prefix 0.0.0.0/0 all-in-all-out
neutron security-group-rule-create --direction ingress --ethertype ipv6 --protocol 255 --remote-ip-prefix ::/0 all-in-all-out

when this group gets attached to the instance, these rules do not get programmed. In order to be able to ping the instance from outside I need to add this rule:

neutron security-group-rule-create --direction ingress --ethertype ipv4 --protocol icmp --remote-ip-prefix 0.0.0.0/0 all-in-all-out

Revision history for this message
Brian Haley (brian-haley) wrote :

I think what you want to do is not specify any protocol, using 255 is going to add a rule for '-p 255', which is a reserved IANA protocol value.

Did this previously work?

Changed in neutron:
status: New → Incomplete
Revision history for this message
Serguei Bezverkhi (sbezverk) wrote :

Yes, it used to work. Instead of specifying a bunch of protocols, we were using wildcards to enable all protocols. If the behavior got changed, please let me know which value must be used to enable ALL protocols in one line.

Revision history for this message
Brian Haley (brian-haley) wrote :

I could not find any patch that would have changed this, and I correctly see a rule for protocol 255 being allowed when I try this:

# iptables-save | grep 255
-A neutron-openvswi-i2232cefa-0 -p 255 -j RETURN

Since 255 is a valid, although reserved, protocol value, the code seems to be operating normally. For what you're trying to do you should not be specifying any --protocol value - 255 is not a wildcard.

Changed in neutron:
status: Incomplete → Invalid
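The point of the thread is that `--protocol 255` is passed through to iptables as a literal `-p 255` (IANA "Reserved"), so ICMP (protocol 1), TCP (6) and UDP (17) never match it, whereas a rule created with no `--protocol` produces a RETURN rule with no `-p` clause and matches every protocol. The script below is an added example written for this page, not neutron's own code: it builds the two CLI invocations, and reads constructed `iptables-save` lines (only the `-p 255 -j RETURN` line mirrors the one quoted above) to report which protocols a per-port chain actually admits, treating `-j RETURN` as the accept action the way the quoted rule does. Chain name, helper names and the sample rule lines are assumptions for illustration.

```python
"""Added example (not neutron's code): why '--protocol 255' is not a wildcard.

1. build_rule_command(): the CLI call, with and without --protocol.
2. A small iptables-save reader: which IP protocols does a security-group
   chain admit?  Run on a compute node against `iptables-save` output to
   verify what was actually programmed.  Sample lines here are constructed.
"""
from typing import List, Optional, Tuple, Union

# Protocol names the neutron CLI accepts, mapped to IANA numbers (subset).
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "icmpv6": 58}
IANA_RESERVED = 255  # IANA lists 255 as "Reserved"; iptables treats it as a literal -p value


def build_rule_command(direction: str, ethertype: str, protocol: Optional[Union[str, int]],
                       remote_ip_prefix: str, group: str) -> str:
    """Return the `neutron security-group-rule-create` line; protocol=None omits --protocol."""
    argv = ["neutron", "security-group-rule-create",
            "--direction", direction, "--ethertype", ethertype]
    if protocol is not None:
        argv += ["--protocol", str(protocol)]
    argv += ["--remote-ip-prefix", remote_ip_prefix, group]
    return " ".join(argv)


def protocol_to_number(proto: str) -> int:
    """Resolve an iptables -p argument (name or number) to its IANA number."""
    if proto.lower() in PROTOCOL_NUMBERS:
        return PROTOCOL_NUMBERS[proto.lower()]
    n = int(proto)
    if not 0 <= n <= 255:
        raise ValueError(f"protocol number out of range: {proto}")
    return n


def parse_append_rule(line: str) -> Optional[Tuple[str, Optional[int], Optional[str], bool]]:
    """Parse an iptables-save '-A' line into (chain, protocol, target, has_match_ext).

    protocol is None when the rule carries no -p clause, i.e. it matches every protocol.
    has_match_ext is True when a '-m' extension (state, set, ...) makes the rule conditional.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    chain, proto, target, has_match = tokens[1], None, None, False
    i = 2
    while i < len(tokens):
        t = tokens[i]
        if t == "-p" and i + 1 < len(tokens):
            proto = protocol_to_number(tokens[i + 1])
            i += 2
            continue
        if t == "-j" and i + 1 < len(tokens):
            target = tokens[i + 1]
            i += 2
            continue
        if t == "-m":
            has_match = True
        i += 1
    return chain, proto, target, has_match


def chain_admits(lines: List[str], chain: str, proto_number: int) -> bool:
    """True if CHAIN has an unconditional `-j RETURN` (the accept action in the
    quoted per-port chain) that matches PROTO_NUMBER.  Conditional (-m) rules are ignored."""
    for line in lines:
        parsed = parse_append_rule(line)
        if parsed is None:
            continue
        c, proto, target, has_match = parsed
        if c != chain or target != "RETURN" or has_match:
            continue
        if proto is None or proto == proto_number:
            return True
    return False


CHAIN = "neutron-openvswi-i2232cefa-0"  # chain name taken from the quoted iptables-save line
# Constructed: the chain as programmed from the reporter's '--protocol 255' rule.
RULES_WITH_255 = [
    f"-A {CHAIN} -m state --state RELATED,ESTABLISHED -j RETURN",
    f"-A {CHAIN} -p 255 -j RETURN",
    f"-A {CHAIN} -j neutron-openvswi-sg-fallback",
]
# Constructed: the same chain after a rule created with no --protocol (the suggested fix).
RULES_WILDCARD = [
    f"-A {CHAIN} -m state --state RELATED,ESTABLISHED -j RETURN",
    f"-A {CHAIN} -j RETURN",
    f"-A {CHAIN} -j neutron-openvswi-sg-fallback",
]


def main() -> None:
    print(build_rule_command("ingress", "ipv4", IANA_RESERVED, "0.0.0.0/0", "all-in-all-out"))
    print(build_rule_command("ingress", "ipv4", None, "0.0.0.0/0", "all-in-all-out"))
    for label, rules in (("--protocol 255", RULES_WITH_255), ("no --protocol", RULES_WILDCARD)):
        admitted = {name: chain_admits(rules, CHAIN, n)
                    for name, n in (("icmp", 1), ("tcp", 6), ("udp", 17), ("255", 255))}
        print(f"{label}: {admitted}")


if __name__ == "__main__":
    main()
```

With the `-p 255` chain the reader reports only protocol 255 as admitted, which is exactly why the ICMP rule had to be added; with the `-j RETURN` rule that has no `-p` clause every protocol is admitted. The same reader can be fed real `iptables-save` output to confirm what a group programmed on a host.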