ICMPv6 is not an available protocol when creating Firewall-Rule

Bug #1799904 reported by Yue Qu
This bug affects 2 people
Affects: neutron | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

When creating an IPv6 firewall rule, the network protocol that can be selected is ICMP, TCP, UDP or null, but in fact ICMPv6 is the message control protocol we actually need for a firewall rule whose ip-version = 6.

I tried to create a firewall rule whose "ip-version = 6, protocol = ICMP".
After the creation, in the ip6tables of the router, the effective rules are as follows:

-A neutron-l3-agent-ov6a99ac434 -p icmp -j ACCEPT
-A neutron-l3-agent-iv6a99ac434 -p icmp -j ACCEPT

In ip6tables, ICMP cannot control the IPv6 data packet, which means that the above two rules are invalid.

In summary:

1) I think we should list ICMPv6 as an optional protocol when creating firewall rules.

2) Or, when creating a firewall rule whose "ip-version = 6, protocol = ICMP", we should consider that the "ICMP" specified here refers to ICMPv6.

Yue Qu (bruceq-)
Changed in neutron:
assignee: nobody → Yue Qu (bruceq-)
Brian Haley (brian-haley) wrote :

The first thing I noticed is that the rules you pasted are from the l3-agent, is this related to FWaaS and not the SG code in neutron?

Because the following works for me for SG:

$ openstack security group rule create --ingress --protocol icmp --ethertype IPv6 default

# ip6tables-save | grep icmp
-A neutron-openvswi-ib3229831-9 -p ipv6-icmp -j RETURN

That has 'ipv6-icmp' unlike the output you pasted, and it's the L2 agent.

So if this is FWaaS then perhaps they have a bug in how iptables rules are being generated, the base neutron code has some logic to deal with this case specially.

Yue Qu (bruceq-)
Changed in neutron:
status: New → In Progress
Yue Qu (bruceq-) wrote :

Yes Brian, this bug is only related to FWaaS; the SG works well.

Yue Qu (bruceq-)
Changed in neutron:
status: In Progress → New
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/618388

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (master)

Reviewed: https://review.openstack.org/618388
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=fa48d16d694269b6b4245b90454448f8e9895ed8
Submitter: Zuul
Branch: master

commit fa48d16d694269b6b4245b90454448f8e9895ed8
Author: quyue <email address hidden>
Date: Fri Nov 16 10:35:04 2018 +0800

    ICMPv6 is not an available protocol when creating firewall rule

    When creating IPv6 firewall rule, the network protocol that can be
    selected is ICMP TCP UDP or null.
    But in fact, ICMPv6 is the message control protocol we actually need
    for the firewall rule whose ip-version = 6.

    This patch fixes this bug with the following logic:
    When creating firewall rule whose "ip-version = 6, protocol = ipv6-icmp",
    we should consider that the "icmp" refers to "ipv6-icmp".

    Closes-Bug: #1799904
    Change-Id: I27cff5ba9986f30fa4c7ddb12db920300edd521b

Changed in neutron:
status: In Progress → Fix Released
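As an added illustration of the rule logic described in the bug report and the commit message above (example code written for this page, not neutron-fwaas's own; the function names, the simplified rule layout and the sample ip6tables-save lines are constructed), this normalises "icmp" to "ipv6-icmp" for ip_version 6 and audits ip6tables-save output for the ineffective "-p icmp" form that the reporter observed:

```python
"""Added example: protocol normalisation for IPv6 firewall rules plus an
audit of ip6tables-save output. Names and rule layout are assumptions,
not neutron-fwaas code."""
import re

# In ip6tables the ICMP match must be spelled 'ipv6-icmp' (alias 'icmpv6');
# '-p icmp' (IP protocol 1) never matches ICMPv6 (IP protocol 58) traffic.
IPV6_ICMP = "ipv6-icmp"
ICMP_SPELLINGS = {"icmp", "icmpv6", "ipv6-icmp"}


def normalize_protocol(ip_version, protocol):
    """Return the protocol name to emit, or None for 'any protocol'.

    For ip_version 6 every ICMP spelling maps to 'ipv6-icmp': on a v6
    rule, 'icmp' refers to ICMPv6 (the fix the page describes).
    """
    if protocol is None:
        return None
    proto = protocol.lower()
    if ip_version == 6 and proto in ICMP_SPELLINGS:
        return IPV6_ICMP
    return proto


def build_rule(chain, ip_version, protocol, action="ACCEPT"):
    """Build an iptables-save style '-A <chain> [-p <proto>] -j <action>'."""
    proto = normalize_protocol(ip_version, protocol)
    parts = ["-A", chain]
    if proto:
        parts += ["-p", proto]
    parts += ["-j", action]
    return " ".join(parts)


_PROTO_RE = re.compile(r"(?:^|\s)-p\s+(\S+)")


def find_ineffective_icmp_rules(ip6tables_save_text):
    """Return ip6tables-save lines using '-p icmp', which silently match
    nothing for IPv6 traffic (the symptom in the bug report)."""
    bad = []
    for line in ip6tables_save_text.splitlines():
        m = _PROTO_RE.search(line)
        if m and m.group(1).lower() == "icmp":
            bad.append(line.strip())
    return bad


# Constructed sample, modelled on the router output quoted in the report.
SAMPLE_IP6TABLES = """\
-A neutron-l3-agent-ov6a99ac434 -p icmp -j ACCEPT
-A neutron-l3-agent-iv6a99ac434 -p icmp -j ACCEPT
-A neutron-openvswi-ib3229831-9 -p ipv6-icmp -j RETURN
"""
```

Running `find_ineffective_icmp_rules` over a router's real `ip6tables-save` output is a quick way to confirm whether a deployment still emits the broken form.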
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-fwaas 14.0.0.0b1

This issue was fixed in the openstack/neutron-fwaas 14.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/680753

Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: Yue Qu (bruceq-) → nobody
tags: added: timeout-abandon
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-fwaas (stable/rocky)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/680753
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
