ICMP security group rules should have a type and code params instead of using "--port-range-min" and "--port-range-max"

Bug #1251224 reported by Rami Vaknin
Affects: neutron
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Version
======
Havana on rhel

Description
=========
I couldn't find a doc specifying whether ICMP security group rules ignore the "--port-range-min" and "--port-range-max" params or use them as code and type as we know from nova security group rules.
I think that it should be:

i. Well documented.
ii. Prohibited to use "--port-range-min" and "--port-range-max" in the ICMP rules context; new switches should be created for code and type.

Revision history for this message
Rami Vaknin (rvaknin) wrote :
tags: added: l3-ipam-dhcp
Changed in neutron:
assignee: nobody → Edgar Magana (emagana)
status: New → Triaged
importance: Undecided → Medium
tags: added: doc
Revision history for this message
Anthony Chow (vcloudernbeer) wrote :

Is this bug available to be worked on? It is assigned to Edgar Magana but no update since Dec 2013. I can take up this task.

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Would need to be verified on latest and supported releases Kilo and Liberty.

Changed in neutron:
assignee: Edgar Magana (emagana) → nobody
tags: added: low-hanging-fruit
Changed in neutron:
status: Triaged → Confirmed
status: Confirmed → Incomplete
Revision history for this message
Akihiro Motoki (amotoki) wrote :

ICMP type and code are described in our API site, but the description looks wrong.
Both port_range_min and max mention ICMP type. Either of them should be ICMP code.
It is a bug in openstack manuals.
http://developer.openstack.org/api-ref-networking-v2-ext.html#createSecGroupRule

Agree that neutronclient help message can be improved.
I will add neutronclient to the affected project.

On the other hand, I don't agree we should prohibit the usage of port-range-min/max for ICMP code/type.
It breaks the backward compatibility and affects existing applications.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

I filed a bug 1523063 in neutronclient.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

One idea is to add icmp-type/code attribute to the security group rule resource.
We can still use port-range-min/max to specify ICMP type/code. If both are specified we can return a bad request response.
I think it is easier to understand without reading the documentation every time we need to specify ICMP.
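
The proposal in the comment above, sketched as an added example that is not part of this thread and is not Neutron or neutronclient code. The attribute names `icmp_type` and `icmp_code`, the function `normalize_icmp_rule` and the `BadRequest` class are hypothetical; the mapping of `port_range_min` to ICMP type and `port_range_max` to ICMP code is Neutron's existing convention.

```python
"""Added example: hypothetical validator, not Neutron or neutronclient code."""

RANGE_KEYS = ("port_range_min", "port_range_max")  # existing API attributes
NAMED_KEYS = ("icmp_type", "icmp_code")            # hypothetical new attributes


class BadRequest(ValueError):
    """Stands in for the HTTP 400 response suggested in the comment."""


def _octet(name, value):
    # ICMP type and code are one byte each on the wire, so 0..255.
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 255:
        raise BadRequest(f"{name} must be an integer in 0..255, got {value!r}")
    return value


def normalize_icmp_rule(rule):
    """Return a copy of rule with ICMP type/code stored in port_range_min/max."""
    named = {k: rule[k] for k in NAMED_KEYS if rule.get(k) is not None}
    if rule.get("protocol") != "icmp":
        if named:
            raise BadRequest("icmp_type/icmp_code require protocol 'icmp'")
        return dict(rule)
    legacy = {k: rule[k] for k in RANGE_KEYS if rule.get(k) is not None}
    if named and legacy:
        raise BadRequest("use icmp_type/icmp_code or port_range_min/max, not both")
    icmp_type = named.get("icmp_type", legacy.get("port_range_min"))
    icmp_code = named.get("icmp_code", legacy.get("port_range_max"))
    if icmp_code is not None and icmp_type is None:
        raise BadRequest("an ICMP code needs an ICMP type")
    # No min <= max check: these are not a range (echo request is type 8, code 0).
    out = {k: v for k, v in rule.items() if k not in RANGE_KEYS + NAMED_KEYS}
    out["port_range_min"] = None if icmp_type is None else _octet("ICMP type", icmp_type)
    out["port_range_max"] = None if icmp_code is None else _octet("ICMP code", icmp_code)
    return out


if __name__ == "__main__":
    # Constructed sample rules, not taken from the bug report.
    for sample in (
        {"direction": "ingress", "protocol": "icmp", "icmp_type": 8, "icmp_code": 0},
        {"direction": "ingress", "protocol": "icmp", "port_range_min": 3, "port_range_max": 4},
        {"direction": "ingress", "protocol": "icmp", "icmp_type": 8, "port_range_min": 8},
    ):
        try:
            print(normalize_icmp_rule(sample))
        except BadRequest as exc:
            print("400 Bad Request:", exc)
```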

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired
Revision history for this message
Anthony Chow (vcloudernbeer) wrote :

amotoki

Are you working on this bug? If not, I would like to make the documentation changes to the OpenStack manual:

http://developer.openstack.org/api-ref-networking-v2-ext.html#createSecGroupRule

Or this is it for this bug? I am new to OpenStack.

thanks,

anthony.

Revision history for this message
Itzik Brown (itzikb1) wrote :

Still relevant in Newton.

Changed in neutron:
status: Expired → Confirmed
Revision history for this message
Anthony Chow (vcloudernbeer) wrote :

I would like to work on this bug. Assigning this bug to myself for now. I will raise this on the next IRC meeting.

Changed in neutron:
assignee: nobody → Anthony Chow (vcloudernbeer)
tags: removed: l3-ipam-dhcp
Revision history for this message
Boden R (boden) wrote :

Moving to invalid/unassigned and will timeout in 60 days as-is.

If additional work is needed and in scope please reassign.

Changed in neutron:
status: Confirmed → Invalid
importance: Medium → Undecided
assignee: Anthony Chow (vcloudernbeer) → nobody
status: Invalid → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired