Comment 3 for bug 1323299

Revision history for this message
Rajkumar (raj15) wrote :

I have created the security group only to allow icmp so that I can test using ping. I have created the firewall like below. I am able to ping the VM's floating IP (192.52.1.6) from the network node (192.52.1.45) even though I have added a rule denying 192.52.1.0/24; however, ping from the VM to the network node is denied as expected.
One more observation: if I disable the second rule r2, which is "allow all", then the ping from the network node to the VM is blocked as expected, since it hits the default rule "deny all".

root@IGA-OSC:~# neutron firewall-rule-show r1
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| action | deny |
| description | |
| destination_ip_address | 192.52.1.0/24 |
| destination_port | |
| enabled | True |
| firewall_policy_id | 924d41cd-fad1-4ed4-9114-6dd704382bd3 |
| id | fe18a16c-a792-4763-890e-3e0f37591b05 |
| ip_version | 4 |
| name | r1 |
| position | 1 |
| protocol | icmp |
| shared | False |
| source_ip_address | |
| source_port | |
| tenant_id | d9481c57a11c46eea62886938b5378a7 |
+------------------------+--------------------------------------+
root@IGA-OSC:~# neutron firewall-rule-show r2
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| action | allow |
| description | |
| destination_ip_address | |
| destination_port | |
| enabled | True |
| firewall_policy_id | 924d41cd-fad1-4ed4-9114-6dd704382bd3 |
| id | a4d231de-bf05-4353-8c69-b1698b6b997d |
| ip_version | 4 |
| name | r2 |
| position | 2 |
| protocol | |
| shared | False |
| source_ip_address | |
| source_port | |
| tenant_id | d9481c57a11c46eea62886938b5378a7 |
+------------------------+--------------------------------------+
root@IGA-OSC:~# neutron firewall-policy-show p1
+----------------+--------------------------------------+
| Field | Value |
+----------------+--------------------------------------+
| audited | False |
| description | |
| firewall_rules | fe18a16c-a792-4763-890e-3e0f37591b05 |
| | a4d231de-bf05-4353-8c69-b1698b6b997d |
| id | 924d41cd-fad1-4ed4-9114-6dd704382bd3 |
| name | p1 |
| shared | False |
| tenant_id | d9481c57a11c46eea62886938b5378a7 |
+----------------+--------------------------------------+
root@IGA-OSC:~# neutron firewall-show f1
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | 924d41cd-fad1-4ed4-9114-6dd704382bd3 |
| id | 7a808890-c015-40e9-b1f8-a7c498a9fa70 |
| name | f1 |
| status | ACTIVE |
| tenant_id | d9481c57a11c46eea62886938b5378a7 |
+--------------------+--------------------------------------+
root@IGA-OSC:~# sgl
+--------------------------------------+---------+-------------+
| id | name | description |
+--------------------------------------+---------+-------------+
| 179ecb86-0bcc-4a65-9e5b-dd583cdded5d | default | default |
+--------------------------------------+---------+-------------+
root@IGA-OSC:~# sgrl
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id | security_group | direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| 1f857515-6466-4e9e-aa13-4d579c2cd3ef | default | ingress | | | default |
| 5a3b13b8-2839-47f8-8d93-feeece9ea9f4 | default | egress | | | |
| 5f39ea2a-3a03-46cc-aa22-e722676629a9 | default | ingress | icmp | 0.0.0.0/0 | |
| 8e884c2c-0e47-4a97-8cb9-db09c9eea491 | default | ingress | tcp | | |
| bba8b5b4-74ba-4850-8742-4ffb25c19c82 | default | ingress | udp | | |
| bceb6300-142e-42d6-816d-1fbad7190c57 | default | ingress | | | default |
| e85aa835-490b-4c34-b2a9-726c4c4a0392 | default | egress | | | |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
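The following is an added example, not code from the bug report or from Neutron itself. It models first-match evaluation of the policy p1 shown above (r1 at position 1, r2 at position 2, implicit default deny) so the two observations in the comment can be reproduced on paper: with r2 enabled the network node's ping reaches the VM, with r2 disabled it falls through to the default deny, and VM-to-network-node ping is always stopped by r1. It assumes that the firewall is evaluated after the floating IP has been DNAT'd to the VM's fixed address (in the Neutron L3 agent's iptables layout the floating-IP DNAT happens in nat PREROUTING before the FORWARD chain where the FWaaS rules sit); the fixed IP `10.0.0.5`, the rule name `r1-src` and all function names are constructed placeholders, and the example does not claim this is the root cause recorded for the bug.

```python
"""First-match evaluation of a Neutron FWaaS v1 policy (added example).

Rules are checked in position order; the first match decides, and a packet
that matches no rule hits the implicit default deny.  R1/R2 mirror r1/r2 from
the bug comment; FIXED_IP is a constructed placeholder, not from the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    protocol: Optional[str] = None     # None matches any protocol
    source: Optional[str] = None       # CIDR, or None for any source
    destination: Optional[str] = None  # CIDR, or None for any destination
    enabled: bool = True

    def matches(self, proto: str, src: str, dst: str) -> bool:
        """True if this (enabled) rule matches the 5-tuple subset we model."""
        if not self.enabled:
            return False
        if self.protocol and self.protocol != proto:
            return False
        if self.source and ipaddress.ip_address(src) not in ipaddress.ip_network(self.source):
            return False
        if self.destination and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
            return False
        return True


def evaluate(rules: List[Rule], proto: str, src: str, dst: str) -> Tuple[str, str]:
    """Return (action, rule_name); rule_name is 'default' for the implicit deny."""
    for rule in rules:                 # rules are given in position order
        if rule.matches(proto, src, dst):
            return rule.action, rule.name
    return "deny", "default"


# Policy p1 as shown in the comment: r1 deny icmp to 192.52.1.0/24, r2 allow all.
R1 = Rule("r1", "deny", protocol="icmp", destination="192.52.1.0/24")
R2 = Rule("r2", "allow")
# Alternative (constructed, not on the page): match the *source* instead, which
# is not rewritten by floating-IP DNAT on the ingress path.
R1_BY_SOURCE = Rule("r1-src", "deny", protocol="icmp", source="192.52.1.0/24")

NETWORK_NODE = "192.52.1.45"   # from the comment
FLOATING_IP = "192.52.1.6"     # from the comment
FIXED_IP = "10.0.0.5"          # constructed placeholder for the VM's fixed IP


def ping_network_node_to_vm(rules: List[Rule], after_dnat: bool) -> Tuple[str, str]:
    """ICMP from the network node to the VM; after_dnat picks which destination
    the firewall actually sees (floating IP before DNAT, fixed IP after)."""
    dst = FIXED_IP if after_dnat else FLOATING_IP
    return evaluate(rules, "icmp", NETWORK_NODE, dst)


def ping_vm_to_network_node(rules: List[Rule]) -> Tuple[str, str]:
    """ICMP from the VM (fixed IP) to the network node."""
    return evaluate(rules, "icmp", FIXED_IP, NETWORK_NODE)


if __name__ == "__main__":
    print("node->VM, firewall sees floating IP:", ping_network_node_to_vm([R1, R2], after_dnat=False))
    print("node->VM, firewall sees fixed IP:   ", ping_network_node_to_vm([R1, R2], after_dnat=True))
    print("node->VM, r2 disabled, fixed IP:    ", ping_network_node_to_vm([R1], after_dnat=True))
    print("VM->node:                           ", ping_vm_to_network_node([R1, R2]))
    print("node->VM with source-based deny:    ", evaluate([R1_BY_SOURCE, R2], "icmp", NETWORK_NODE, FIXED_IP))
```

Run stand-alone, the first line shows the result the reporter expected (r1 denies when the destination is the floating IP), the second reproduces what was observed if the rule is evaluated against the post-DNAT fixed IP (r1 does not match, r2 allows), the third reproduces the "disable r2, default deny applies" observation, and the last line shows that a deny keyed on the source prefix is unaffected by the destination rewrite. Whether the second line is what happens in a given deployment is something to confirm by inspecting the router namespace's iptables chains, not something this model proves.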