neutron

ovsfw ignores icmp_{type,code}

Bug #1708358 reported by IWAMOTO Toshihiro
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
High
IWAMOTO Toshihiro
neutron pike-rc2 "p-rc2"

Bug Description

The SG code uses port_range_{min,max} fields for ICMP type/code.
iptables_firewall handles that correctly but ovsfw lacks that knowledge, resulting in those fields ignored by the ovsfw driver.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/490346

Changed in neutron:
assignee: nobody → IWAMOTO Toshihiro (iwamoto)
status: New → In Progress
Revision history for this message
IWAMOTO Toshihiro (iwamoto) wrote :

cf. https://bugs.launchpad.net/neutron/+bug/1582500
    https://review.openstack.org/#/c/427670

OpenStack Infra (hudson-openstack)
Changed in neutron:
assignee: IWAMOTO Toshihiro (iwamoto) → Jakub Libosvar (libosvar)
Jakub Libosvar (libosvar)
Changed in neutron:
assignee: Jakub Libosvar (libosvar) → IWAMOTO Toshihiro (iwamoto)
Jakub Libosvar (libosvar)
Changed in neutron:
milestone: none → pike-rc2
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/490346
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b82db0a9f24e16f426d9f693b7971bef4e080a7f
Submitter: Jenkins
Branch: master

commit b82db0a9f24e16f426d9f693b7971bef4e080a7f
Author: IWAMOTO Toshihiro <email address hidden>
Date: Thu Aug 3 15:36:33 2017 +0900

    ovsfw: Fix up port_range and ICMP type/code handling

    port_range_min/max should be read as ICMP type/code for ICMP(V6).

    Change-Id: I65157037038d11464902c0311eb4c54b84f60c72
    Closes-bug: #1708358

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/501949

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/501949
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=82e13a257c55cfe9c8de6b7cce3f1efce2c11695
Submitter: Jenkins
Branch: stable/pike

commit 82e13a257c55cfe9c8de6b7cce3f1efce2c11695
Author: IWAMOTO Toshihiro <email address hidden>
Date: Thu Aug 3 15:36:33 2017 +0900

    ovsfw: Fix up port_range and ICMP type/code handling

    port_range_min/max should be read as ICMP type/code for ICMP(V6).

    Change-Id: I65157037038d11464902c0311eb4c54b84f60c72
    Closes-bug: #1708358
    (cherry picked from commit b82db0a9f24e16f426d9f693b7971bef4e080a7f)

tags: added: in-stable-pike
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.1

This issue was fixed in the openstack/neutron 11.0.1 release.

Revision history for this message
Zachary Ma (mazengxie) wrote :

why port_range_min/max should be read as ICMP type ? ICMP protocol doesn't need port.

Revision history for this message
IWAMOTO Toshihiro (iwamoto) wrote :

Those port_range DB columns (or rpc parameters) should be interpreted as icmp type/code when protocol == icmp or icmpv6.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0b1

This issue was fixed in the openstack/neutron 12.0.0.0b1 development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.