iptables security group driver failed to apply when rule protocol is icmp/icmpv6 alias
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | Medium | Hunt Xu | |
Bug Description
* Summary
When a security group rule is created with protocol number 1, 58 or icmpv6, with port_range_min supplied as icmp-type, the iptables security group driver will fail to apply the rules.
* Environment
devstack + openvswitch-agent + securitygroup firewall_
* Step-by-step reproduction steps:
1. Create a network and a subnet
2. Boot a VM in the network
3. Create new security group rules as follows in the SG of the VM's port:
- openstack security group rule create --ethertype IPv4 --icmp-type 8 --icmp-code 0 --protocol 1 --ingress <SG_ID>
- openstack security group rule create --ethertype IPv6 --icmp-type 128 --icmp-code 0 --protocol 58 --ingress <SG_ID>
- openstack security group rule create --ethertype IPv6 --icmp-type 128 --icmp-code 0 --protocol icmpv6 --ingress <SG_ID>
4. check neutron-
* Expected output:
- SG rules are successfully created and applied on the port without errors
* Actual output:
- SG rules are successfully created
- Errors in neutron-
- Wrong iptables/ip6tables rule is generated:
- "Stderr: iptables-restore v1.6.1: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP"
- -I neutron-
- -I neutron-
Changed in neutron: | |
assignee: | nobody → Hunt Xu (huntxu) |
Changed in neutron: | |
importance: | Undecided → Medium |
Fix proposed to branch: master
Review: https://review.openstack.org/534263
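
The failure mode in this report, as an added example (not neutron's driver code and not the submitted fix): a simplified Python model in which port_range_min/port_range_max are emitted as a multiport match unless the protocol appears under its canonical ICMP name, shown next to the same builder after the alias is resolved. The helper names (`normalize`, `build_args`, `rejected_by_restore`) and the rule dictionaries are assumptions constructed for illustration.

```python
# Added illustration: a simplified model, not neutron's iptables driver code.
# Protocol spellings from the report that all mean ICMP or ICMPv6.
CANONICAL = {
    ("IPv4", "icmp"): "icmp", ("IPv4", "1"): "icmp",
    ("IPv6", "ipv6-icmp"): "ipv6-icmp", ("IPv6", "icmpv6"): "ipv6-icmp",
    ("IPv6", "58"): "ipv6-icmp",
}
ICMP_TYPE_FLAG = {"icmp": "--icmp-type", "ipv6-icmp": "--icmpv6-type"}
# Protocols (name or number) that the multiport match accepts.
MULTIPORT_OK = {"tcp", "6", "udp", "17", "dccp", "33",
                "sctp", "132", "udplite", "136"}


def normalize(rule):
    """Return the canonical protocol name for a rule (hypothetical helper)."""
    proto = str(rule["protocol"]).lower()
    return CANONICAL.get((rule["ethertype"], proto), proto)


def build_args(proto, rule):
    """Build match arguments; for ICMP the range fields hold type and code."""
    args = ["-p", proto]
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None:
        return args
    if proto in ICMP_TYPE_FLAG:
        value = str(lo) if hi is None else f"{lo}/{hi}"
        return args + [ICMP_TYPE_FLAG[proto], value]
    return args + ["-m", "multiport", "--dports", f"{lo}:{lo if hi is None else hi}"]


def rejected_by_restore(args):
    """True if the rule pairs multiport with a protocol it does not support."""
    return "multiport" in args and args[args.index("-p") + 1] not in MULTIPORT_OK


# Constructed rules mirroring the three commands in the report.
RULES = [
    {"ethertype": "IPv4", "protocol": 1, "port_range_min": 8, "port_range_max": 0},
    {"ethertype": "IPv6", "protocol": 58, "port_range_min": 128, "port_range_max": 0},
    {"ethertype": "IPv6", "protocol": "icmpv6", "port_range_min": 128, "port_range_max": 0},
]

if __name__ == "__main__":
    for rule in RULES:
        raw = build_args(str(rule["protocol"]), rule)   # alias used as-is
        fixed = build_args(normalize(rule), rule)       # alias resolved first
        print(rejected_by_restore(raw), " ".join(raw))
        print(rejected_by_restore(fixed), " ".join(fixed))
```

Running `rejected_by_restore` over every generated rule before handing the batch to iptables-restore gives a cheap pre-flight check that catches this class of alias mismatch without a failed apply on the port.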