ICMPv6 is not an available protocol when creating Firewall-Rule
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Undecided | Unassigned |
Bug Description
When creating an IPv6 firewall rule, the network protocol that can be selected is ICMP, TCP, UDP or null, but in fact ICMPv6 is the message control protocol we actually need for a firewall rule whose ip-version = 6.
I tried to create a firewall rule whose "ip-version=6 ,protocol = ICMP".
After the creation, in the ip6tables of the router, the effective rules are as follows:
-A neutron-
-A neutron-
In ip6tables, ICMP cannot control the IPv6 data packet, which means that the above two rules are invalid.
In summary:
1) I think we should list ICMPv6 as an optional protocol when creating firewall rules.
2) Or when creating a firewall rule whose "ip-version=6 ,protocol = ICMP", we should consider that the "ICMP"
Changed in neutron:
assignee: nobody → Yue Qu (bruceq-)
Changed in neutron:
status: New → In Progress
Changed in neutron:
status: In Progress → New
The first thing I noticed is that the rules you pasted are from the l3-agent, is this related to FWaaS and not the SG code in neutron?
Because the following works for me for SG:
$ openstack security group rule create --ingress --protocol icmp --ethertype IPv6 default
# ip6tables-save | grep icmp
-A neutron-openvswi-ib3229831-9 -p ipv6-icmp -j RETURN
That has 'ipv6-icmp' unlike the output you pasted, and it's the L2 agent.
So if this is FWaaS then perhaps they have a bug in how iptables rules are being generated, the base neutron code has some logic to deal with this case specially.
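Added illustration (not code from the bug report or from neutron): a simplified version of the special case the comment refers to, where an IPv6 rule with protocol ICMP is rendered as `-p ipv6-icmp`, plus a check that scans ip6tables-save output for the `-p icmp` rules the reporter saw, which can never match IPv6 traffic. Chain names and the ip6tables-save excerpt are constructed for the example.

```python
import re

PROTO_ICMP = "icmp"            # IANA protocol 1, IPv4 only
PROTO_IPV6_ICMP = "ipv6-icmp"  # IANA protocol 58
# Spellings ip6tables accepts for ICMPv6, plus the protocol number itself.
IPV6_ICMP_ALIASES = {"ipv6-icmp", "icmpv6", "icmp6", "58"}


def iptables_protocol(ip_version, protocol):
    """Return the '-p' value to emit for a rule, or None for 'any protocol'.

    Simplified illustration of the special case mentioned in the comment:
    on an IPv6 rule, 'icmp' (and any ICMPv6 alias) becomes 'ipv6-icmp'.
    This is not neutron's own code.
    """
    if protocol is None:
        return None
    proto = str(protocol).lower()
    if ip_version == 6 and (proto == PROTO_ICMP or proto in IPV6_ICMP_ALIASES):
        return PROTO_IPV6_ICMP
    if ip_version == 4 and proto in IPV6_ICMP_ALIASES:
        raise ValueError("ICMPv6 is not a valid protocol for an IPv4 rule")
    return proto


def render_rule(chain, ip_version, protocol, target="RETURN"):
    """Render one rule line in the form iptables-save prints it."""
    proto = iptables_protocol(ip_version, protocol)
    match = "" if proto is None else " -p %s" % proto
    return "-A %s%s -j %s" % (chain, match, target)


# '-p icmp' or '-p 1' as a whole token (so '-p 10' is not matched).
_P_ICMP = re.compile(r"\s-p\s+(?:icmp|1)(?=\s|$)")


def ineffective_ip6_icmp_rules(ip6tables_save):
    """Return ip6tables-save rule lines that use '-p icmp'.

    In ip6tables 'icmp' resolves to protocol 1, which ICMPv6 (58) never
    carries, so such a rule matches nothing: the symptom in the report.
    """
    return [line for line in ip6tables_save.splitlines()
            if line.startswith("-A ") and _P_ICMP.search(line)]


# Constructed ip6tables-save excerpt (chain names made up, not from the bug).
SAMPLE_IP6TABLES = """\
-A fw-in-example -p icmp -j ACCEPT
-A fw-out-example -p icmp -j ACCEPT
-A sg-in-example -p ipv6-icmp -j RETURN
-A sg-in-example -p tcp -m tcp --dport 22 -j RETURN
"""
```

Running `ineffective_ip6_icmp_rules` over a real `ip6tables-save` dump from the router namespace flags exactly the rules that the reporter describes as invalid.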