ICMPv6 is not an available protocol when creating Firewall-Rule

Bug #1799904 reported by Yue Qu on 2018-10-25
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Undecided
Yue Qu

Bug Description

When creating IPv6 firewall rule, the network protocol that can be selected is ICMP TCP UDP or null,but in fact, ICMPv6 is the message control protocol we actually need for the firewall rule whose ip-version = 6.

I tried to create a firewall rule whose "ip-version=6 ,protocol = ICMP".
After the creation,in the ip6tables of the router, the effective rules are as follows:

-A neutron-l3-agent-ov6a99ac434 -p icmp -j ACCEPT
-A neutron-l3-agent-iv6a99ac434 -p icmp -j ACCEPT

In ip6tables, ICMP cannot control the ipv6 data packet, which means that the above two rules are invalid.

In summary: 1) I think we should list ICMPv6 as an optional protocol when creating firewall rules.

            2) Or when creating firewall rule whose "ip-version=6 ,protocol = ICMP", we should consider that the "ICMP"
            specified here refers to ICMPv6.

Yue Qu (bruceq-) on 2018-10-25
Changed in neutron:
assignee: nobody → Yue Qu (bruceq-)
Brian Haley (brian-haley) wrote :

The first thing I noticed is that the rules you pasted are from the l3-agent, is this related to FWaaS and not the SG code in neutron?

Because the following works for me for SG:

$ openstack security group rule create --ingress --protocol icmp --ethertype IPv6 default

# ip6tables-save | grep icmp
-A neutron-openvswi-ib3229831-9 -p ipv6-icmp -j RETURN

That has 'ipv6-icmp' unlike the output you pasted, and it's the L2 agent.

So if this is FWaaS then perhaps they have a bug in how iptables rules are being generated, the base neutron code has some logic to deal with this case specially.

Yue Qu (bruceq-) on 2018-11-08
Changed in neutron:
status: New → In Progress
Yue Qu (bruceq-) wrote :

Yes Brian, this bug is only related to FWaaS , the SG works well

Yue Qu (bruceq-) on 2018-11-14
Changed in neutron:
status: In Progress → New

Fix proposed to branch: master
Review: https://review.openstack.org/618388

Changed in neutron:
status: New → In Progress

Reviewed: https://review.openstack.org/618388
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=fa48d16d694269b6b4245b90454448f8e9895ed8
Submitter: Zuul
Branch: master

commit fa48d16d694269b6b4245b90454448f8e9895ed8
Author: quyue <email address hidden>
Date: Fri Nov 16 10:35:04 2018 +0800

    ICMPv6 is not an available protocol when creating firewall rule

    When creating IPv6 firewall rule, the network protocol that can be
    selected is ICMP TCP UDP or null.
    But in fact, ICMPv6 is the message control protocol we actually need
    for the firewall rule whose ip-version = 6.

    This patch fixes this bug with the following logic:
    When creating firewall rule whose "ip-version = 6, protocol = ipv6-icmp"
    , we should consider that the "icmp" refers to "ipv6-icmp".

    Closes-Bug: #1799904
    Change-Id: I27cff5ba9986f30fa4c7ddb12db920300edd521b

Changed in neutron:
status: In Progress → Fix Released

This issue was fixed in the openstack/neutron-fwaas 14.0.0.0b1 development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers