[Fwaasv1][Fwaasv2] can update a firewall rule with icmp protocol when source/destination port is specified which should not be allowed
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Confirmed | Low | Unassigned | |
Bug Description
firewall group rule with protocol: icmp, source/destination port, and action any
it throws the following error,
nicira@
Source, destination port are not allowed when protocol is set to ICMP.
Neutron server returns request_ids: ['req-09cc6a16-
but when user created a firewall group rule with protocol: tcp and --source-port:23
nicira@
+------
| Field | Value |
+------
| Action | deny |
| Description | |
| Destination IP Address | None |
| Destination Port | None |
| Enabled | True |
| ID | 79f8c59e-
| IP Version | 4 |
| Name | bg-rl |
| Project | 7e5ec032563948e
| Protocol | tcp |
| Shared | False |
| Source IP Address | None |
| Source Port | 23 |
| firewall_policy_id | None |
| project_id | 7e5ec032563948e
+------
and updated it with protocol icmp, it is allowed.
nicira@
nicira@
+------
| Field | Value |
+------
| Action | deny |
| Description | |
| Destination IP Address | None |
| Destination Port | None |
| Enabled | True |
| ID | 79f8c59e-
| IP Version | 4 |
| Name | bg-rl |
| Project | 7e5ec032563948e
| Protocol | icmp |
| Shared | False |
| Source IP Address | None |
| Source Port | 23 |
| firewall_policy_id | None |
| project_id | 7e5ec032563948e
+------
When icmp + port is not allowed, this should be validated while updating the rule.
There should be validation while updating firewall rules to check if a port is specified and the protocol is icmp.
The traces are here,
INFO neutron.wsgi [None req-86f01b1f-
DEBUG neutron.api.v2.base [None req-b5132d41-
DEBUG neutron_
DEBUG neutron_
DEBUG neutron_
DEBUG neutron_
DEBUG neutron_
DEBUG neutron_
This is not a CLI bug. This should be fixed in neutron-fwaas.
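One way to close the gap described in this report, as an added example that is not neutron-fwaas code: the partial update is merged onto the stored rule before the ICMP/port check runs. The function names and the dict-based rule are assumptions; `body_only_update` is included only for contrast and is not a claim about how neutron-fwaas is implemented.

```python
# Added example: hypothetical helper names, not neutron-fwaas code.
PORT_FIELDS = ("source_port", "destination_port")
ICMP_PORT_ERROR = ("Source, destination port are not allowed "
                   "when protocol is set to ICMP.")

# Constructed sample: the stored rule from the report (tcp, source port 23).
STORED_RULE = {"name": "bg-rl", "action": "deny", "protocol": "tcp",
               "source_port": "23", "destination_port": None}


class RuleValidationError(ValueError):
    """Raised when a rule combines ICMP with a port."""


def validate_rule(rule):
    """Check one complete rule dict for the ICMP + port conflict."""
    protocol = (rule.get("protocol") or "").lower()
    if protocol == "icmp" and any(rule.get(f) is not None for f in PORT_FIELDS):
        raise RuleValidationError(ICMP_PORT_ERROR)
    return rule


def body_only_update(stored, changes):
    """For contrast: validates only the request body, then merges."""
    validate_rule(changes)          # {"protocol": "icmp"} has no port: passes
    return {**stored, **changes}    # stored source_port survives the merge


def merged_update(stored, changes):
    """Validates the rule as it would exist after the update."""
    return validate_rule({**stored, **changes})


def is_rejected(update, stored, changes):
    """Return True if the given update function refuses the change."""
    try:
        update(stored, changes)
    except RuleValidationError:
        return True
    return False
```

With the merged check, an update that switches the protocol to icmp and clears the port in the same request is still accepted, and adding a port to an existing icmp rule is refused as well.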