SG rule should not allow an ICMP Policy when icmp-code alone is provided.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | High | Sridhar Gaddam | |
| Icehouse | New | Undecided | Unassigned | |
Bug Description
When we add a Security Group ICMP rule with icmp-type/code, the rule gets added properly and it translates to an appropriate firewall policy.
It was noticed that when adding a security group rule without providing the icmp-type (port-range-min) and only providing the icmp-code (port-range-max), no error is reported, but there is a mismatch with the iptables rule (a generic icmp policy gets added).
Example:
neutron --debug security-
translates to an iptables rule like
-A neutron-
The Security Group rules listing in Horizon/
This could be misleading and is inconsistent.
It would be good if validation is done on the input to check that "--port-range-max" is passed when "--port-range-min" is provided so that SG Group rules are consistent with the iptables rules that are added.
Please note: iptables does not allow us to add an icmp rule when an icmp-type is not provided and only icmp-code is provided.
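One way to express the input validation the report asks for, as an added example (not Neutron's code and not the fix under review). The function and exception names are hypothetical, and the rule is modelled as a plain dict whose `port_range_min` and `port_range_max` carry the ICMP type and code as described above.

```python
# Added example: names are hypothetical, not taken from Neutron.
ICMP_PROTOCOLS = {"icmp", "1"}  # assumed spellings of the protocol field


class InvalidIcmpRule(ValueError):
    """ICMP type/code fields of a rule are missing or out of range."""


def validate_icmp_rule(rule):
    """Check the ICMP fields of a security group rule dict.

    port_range_min carries the ICMP type, port_range_max the ICMP code.
    Non-ICMP rules are not inspected.
    """
    if str(rule.get("protocol")).lower() not in ICMP_PROTOCOLS:
        return
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    # Type and code are 8-bit fields in the ICMP header.
    for name, value in (("type", icmp_type), ("code", icmp_code)):
        if value is not None and not (isinstance(value, int) and 0 <= value <= 255):
            raise InvalidIcmpRule(f"ICMP {name} must be an integer in 0..255, got {value!r}")
    # The case from this report: a code is meaningless without its type, and
    # silently dropping it would install a rule matching all ICMP traffic.
    if icmp_code is not None and icmp_type is None:
        raise InvalidIcmpRule(
            f"ICMP code ({icmp_code}) given without an ICMP type; "
            "set port_range_min as well")


def iptables_icmp_match(rule):
    """Return iptables match arguments for an ICMP rule, validating first."""
    validate_icmp_rule(rule)
    args = ["-p", "icmp"]
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    if icmp_type is not None:
        match = str(icmp_type)
        if icmp_code is not None:
            match += f"/{icmp_code}"
        args += ["--icmp-type", match]
    return args


if __name__ == "__main__":
    # Constructed sample rules, not taken from the report.
    for sample in ({"protocol": "icmp", "port_range_min": 8, "port_range_max": 0},
                   {"protocol": "icmp", "port_range_max": 0}):
        try:
            print(sample, "->", iptables_icmp_match(sample))
        except InvalidIcmpRule as exc:
            print(sample, "-> rejected:", exc)
```

Rejecting the code-only rule at the API keeps the stored rule and the installed iptables match in agreement, instead of recording a narrow rule while enforcing a generic one.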
Changed in neutron:
assignee: nobody → Sridhar Gaddam (sridhargaddam)
description: updated
description: updated
Changed in neutron:
status: New → In Progress
description: updated
Changed in neutron:
importance: Undecided → High
Changed in neutron:
milestone: none → juno-1
status: Fix Committed → Fix Released
Changed in neutron:
milestone: juno-1 → 2014.2
Fix proposed to branch: master
Review: https://review.openstack.org/85026