[openstack-dev] [neutron][tempest] iptables-based security groups / accepting ingress ICMP

Kevin Benton blak111 at gmail.com
Fri Sep 11 07:50:47 UTC 2015


Neutron security groups are stateful. A response should be able to come
back without ingress rules regardless of the use of iptables.

On Fri, Sep 11, 2015 at 12:25 AM, Tikkanen, Viktor (Nokia - FI/Espoo) <
viktor.tikkanen at nokia.com> wrote:

> Hi!
>
> We have a scenario tempest test case (test_cross_tenant_traffic) which
> assumes that an instance should be able to receive icmp echo responses
> even when no ingress security rules are defined for that instance.
>
> I don't take a stand on iptables-based security group implementation
> details (this was discussed e.g. here:
> http://lists.openstack.org/pipermail/openstack-dev/2015-April/060989.html
> ) but rather on tempest logic.
>
> Do we have some requirement(s) that incoming packets with ESTABLISHED
> state should be accepted regardless of security rules? If so, does it
> really concern also ICMP packets?
>
> And if there are no such requirements, should we e.g. parameterize the
> test case so that it will be skipped when no iptables-based firewall
> drivers are used?
>
> -Viktor



-- 
Kevin Benton
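
The stateful behaviour described in the reply above, as an added example that is not part of the original message and is not Neutron code: a simplified model of a connection-tracking filter on one port, showing an ICMP echo reply accepted with no ingress rule while unsolicited ingress traffic is dropped. The class and function names, the addresses, and the choice to key flows on the ICMP echo identifier are assumptions made for illustration.

```python
"""Constructed model of a stateful security group on one port (not Neutron code)."""
from dataclasses import dataclass

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int  # ICMP echo identifier, used here as the flow key


class StatefulPort:
    def __init__(self, allow_new):
        # allow_new: which directions have a rule permitting NEW ICMP flows
        self.allow_new = allow_new
        self.flows = set()  # (requester, responder, ident) of accepted requests

    def filter(self, direction, pkt):
        if pkt.icmp_type == ECHO_REPLY:
            # A reply belongs to a tracked flow or to nothing at all;
            # the rule list for its direction is never consulted.
            tracked = (pkt.dst, pkt.src, pkt.ident) in self.flows
            return "ACCEPT" if tracked else "DROP"
        if pkt.icmp_type == ECHO_REQUEST and self.allow_new[direction]:
            self.flows.add((pkt.src, pkt.dst, pkt.ident))
            return "ACCEPT"
        return "DROP"


def demo():
    """Egress ICMP allowed, no ingress rules at all (constructed addresses)."""
    vm, peer = "10.0.0.5", "10.0.1.9"
    port = StatefulPort({"egress": True, "ingress": False})
    return [
        port.filter("egress", Icmp(vm, peer, ECHO_REQUEST, 77)),   # ping out
        port.filter("ingress", Icmp(peer, vm, ECHO_REPLY, 77)),    # its reply
        port.filter("ingress", Icmp(peer, vm, ECHO_REQUEST, 5)),   # unsolicited ping
        port.filter("ingress", Icmp(peer, vm, ECHO_REPLY, 99)),    # reply to nothing
    ]


if __name__ == "__main__":
    print(demo())
```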