<div dir="ltr">Sean, you are right. It doesn't work at all. <br><br>So I think the short-term goal is to get that fixed for ICMP, and the long-term goal is to write an extension, as Amir pointed out?<br></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Wed, Mar 5, 2014 at 1:55 AM, Collins, Sean <span dir="ltr"><<a href="mailto:Sean_Collins2@cable.comcast.com" target="_blank">Sean_Collins2@cable.comcast.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On Tue, Mar 04, 2014 at 12:01:00PM -0500, Brian Haley wrote:<br>
> On 03/03/2014 11:18 AM, Collins, Sean wrote:<br>
> > On Mon, Mar 03, 2014 at 09:39:42PM +0800, Xuhan Peng wrote:<br>
> >> Currently, only security group rule direction, protocol, ethertype and port<br>
> >> range are supported by neutron security group rule data structure. To allow<br>
> ><br>
> > If I am not mistaken, I believe that when you use the ICMP protocol<br>
> > type, you can use the port range specs to limit the type.<br>
> ><br>
> > <a href="https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L309" target="_blank">https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L309</a><br>
> ><br>
> > <a href="http://i.imgur.com/3n858Pf.png" target="_blank">http://i.imgur.com/3n858Pf.png</a><br>
> ><br>
> > I assume we just have to check and see if it applies to ICMPv6?<br>
><br>
> I tried using horizon to add an icmp type/code rule, and it didn't work.<br>
><br>
> Before:<br>
><br>
> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN<br>
><br>
> After:<br>
><br>
> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN<br>
> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN<br>
><br>
> I'd assume I'll have the same error with v6.<br>
><br>
> I am curious what's actually being done under the hood here now...<br>
<br>
</div>Looks like _port_arg just returns an empty array when the protocol is<br>
ICMP?<br>
<br>
<a href="https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L328" target="_blank">https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L328</a><br>

<br>
Called by:<br>
<br>
<a href="https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L292" target="_blank">https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L292</a><br>

<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
Sean M. Collins<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br></div>
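<div>Added example, not part of the thread or of Neutron's code: a Python check that compares a chain's rendered rules with the ICMP type/code a security group rule asked for, flagging lines like the "After" output above that match all ICMP. It assumes, as suggested in the thread, that port_range_min carries the ICMP type and port_range_max the code; the function names, the sample rule and the corrected line are constructed for illustration, and only IPv4 ICMP is covered.</div>

```python
import shlex

def expected_icmp_match(rule):
    """iptables match args that an ICMP rule with a type/code should produce.

    Assumption (from the thread): port_range_min holds the ICMP type and
    port_range_max the ICMP code.
    """
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    if rule.get("protocol") != "icmp" or icmp_type is None:
        return []  # no type requested: matching any ICMP is intended
    spec = str(icmp_type) if icmp_code is None else f"{icmp_type}/{icmp_code}"
    return ["--icmp-type", spec]

def audit_chain(rule, chain_lines):
    """Return (enforced, broader): whether the requested type/code match is
    present, and which ICMP lines match without any type restriction."""
    want = expected_icmp_match(rule)
    if not want:
        return True, []  # nothing to narrow, so nothing can be dropped
    enforced, broader = False, []
    for line in chain_lines:
        tokens = shlex.split(line)
        if "-p" not in tokens[:-1] or tokens[tokens.index("-p") + 1] != "icmp":
            continue  # not an ICMP rule
        if "--icmp-type" not in tokens[:-1]:
            broader.append(line)  # type/code was lost: all ICMP matches
        elif tokens[tokens.index("--icmp-type") + 1] == want[1]:
            enforced = True
    return enforced, broader

# Constructed rule: allow only echo request (type 8, code 0).
RULE = {"protocol": "icmp", "port_range_min": 8, "port_range_max": 0}
# "After" output quoted in the thread.
AFTER_FROM_THREAD = [
    "-A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN",
    "-A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN",
]
# Constructed line showing what an enforced rule would look like.
FIXED = ["-A neutron-linuxbri-i4533da4f-1 -p icmp -m icmp --icmp-type 8/0 -j RETURN"]

if __name__ == "__main__":
    print(audit_chain(RULE, AFTER_FROM_THREAD))
    print(audit_chain(RULE, FIXED))
```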