<div dir="ltr">Neutron security groups are stateful. A response should be able to come back without ingress rules regardless of the use of iptables. </div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 11, 2015 at 12:25 AM, Tikkanen, Viktor (Nokia - FI/Espoo) <span dir="ltr">&lt;<a href="mailto:viktor.tikkanen@nokia.com" target="_blank">viktor.tikkanen@nokia.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi!<br>
<br>
We have a scenario tempest test case (test_cross_tenant_traffic) which<br>
assumes that an instance should be able to receive icmp echo responses<br>
even when no ingress security rules are defined for that instance.<br>
<br>
I don't take a stand on iptables-based security group implementation<br>
details (this was discussed e.g. here:<br>
<a href="http://lists.openstack.org/pipermail/openstack-dev/2015-April/060989.html" rel="noreferrer" target="_blank">http://lists.openstack.org/pipermail/openstack-dev/2015-April/060989.html</a><br>
) but rather on tempest logic.<br>
<br>
Do we have some requirement(s) that incoming packets with ESTABLISHED<br>
state should be accepted regardless of security rules? If so, does it<br>
really concern also ICMP packets?<br>
<br>
And if there are no such requirements, should we e.g. parameterize the<br>
test case so that it will be skipped when no iptables-based firewall<br>
drivers are used?<br>
<br>
-Viktor<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div>Kevin Benton</div></div>
</div>
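<div>The stateful behaviour discussed in this thread, as an added example that is not part of either message and is not Neutron or tempest code: a simplified Python model of a port with connection tracking and no ingress rules, showing why an ICMP echo reply to the instance's own ping is accepted while an unsolicited echo request is dropped. The class and function names, the addresses and the "egress is always allowed" behaviour are assumptions made for the illustration.</div>

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str           # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0       # TCP only
    dport: int = 0       # TCP only
    icmp_type: str = ""  # "echo-request" or "echo-reply"
    icmp_id: int = 0     # ICMP echo identifier

def originated_flow(p):
    """Flow-table key for a packet that opens a flow, or None if it cannot."""
    if p.proto == "icmp":
        # Only an echo request opens a trackable ICMP flow in this model.
        return ("icmp", p.src, p.dst, p.icmp_id) if p.icmp_type == "echo-request" else None
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def answered_flow(p):
    """Key of the flow this packet would be a reply to, or None."""
    if p.proto == "icmp":
        return ("icmp", p.dst, p.src, p.icmp_id) if p.icmp_type == "echo-reply" else None
    return (p.proto, p.dst, p.dport, p.src, p.sport)

@dataclass
class StatefulPort:
    ingress_rules: set = field(default_factory=set)  # allowed (proto, remote_ip)
    flows: set = field(default_factory=set)          # connection-tracking table

    def egress(self, p):
        # Assumption: egress is allowed, so every outbound flow is recorded.
        key = originated_flow(p)
        if key is not None:
            self.flows.add(key)
        return "ACCEPT"

    def ingress(self, p):
        if answered_flow(p) in self.flows:
            return "ACCEPT"  # reply to a tracked flow: ESTABLISHED, rules not consulted
        return "ACCEPT" if (p.proto, p.src) in self.ingress_rules else "DROP"

def demo():
    vm = StatefulPort()  # no ingress rules at all
    # Constructed sample packets; the addresses are placeholders.
    ping = Packet("icmp", "10.0.0.5", "10.0.1.7", icmp_type="echo-request", icmp_id=4242)
    reply = Packet("icmp", "10.0.1.7", "10.0.0.5", icmp_type="echo-reply", icmp_id=4242)
    probe = Packet("icmp", "10.0.1.7", "10.0.0.5", icmp_type="echo-request", icmp_id=7)
    before = vm.ingress(reply)  # echo reply with no matching request yet
    vm.egress(ping)
    return before, vm.ingress(reply), vm.ingress(probe)
```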