[openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group

Collins, Sean Sean_Collins2 at cable.comcast.com
Tue Mar 4 17:55:45 UTC 2014


On Tue, Mar 04, 2014 at 12:01:00PM -0500, Brian Haley wrote:
> On 03/03/2014 11:18 AM, Collins, Sean wrote:
> > On Mon, Mar 03, 2014 at 09:39:42PM +0800, Xuhan Peng wrote:
> >> Currently, only security group rule direction, protocol, ethertype and port
> >> range are supported by neutron security group rule data structure. To allow
> > 
> > If I am not mistaken, I believe that when you use the ICMP protocol
> > type, you can use the port range specs to limit the type.
> > 
> > https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L309
> > 
> > http://i.imgur.com/3n858Pf.png
> > 
> > I assume we just have to check and see if it applies to ICMPv6?
> 
> I tried using horizon to add an icmp type/code rule, and it didn't work.
> 
> Before:
> 
> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
> 
> After:
> 
> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
> 
> I'd assume I'll have the same error with v6.
> 
> I am curious what's actually being done under the hood here now...

Looks like _port_arg just returns an empty array when the protocol is
ICMP?

https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L328

Called by: 

https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L292


-- 
Sean M. Collins
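
The behaviour discussed in this thread, as an added example that is not part of the original message and is not Neutron's code: a rule-to-iptables translation that returns no extra match for ICMP, beside one that emits the type/code match. The function names, the rule dictionary layout, and the assumption that port_range_min carries the ICMP type and port_range_max the ICMP code are hypothetical.

```python
# Added illustration; names and rule layout are hypothetical, not Neutron's code.
# Assumption: port_range_min holds the ICMP type, port_range_max the ICMP code.
ICMP_FLAG = {"icmp": "--icmp-type", "icmpv6": "--icmpv6-type"}
CHAIN = "neutron-linuxbri-i4533da4f-1"  # chain name quoted in the thread


def l4_port_args(lo, hi):
    """Destination-port match for TCP/UDP rules."""
    if hi is None or lo == hi:
        return ["--dport", str(lo)]
    return ["--dport", f"{lo}:{hi}"]


def port_args_dropping_icmp(rule):
    """Behaviour described in the thread: ICMP yields an empty list."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if rule["protocol"] in ICMP_FLAG or lo is None:
        return []  # the type/code restriction is silently lost here
    return l4_port_args(lo, hi)


def port_args_with_icmp(rule):
    """Same translation, but ICMP type/code becomes an explicit match."""
    proto = rule["protocol"]
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None:
        return []  # no restriction was requested
    if proto in ICMP_FLAG:
        for value in (lo, hi):
            if value is not None and not 0 <= value <= 255:
                raise ValueError("ICMP type and code must be in 0-255")
        spec = str(lo) if hi is None else f"{lo}/{hi}"
        return [ICMP_FLAG[proto], spec]
    return l4_port_args(lo, hi)


def build_rule(chain, rule, port_args):
    """Render one ingress allow rule the way the thread's output shows it."""
    parts = ["-A", chain, "-p", rule["protocol"], *port_args(rule), "-j", "RETURN"]
    return " ".join(parts)


# Constructed sample rule: allow only ICMP echo request (type 8, code 0).
ECHO_ONLY = {"protocol": "icmp", "port_range_min": 8, "port_range_max": 0}

if __name__ == "__main__":
    print(build_rule(CHAIN, ECHO_ONLY, port_args_dropping_icmp))
    print(build_rule(CHAIN, ECHO_ONLY, port_args_with_icmp))
```

With the first translation, a rule meant to admit one ICMP type renders as a bare `-p icmp -j RETURN`, which admits every ICMP type, so checking the generated chain is the reliable way to confirm what a type-restricted rule actually enforces.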

