[openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group

Xuhan Peng pengxuhan at gmail.com
Thu Mar 6 09:42:43 UTC 2014


Sean, you are right. It doesn't work at all.

So I think the short-term goal is to get that fixed for ICMP and the long-term goal
is to write an extension, as Amir pointed out?


On Wed, Mar 5, 2014 at 1:55 AM, Collins, Sean <
Sean_Collins2 at cable.comcast.com> wrote:

> On Tue, Mar 04, 2014 at 12:01:00PM -0500, Brian Haley wrote:
> > On 03/03/2014 11:18 AM, Collins, Sean wrote:
> > > On Mon, Mar 03, 2014 at 09:39:42PM +0800, Xuhan Peng wrote:
> > >> Currently, only security group rule direction, protocol, ethertype and port
> > >> range are supported by neutron security group rule data structure. To allow
> > >
> > > If I am not mistaken, I believe that when you use the ICMP protocol
> > > type, you can use the port range specs to limit the type.
> > >
> > >
> > > https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L309
> > >
> > > http://i.imgur.com/3n858Pf.png
> > >
> > > I assume we just have to check and see if it applies to ICMPv6?
> >
> > I tried using horizon to add an icmp type/code rule, and it didn't work.
> >
> > Before:
> >
> > -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
> >
> > After:
> >
> > -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
> > -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
> >
> > I'd assume I'll have the same error with v6.
> >
> > I am curious what's actually being done under the hood here now...
>
> Looks like _port_arg just returns an empty array when the protocol is
> ICMP?
>
>
> https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L328
>
> Called by:
>
>
> https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L292
>
>
> --
> Sean M. Collins
>
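
An added example, not part of the original thread and not Neutron's code: a check for the symptom Brian shows above, where a rule that asks for an ICMP type/code is rendered as a plain `-p icmp` match and so admits all ICMP. It assumes the type is carried in `port_range_min` and the code in `port_range_max`, as Sean suggests; the helper names and the sample rule are hypothetical.

```python
import shlex

# Assumption (from the thread): ICMP type travels in port_range_min and
# ICMP code in port_range_max. Helper names are hypothetical, not Neutron's.

def icmp_match_args(rule):
    """Match arguments an ICMP security group rule should render to."""
    v6 = rule["ethertype"] == "IPv6"
    args = ["-p", "icmpv6" if v6 else "icmp"]
    icmp_type = rule.get("port_range_min")
    icmp_code = rule.get("port_range_max")
    if icmp_type is None:
        if icmp_code is not None:
            raise ValueError("ICMP code given without an ICMP type")
        return args  # no restriction requested: match all ICMP
    for name, value in (("type", icmp_type), ("code", icmp_code)):
        if value is not None and not 0 <= value <= 255:
            raise ValueError("ICMP %s out of range: %r" % (name, value))
    spec = str(icmp_type) if icmp_code is None else "%d/%d" % (icmp_type, icmp_code)
    return args + ["--icmpv6-type" if v6 else "--icmp-type", spec]


def drops_icmp_filter(rule, rendered_line):
    """True if the rule restricts type/code but the rendered line does not."""
    expected = icmp_match_args(rule)
    if len(expected) == 2:
        return False  # rule allows all ICMP, nothing to lose
    flag, spec = expected[2:]
    tokens = shlex.split(rendered_line)
    return not any(a == flag and b == spec for a, b in zip(tokens, tokens[1:]))


# Constructed sample rule: allow only echo request (type 8, code 0).
PING_ONLY = {"direction": "ingress", "ethertype": "IPv4", "protocol": "icmp",
             "port_range_min": 8, "port_range_max": 0}
# Rendered line as quoted in the thread, and a constructed corrected form.
AS_RENDERED = "-A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN"
AS_INTENDED = "-A neutron-linuxbri-i4533da4f-1 -p icmp --icmp-type 8/0 -j RETURN"

if __name__ == "__main__":
    print(icmp_match_args(PING_ONLY))
    print(drops_icmp_filter(PING_ONLY, AS_RENDERED))
    print(drops_icmp_filter(PING_ONLY, AS_INTENDED))
```
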