[openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group

Xuhan Peng pengxuhan at gmail.com
Fri Mar 7 02:02:26 UTC 2014


I opened a bug [1] and submitted a patch [2] to solve this short term
(hopefully for Icehouse)

[1] https://bugs.launchpad.net/neutron/+bug/1289088
[2] https://review.openstack.org/#/c/78835/

Xuhan


On Thu, Mar 6, 2014 at 5:42 PM, Xuhan Peng <pengxuhan at gmail.com> wrote:

> Sean, you are right. It doesn't work at all.
>
> So I think short term goal is to get that fixed for ICMP and long term
> goal is to write an extension as Amir pointed out?
>
>
> On Wed, Mar 5, 2014 at 1:55 AM, Collins, Sean <
> Sean_Collins2 at cable.comcast.com> wrote:
>
>> On Tue, Mar 04, 2014 at 12:01:00PM -0500, Brian Haley wrote:
>> > On 03/03/2014 11:18 AM, Collins, Sean wrote:
>> > > On Mon, Mar 03, 2014 at 09:39:42PM +0800, Xuhan Peng wrote:
>> > >> Currently, only security group rule direction, protocol, ethertype and port
>> > >> range are supported by neutron security group rule data structure. To allow
>> > >
>> > > If I am not mistaken, I believe that when you use the ICMP protocol
>> > > type, you can use the port range specs to limit the type.
>> > >
>> > >
>> https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L309
>> > >
>> > > http://i.imgur.com/3n858Pf.png
>> > >
>> > > I assume we just have to check and see if it applies to ICMPv6?
>> >
>> > I tried using horizon to add an icmp type/code rule, and it didn't work.
>> >
>> > Before:
>> >
>> > -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>> >
>> > After:
>> >
>> > -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>> > -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>> >
>> > I'd assume I'll have the same error with v6.
>> >
>> > I am curious what's actually being done under the hood here now...
>>
>> Looks like _port_arg just returns an empty array when the protocol is
>> ICMP?
>>
>>
>> https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L328
>>
>> Called by:
>>
>>
>> https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L292
>>
>>
>> --
>> Sean M. Collins
>>
>
>
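As an added illustration of the mapping the thread is discussing (not Neutron's code, and not the patch linked above): a security group rule with protocol icmp is expected to carry the ICMP type in port_range_min and the code in port_range_max, and the firewall driver has to turn that into an iptables match. The first helper reproduces the behaviour Brian and Sean observed (no match arguments for ICMP, so the "After" rule is identical to the "Before" rule and still matches all ICMP); the second is an assumed corrected mapping, including the ICMPv6 case, which this thread raises but whose actual implementation is not shown here.

```python
# Added example, not Neutron's own code: models how one security group
# rule becomes iptables match arguments. Rule fields follow the thread's
# convention: for protocol 'icmp', port_range_min is the ICMP type and
# port_range_max the ICMP code.

def port_arg_as_observed(rule):
    """Behaviour the thread reports: ICMP rules get no match arguments,
    so a type/code-restricted rule renders identically to 'any ICMP'."""
    if rule.get('protocol') == 'icmp' or rule.get('port_range_min') is None:
        return []
    return ['--dport', str(rule['port_range_min'])]

def port_arg(rule):
    """Corrected mapping (assumed here, not Neutron's actual patch)."""
    proto = rule.get('protocol')
    lo, hi = rule.get('port_range_min'), rule.get('port_range_max')
    if proto is None or lo is None:
        return []                       # whole-protocol rule: nothing to add
    if proto == 'icmp':
        # Assumption: IPv6 rules are rendered for ip6tables, where ICMPv6
        # is matched with '-p icmpv6 --icmpv6-type'.
        flag = '--icmpv6-type' if rule.get('ethertype') == 'IPv6' else '--icmp-type'
        spec = str(lo) if hi is None else '%d/%d' % (lo, hi)   # type[/code]
        return [flag, spec]
    if hi is None or hi == lo:
        return ['--dport', str(lo)]
    return ['-m', 'multiport', '--dports', '%d:%d' % (lo, hi)]

def render_rule(chain, rule, port_arg_fn=port_arg):
    """Build the '-A <chain> ...' line so the effect of port_arg_fn is visible."""
    proto = rule.get('protocol')
    if proto == 'icmp' and rule.get('ethertype') == 'IPv6':
        proto = 'icmpv6'
    args = ['-A', chain]
    if proto:
        args += ['-p', proto]
    return ' '.join(args + port_arg_fn(rule) + ['-j', 'RETURN'])

if __name__ == '__main__':
    chain = 'neutron-linuxbri-i4533da4f-1'      # chain name from the thread
    echo_req = {'ethertype': 'IPv4', 'protocol': 'icmp',
                'port_range_min': 8, 'port_range_max': 0}   # echo request only
    print(render_rule(chain, echo_req, port_arg_as_observed))  # no type: matches all ICMP
    print(render_rule(chain, echo_req))                        # --icmp-type 8/0
```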