[openstack-dev] [neutron][tempest] iptables-based security groups / accepting ingress ICMP

Tikkanen, Viktor (Nokia - FI/Espoo) viktor.tikkanen at nokia.com
Fri Sep 11 07:25:37 UTC 2015


Hi!

We have a scenario tempest test case (test_cross_tenant_traffic) which
assumes that an instance should be able to receive ICMP echo responses
even when no ingress security rules are defined for that instance.

I don't take a stand on iptables-based security group implementation
details (this was discussed e.g. here:
http://lists.openstack.org/pipermail/openstack-dev/2015-April/060989.html
) but rather on tempest logic.

Do we have some requirement(s) that incoming packets with ESTABLISHED
state should be accepted regardless of security rules? If so, does it
really concern also ICMP packets?

And if there are no such requirements, should we e.g. parameterize the
test case so that it will be skipped when no iptables-based firewall
drivers are used?

-Viktor
