Created attachment 765551 [details] sample patch (just to indicate the cause of the problem) Description of problem: You cannot add a security group rule such as: protocol: icmp type: 8 code: 0 It causes the following error: 2013-06-26 21:15:47.348 15711 TRACE nova.api.openstack QuantumClientException: For TCP/UDP protocols, port_range_min must be <= port_range_max I'm using the Horizon dashboard to add the rule, but it would be the same for a direct API operation. Version-Release number of selected component (if applicable): # rpm -qa | grep quantum python-quantumclient-2.2.1-3.fc19.noarch python-quantum-2013.1.2-1.fc19.noarch openstack-quantum-openvswitch-2013.1.2-1.fc19.noarch openstack-quantum-2013.1.2-1.fc19.noarch Additional info: The problem lies in _validate_security_group_rules() in quantum/db/securitygroups_db.py In this function, the following condition is validated. rule['port_range_min'] <= rule['port_range_max'] But in the case of ICMP protocol rule, since rule['port_range_min'] and rule['port_range_max'] correspond to icmp type and code, this validation is wrong. Instead, the following condition should be checked. if ( rule['port_range_min'] >= -1 and rule['port_range_min'] <= 255 and rule['port_range_max'] >= -1 and rule['port_range_max'] <= 255): See the attachment for my patch, but this is just a quick hack. More fundamental refactoring should be done to handle different protocols separately.
A mitigation for this issue is to open ALL ICMP type range (set min==max==0). A more granular configuration, like enabling only ping (type-8), is not supported in the Havana code base.
Fixed upstream in July https://review.openstack.org/#/c/35736/