Feature Request
Resolution: Unresolved
Major
Product / Portfolio Work
1. Proposed title of this feature request
EgressFirewall support for controlling ICMP traffic
2. What is the nature and description of the request?
Customers use EgressFirewall objects to control which traffic is allowed from Pods within an OpenShift cluster to external destinations. An EgressFirewall rule can currently match ports for the TCP, UDP and SCTP protocols, but offers no way to match ICMP traffic explicitly.
This RFE requests ICMP support in EgressFirewall. Customers would like to allow ICMP traffic to certain IPs or subnets, while blocking all other traffic or allowing only certain traffic, see below for an example. This is similar to the requests in RFE-5662 (Add ICMP support to Network Policies) and RFE-6896 (ICMP Support in MultiNetworkPolicy), but for EgressFirewall objects.
3. Why does the customer need this? (List the business requirements here)
Customers are required to implement regulations regarding network security that include default deny-all rules. For example, customers may have the following default "deny-all" rule in place for all namespaces:
    apiVersion: k8s.ovn.org/v1
    kind: EgressFirewall
    metadata:
      name: default
    spec:
      egress:
      - to:
          cidrSelector: 0.0.0.0/0
        type: Deny
This also blocks ICMP traffic. Traffic to external hosts or subnets then has to be allowed explicitly by adding specific rules ahead of the deny rule (rules are evaluated in order), e.g.
    apiVersion: k8s.ovn.org/v1
    kind: EgressFirewall
    metadata:
      name: default
    spec:
      egress:
      - ports:
        - port: 22
          protocol: TCP
        to:
          cidrSelector: 1.2.3.4/32
        type: Allow
      - to:
          cidrSelector: 0.0.0.0/0
        type: Deny
This allows connections to 1.2.3.4 on port 22/TCP only. If a customer wants to allow port 22/TCP AND ICMP to that host (for example so that it can be pinged), there is currently no way to allow ICMP explicitly; the only option is to allow all traffic to the IP:
    apiVersion: k8s.ovn.org/v1
    kind: EgressFirewall
    metadata:
      name: default
    spec:
      egress:
      - to:
          cidrSelector: 1.2.3.4/32
        type: Allow
      - to:
          cidrSelector: 0.0.0.0/0
        type: Deny
This allows any traffic (including ICMP) to 1.2.3.4, which is far more than the two protocols actually needed. Customers, however, are required to specify rules at this finer granularity.
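To make the first-match semantics behind the three objects above concrete, here is an added example in Python (not code from this RFE or from OVN-Kubernetes): a toy evaluator that models rules being checked in order, a `ports` entry matching only TCP/UDP/SCTP, and traffic matched by no rule being allowed, then runs the three policies from this request against constructed probe packets. It assumes cidrSelector targets only and does not model dnsName or nodeSelector; the policy and probe data are constructed for illustration.

```python
"""Added example: a toy evaluator for OVN-Kubernetes EgressFirewall rules.

Models only the documented matching semantics (rules evaluated in order,
first match decides, a `ports` entry matches just TCP/UDP/SCTP, traffic
matched by no rule is allowed). It is not OVN-Kubernetes code and does
not model dnsName or nodeSelector targets.
"""
import ipaddress

# Constructed policies mirroring the three YAML objects in this RFE.
DENY_ALL = [
    {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
]
SSH_ONLY = [
    {"type": "Allow", "to": {"cidrSelector": "1.2.3.4/32"},
     "ports": [{"port": 22, "protocol": "TCP"}]},
    {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
]
WHOLE_HOST = [
    {"type": "Allow", "to": {"cidrSelector": "1.2.3.4/32"}},
    {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
]


def rule_matches(rule, dst_ip, protocol, port=None):
    """True if one egress rule applies to a packet (dst_ip, protocol, port)."""
    cidr = rule.get("to", {}).get("cidrSelector")
    if cidr is None:
        return False  # dnsName / nodeSelector targets are not modelled here
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(cidr, strict=False):
        return False
    ports = rule.get("ports")
    if not ports:
        return True  # no port restriction: every protocol to this CIDR matches
    # A ports entry can only name TCP, UDP or SCTP. ICMP carries no port, so it
    # never matches a ports-restricted rule and falls through to later rules.
    return any(p["protocol"].upper() == protocol.upper() and p["port"] == port
               for p in ports)


def evaluate(rules, dst_ip, protocol, port=None):
    """Return 'Allow' or 'Deny' for one packet under an ordered rule list."""
    for rule in rules:
        if rule_matches(rule, dst_ip, protocol, port):
            return rule["type"]
    return "Allow"  # EgressFirewall allows traffic that no rule matches


def extra_exposure(broad, narrow, probes):
    """Probes that `broad` allows but `narrow` denies: the over-permission a
    customer takes on by allowing the whole host instead of specific protocols."""
    return [p for p in probes
            if evaluate(broad, *p) == "Allow" and evaluate(narrow, *p) == "Deny"]


# Constructed sample packets: (dst_ip, protocol, port)
PROBES = [
    ("1.2.3.4", "TCP", 22),
    ("1.2.3.4", "ICMP", None),
    ("1.2.3.4", "TCP", 443),
    ("1.2.3.4", "UDP", 53),
    ("5.6.7.8", "ICMP", None),
]

if __name__ == "__main__":
    for name, policy in (("deny-all", DENY_ALL), ("ssh-only", SSH_ONLY),
                         ("whole-host", WHOLE_HOST)):
        for probe in PROBES:
            print(f"{name:10} {probe}: {evaluate(policy, *probe)}")
    print("whole-host allows but ssh-only denies:",
          extra_exposure(WHOLE_HOST, SSH_ONLY, PROBES))
```

Running it shows the gap the request is about: under `SSH_ONLY` the ICMP probe to 1.2.3.4 is denied because no ports-restricted rule can ever match it, while `WHOLE_HOST` admits ICMP only by also admitting TCP/443, UDP/53 and everything else to that host. The `extra_exposure` delta is exactly what an ICMP-capable rule would remove.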
4. List any affected packages or components.
OVN-Kubernetes
EgressFirewall
relates to: RFE-6896 ICMP Support in MultiNetworkPolicy
Backlog