
yahoo-eng-team team mailing list archive

[Bug 1473965] Re: sg rules with port-range-min 0 are not processed correctly

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

** Changed in: neutron
    Milestone: None => liberty-2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1473965

Title:
  sg rules with port-range-min 0 are not processed correctly

Status in neutron:
  Fix Released

Bug description:
  The original bug report pointed out that port-range-min 0 is not processed correctly
  and the bug reporter reports port-range-min 0 should not be allowed (as described below).
  Through the discussion in this bug report, our consensus is:
  - We don't change the security group API. This means port-range-min 0 is kept valid.
  - port-range-min 0 is not processed correctly in the security group RPC module.
    When port-range-min is 0, remote_ip_prefix is not populated in RPC messages to L2 agents.
  - We also need to update the iptables firewall driver in the L2 agent to handle port-range-min 0 appropriately.

  ---

  For the TCP or UDP protocol, 0 is a reserved port, but for a neutron
  security group rule with the TCP protocol, if its port-range-min is 0,
  the port-range-max will be invalid, because port-range-min being 0
  means that it allows all packets to pass. So I think it should not
  create a rule with port-range-min being 0; if a user wants to allow
  all TCP/UDP packets to pass, he can create a security group rule with
  port-range-min and port-range-max being None.

  Reproduce steps:
  1. Create a sg rule with TCP/UDP, port-range-min=0, port-range-max=100.
  2. We can find the iptables rules as below:

  ....
  ....

  -A neutron-openvswi-ie4c5bfaa-7 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
  -A neutron-openvswi-ie4c5bfaa-7 -m set --match-set NIPv475f523b5-5744-4961-a851- src -j RETURN
  -A neutron-openvswi-ie4c5bfaa-7 -p tcp -m tcp  -j RETURN

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1473965/+subscriptions
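
The failure mode in this report, as an added example that is not Neutron's code or part of the original message: it assumes the port bound is tested for truthiness, so 0 is handled like an unset value and the rendered rule loses its port match. All function names and the multiport rendering are hypothetical; the chain name is the one shown in the report.

```python
# Added illustration; names are hypothetical, not Neutron's API.
CHAIN = "neutron-openvswi-ie4c5bfaa-7"  # chain name taken from the report


def dport_args(port_min, port_max):
    """Render the destination-port match for a known lower bound."""
    if port_max is None or port_min == port_max:
        return ["--dport", str(port_min)]
    return ["-m", "multiport", "--dports", f"{port_min}:{port_max}"]


def port_args_buggy(protocol, port_min, port_max):
    """Assumed bug: truthiness test, so port_min == 0 looks like 'unset'."""
    if protocol not in ("tcp", "udp") or not port_min:
        return []
    return dport_args(port_min, port_max)


def port_args_fixed(protocol, port_min, port_max):
    """Only None means 'no port range'; 0 stays a valid lower bound."""
    if protocol not in ("tcp", "udp") or port_min is None:
        return []
    return dport_args(port_min, port_max)


def build_rule(protocol, port_min, port_max, port_args):
    """Assemble one ingress ACCEPT-style rule line for the chain."""
    parts = ["-A", CHAIN, "-p", protocol, "-m", protocol]
    parts += port_args(protocol, port_min, port_max)
    parts += ["-j", "RETURN"]
    return " ".join(parts)


def lost_port_match(port_min, rule_line):
    """Audit check: a rule with a port bound must render a port match."""
    return port_min is not None and "--dport" not in rule_line


if __name__ == "__main__":
    # Constructed input matching the reproduce steps: tcp, min=0, max=100.
    for fn in (port_args_buggy, port_args_fixed):
        line = build_rule("tcp", 0, 100, fn)
        print(fn.__name__, "->", line, "| lost match:", lost_port_match(0, line))
```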

