yahoo-eng-team team mailing list archive
Message #36085
[Bug 1473965] Re: sg rules with port-range-min 0 are not processed correctly
** Changed in: neutron
Status: Fix Committed => Fix Released
** Changed in: neutron
Milestone: None => liberty-2
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1473965
Title:
sg rules with port-range-min 0 are not processed correctly
Status in neutron:
Fix Released
Bug description:
The original bug report pointed out that port-range-min 0 is not processed correctly,
and the bug reporter reports that port-range-min 0 should not be allowed (as described below).
Through the discussion in this bug report, our consensus is:
- We don't change the security group API. This means port-range-min 0 is kept valid.
- port-range-min 0 is not processed correctly in the security group RPC module.
  When port-range-min is 0, remote_ip_prefix is not populated in RPC messages to L2 agents.
- We also need to update the iptables firewall driver in the L2 agent to handle port-range-min 0 appropriately.
---
For the TCP or UDP protocol, 0 is a reserved port, but for a neutron
security group rule, if a rule uses the TCP protocol and its
port-range-min is 0, the port-range-max will be invalid, because
port-range-min being 0 means that it allows all packets to pass. So I
think it should not create a rule with port-range-min being 0; if a user
wants to allow all TCP/UDP packets to pass, he can create a security
group rule with port-range-min and port-range-max being None.
Steps to reproduce:
1. Create a sg rule with TCP/UDP, port-range-min=0, port-range-max=100.
2. We can find the iptables rules as below:
....
....
-A neutron-openvswi-ie4c5bfaa-7 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ie4c5bfaa-7 -m set --match-set NIPv475f523b5-5744-4961-a851- src -j RETURN
-A neutron-openvswi-ie4c5bfaa-7 -p tcp -m tcp -j RETURN
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1473965/+subscriptions
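
The iptables output in the report shows the port range dropped, leaving `-p tcp -m tcp -j RETURN` for a rule that asked for ports 0 to 100. The sketch below is an added example, not neutron's code or part of the original report: it assumes the omission comes from a truthiness test on the port value, and the function names and sample rules are constructed.

```python
# Added illustration. Function names and sample rules are constructed;
# this is not neutron's code.

def _fmt(port_min, port_max):
    """Render a single port or a min:max range for iptables --dport."""
    if port_max is None or port_max == port_min:
        return str(port_min)
    return f"{port_min}:{port_max}"


def port_args_truthy(protocol, port_min, port_max):
    """Flawed form: 'if port_min' treats 0 the same as an unset port."""
    args = ["-p", protocol, "-m", protocol]
    if port_min:  # 0 is falsy, so the --dport match is silently skipped
        args += ["--dport", _fmt(port_min, port_max)]
    return args + ["-j", "RETURN"]


def port_args_explicit(protocol, port_min, port_max):
    """Corrected form: only None means 'no port restriction'."""
    args = ["-p", protocol, "-m", protocol]
    if port_min is not None:
        args += ["--dport", _fmt(port_min, port_max)]
    return args + ["-j", "RETURN"]


def widened_rules(rules):
    """Return rules that set a port range but render without a port match."""
    hits = []
    for r in rules:
        rendered = port_args_truthy(
            r["protocol"], r["port_range_min"], r["port_range_max"])
        if r["port_range_min"] is not None and "--dport" not in rendered:
            hits.append(r)
    return hits


# Constructed sample rules, shaped like the security group rule in the report.
SAMPLE_RULES = [
    {"protocol": "tcp", "port_range_min": 0, "port_range_max": 100},
    {"protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
    {"protocol": "udp", "port_range_min": None, "port_range_max": None},
]

if __name__ == "__main__":
    for rule in widened_rules(SAMPLE_RULES):
        print("rendered without port match:", rule)
    print(" ".join(port_args_explicit("tcp", 0, 100)))
```

The same comparison (a rule that specifies ports against a rendered line with no port match) can be used to audit existing firewall chains for rules that are broader than their security group definition.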