
yahoo-eng-team team mailing list archive

[Bug 1702242] [NEW] Convert conntrack command properly when firewall rule has port range


Public bug reported:

Current code only converts the conntrack command from a firewall rule properly
if the firewall rule contains only a single port, like:

`neutron firewall-rule-create --protocol tcp --action allow --ip-version
4 --destination-port 8777 --enabled True`

However, if the rule contains a port range, which is possible when
creating a firewall rule like this:

`neutron firewall-rule-create --protocol tcp --action allow --ip-version
4 --destination-port 8778:9000 --enabled True`

The conntrack command would look like:

['ip', 'netns', 'exec', 'qrouter-7bab1e53-0330-41af-8e98-b925d1a76984',
'conntrack', '-D', '-p', 'tcp', '-f', 'ipv4', '--dport', '8778:9000']

Conntrack-tools does not understand the option `--dport 8778:9000`; it
instead applies the above command to port 8778 only, which is not expected.

This patch set fixes that issue by following the same method as in the
netlink implementation [1].

[1] https://review.openstack.org/#/c/438445/

** Affects: neutron
     Importance: Undecided
     Assignee: Vu Cong Tuan (tuan.vu)
         Status: In Progress


** Tags: fwaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1702242

Title:
  Convert conntrack command properly when firewall rule has port range

Status in neutron:
  In Progress


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1702242/+subscriptions
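The following is an added example, not neutron's own code or the fix referenced in [1]: it shows the command shape the report describes as wrong (one `conntrack -D` with `--dport 8778:9000`, which conntrack(8) applies to port 8778 only) beside one correct way to handle it, expanding the range into one deletion command per port so every tracked flow matching the rule is actually flushed. The rule dictionary keys (`protocol`, `ip_version`, `source_port`, `destination_port`) and the namespace value are assumptions mirroring the CLI options quoted in the report; the per-port expansion is one approach and is not claimed to be the one the referenced patch uses.

```python
# Added example (not neutron's own code). Expands a firewall rule that
# carries a port range into one conntrack deletion command per port,
# because conntrack(8) does not accept a 'lo:hi' range for --dport/--sport.

# Constructed sample namespace, copied from the command in the bug report.
NAMESPACE = "qrouter-7bab1e53-0330-41af-8e98-b925d1a76984"


def _expand_port(port):
    """Return the individual ports for '8777' or '8778:9000'.

    Raises ValueError on malformed input so a bad rule never silently
    flushes the wrong connections (the failure mode the report describes).
    """
    if port is None:
        return [None]
    text = str(port)
    if ":" in text:
        lo, hi = (int(p) for p in text.split(":", 1))
        if not (0 < lo <= hi <= 65535):
            raise ValueError("bad port range: %s" % text)
        return list(range(lo, hi + 1))
    value = int(text)
    if not 0 < value <= 65535:
        raise ValueError("bad port: %s" % text)
    return [value]


def _base_command(rule, namespace):
    return ["ip", "netns", "exec", namespace, "conntrack", "-D",
            "-p", rule["protocol"], "-f", "ipv%d" % rule["ip_version"]]


def naive_conntrack_delete_command(rule, namespace=NAMESPACE):
    """The shape the report calls wrong: the port string is passed through,
    so a range such as '8778:9000' reaches conntrack unchanged."""
    cmd = _base_command(rule, namespace)
    if rule.get("source_port") is not None:
        cmd += ["--sport", str(rule["source_port"])]
    if rule.get("destination_port") is not None:
        cmd += ["--dport", str(rule["destination_port"])]
    return cmd


def conntrack_delete_commands(rule, namespace=NAMESPACE):
    """Build one conntrack -D command per (source, destination) port pair.

    A rule with a range on both sides expands to the product of the two
    ranges; that is the cost of being correct with a tool that only takes
    single ports, and is why the caller should validate rule sizes.
    """
    commands = []
    for sport in _expand_port(rule.get("source_port")):
        for dport in _expand_port(rule.get("destination_port")):
            cmd = _base_command(rule, namespace)
            if sport is not None:
                cmd += ["--sport", str(sport)]
            if dport is not None:
                cmd += ["--dport", str(dport)]
            commands.append(cmd)
    return commands


if __name__ == "__main__":
    # Constructed rules matching the two CLI invocations in the report.
    single = {"protocol": "tcp", "ip_version": 4, "destination_port": "8777"}
    ranged = {"protocol": "tcp", "ip_version": 4,
              "destination_port": "8778:9000"}
    print(" ".join(naive_conntrack_delete_command(ranged)))   # wrong form
    for cmd in conntrack_delete_commands(single):
        print(" ".join(cmd))
    print(len(conntrack_delete_commands(ranged)), "commands for the range")
```

Run stand-alone it prints the unexpanded (wrong) command once, the single-port command, and the number of per-port commands the range produces. Nothing here executes `ip` or `conntrack`; the lists are what a caller would hand to a subprocess runner inside the router namespace.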
