
yahoo-eng-team team mailing list archive

[Bug 1702242] Re: Convert conntrack command properly when firewall rule has port range


Reviewed:  https://review.openstack.org/443385
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=f589293aeca733501fa7cab0268dd8440e19ebf5
Submitter: Jenkins
Branch:    master

commit f589293aeca733501fa7cab0268dd8440e19ebf5
Author: Cuong Nguyen <cuongnv@xxxxxxxxxxxxxx>
Date:   Thu Mar 9 09:14:14 2017 +0700

    FW rule applied incorrectly if port specified is a range
    
    When creating a firewall rule with the port specified as a range of values,
    e.g. [1], the conntrack command for deleting current conntrack entries is
    applied to the first number in the range, e.g. port #8778 in [1],
    instead of the range of ports 8778:9000.
    
    This incorrect behavior occurs because conntrack-tools
    does not understand the port as a range of values.
    This patch set fixes that issue by following the same method as done
    in the netlink implementation in [2].
    
    [1] "neutron firewall-rule-create --protocol tcp --action allow
    --ip-version 4 --destination-port 8778:9000 --enabled True"
    [2] https://review.openstack.org/#/c/438445/
    
    Closes-Bug: #1702242
    Co-Authored-By: Vu Cong Tuan <tuanvc@xxxxxxxxxxxxxx>
    Change-Id: Ib17db09069a07f35109357d20b67b1acfa85c1a4


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1702242

Title:
  Convert conntrack command properly when firewall rule has port range

Status in neutron:
  Fix Released

Bug description:
  Current code only converts the conntrack command from a firewall rule properly
  if the firewall rule contains only a single port, like:

  `neutron firewall-rule-create --protocol tcp --action allow --ip-version
  4 --destination-port 8777 --enabled True`

  However, if the rule contains a port range, which is possible when
  creating a firewall rule like this:

  `neutron firewall-rule-create --protocol tcp --action allow --ip-version
  4 --destination-port 8778:9000 --enabled True`

  The conntrack command would look like:

  ['ip', 'netns', 'exec', 'qrouter-7bab1e53-0330-41af-8e98-b925d1a76984',
  'conntrack', '-D', '-p', 'tcp', '-f', 'ipv4', '--dport', '8778:9000']

  Conntrack-tools does not understand the option `--dport 8778:9000`; it
  instead applies the above command to port 8778 only, which is not expected.

  This patch set fixes that issue by following the same method as in the
  netlink implementation [1].

  [1] https://review.openstack.org/#/c/438445/

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1702242/+subscriptions
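The failure mode described in the bug (a `--dport 8778:9000` argument that conntrack-tools silently reads as port 8778) can be reproduced and checked without touching a real router namespace by building the argv lists and inspecting them. The following is an added example, not code from the neutron-fwaas commit above or from the netlink implementation it references. It assumes that the correct handling is to expand a range into one `conntrack -D` invocation per port (an assumption about the fix, not something the notification states); the rule dict, the `parse_port_range`, `buggy_conntrack_cmd` and `fixed_conntrack_cmds` names, and the use of the `qrouter-...` namespace from the bug text are all constructed for illustration.

```python
import re

# Constructed sample rule, modelled on the second CLI example in the bug
# report (tcp, IPv4, destination port range 8778:9000). Not a neutron object.
SAMPLE_RULE = {
    "protocol": "tcp",
    "ip_version": 4,
    "destination_port": "8778:9000",
    "source_port": None,
}

# Namespace name taken from the command shown in the bug description.
SAMPLE_NAMESPACE = "qrouter-7bab1e53-0330-41af-8e98-b925d1a76984"

# Accepts "8777" or "8778:9000"; anything else is rejected before it reaches
# a shell-free subprocess call.
_PORT_RE = re.compile(r"^(\d+)(?::(\d+))?$")


def parse_port_range(spec):
    """Return (low, high) for a single port or a low:high range."""
    match = _PORT_RE.match(str(spec))
    if not match:
        raise ValueError("malformed port spec: %r" % (spec,))
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    if not (0 < low <= high <= 65535):
        raise ValueError("port range out of order or out of bounds: %r" % (spec,))
    return low, high


def _base_cmd(namespace, rule):
    """Common prefix: optional netns wrapper, then conntrack -D -p <proto> -f ipvN."""
    prefix = ["ip", "netns", "exec", namespace] if namespace else []
    cmd = ["conntrack", "-D"]
    if rule.get("protocol"):
        cmd += ["-p", rule["protocol"]]
    cmd += ["-f", "ipv%d" % int(rule.get("ip_version", 4))]
    return prefix + cmd


def buggy_conntrack_cmd(namespace, rule):
    """Pre-fix shape (hypothetical reconstruction): the raw range string is
    handed to --dport, which conntrack-tools treats as the single port 8778."""
    cmd = _base_cmd(namespace, rule)
    if rule.get("destination_port"):
        cmd += ["--dport", str(rule["destination_port"])]
    if rule.get("source_port"):
        cmd += ["--sport", str(rule["source_port"])]
    return cmd


def fixed_conntrack_cmds(namespace, rule):
    """Assumed fix: expand each range so every port gets its own -D command,
    so existing conntrack entries across the whole range are flushed."""
    base = _base_cmd(namespace, rule)

    def expand(key):
        spec = rule.get(key)
        if not spec:
            return [None]
        low, high = parse_port_range(spec)
        return [str(port) for port in range(low, high + 1)]

    cmds = []
    for sport in expand("source_port"):
        for dport in expand("destination_port"):
            cmd = list(base)
            if sport:
                cmd += ["--sport", sport]
            if dport:
                cmd += ["--dport", dport]
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    print("buggy:", " ".join(buggy_conntrack_cmd(SAMPLE_NAMESPACE, SAMPLE_RULE)))
    fixed = fixed_conntrack_cmds(SAMPLE_NAMESPACE, SAMPLE_RULE)
    print("fixed: %d commands, first --dport %s, last --dport %s"
          % (len(fixed), fixed[0][-1], fixed[-1][-1]))
```

Two things worth noting when adapting this: the number of `conntrack` invocations grows with the width of the range (8778:9000 yields 223 of them), so wide ranges are noticeably slower to flush this way than through a netlink-based driver; and because the port spec is validated with a strict pattern and passed as a separate argv element, a malformed rule value fails loudly rather than being interpreted by a shell.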

