yahoo-eng-team team mailing list archive

[Bug 1848213] [NEW] Do not pass port-range to backend if all ports specified in security group rule

 

Public bug reported:

If a user creates a security group rule specifying all the ports, like
above:

openstack security group rule create --protocol udp --ingress --dst-port 1:65535 47420676-21d8-4d82-b43c-73e100c5b397

the rule shouldn't be passed with ranges to the neutron ml2 backend. For
some backends, like OVN, this leads to non-optimal flow creation.

We have potentially two ways to solve this:
1) Do not accept this kind of request (HTTP 400)
2) Modify the rule on the fly somewhere around _validate_port_range() in ./neutron/db/securitygroups_db.py to drop the max and min ports, and accept all traffic for the given protocol.

** Affects: neutron
     Importance: Undecided
     Assignee: Maciej Jozefczyk (maciej.jozefczyk)
         Status: New

** Description changed:

- If user creates a security group rule specyfing all the ports, like
+ If user creates a security group rule specifying all the ports, like
  above:
  
  openstack security group rule create --protocol udp --ingress --dst-port
  1:65535 47420676-21d8-4d82-b43c-73e100c5b397
  
  the rule shouldn't be passed with ranges to the neutron ml2 backend. For
  some backends, like OVN, this leads to not optimal flows creation.
  
  We have potentially two ways to solve this:
  1) Do not accept such kind of requests (HTTP 400)
  2) Modify the rule in-fly somewhere around _validate_port_range() in ./neutron/db/securitygroups_db.py to drop max and min ports, and accept all traffic for given protocol.

** Changed in: neutron
     Assignee: (unassigned) => Maciej Jozefczyk (maciej.jozefczyk)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1848213
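
The two options proposed in the bug description, sketched as an added example (this is not Neutron's code and not the fix that was merged). The function name, exception class and sample rules are hypothetical; only the field names port_range_min, port_range_max and protocol follow the security group rule API.

```python
# Added illustration, not Neutron's code. All names here are hypothetical.
PORT_PROTOCOLS = {"tcp", "udp", "6", "17"}  # range fields are L4 ports
FULL_RANGE = (1, 65535)


class FullRangeRejected(ValueError):
    """Option 1: the API layer would map this to HTTP 400."""


def normalize_port_range(rule, reject=False):
    """Return a copy of rule with a 1:65535 port range handled.

    reject=False (option 2): drop min/max so the backend sees a
    protocol-only rule. reject=True (option 1): refuse the request.
    """
    out = dict(rule)
    proto = str(out.get("protocol") or "").lower()
    bounds = (out.get("port_range_min"), out.get("port_range_max"))
    # For ICMP these two fields carry type/code, not ports, so only
    # port-based protocols are rewritten.
    if proto not in PORT_PROTOCOLS or bounds != FULL_RANGE:
        return out
    if reject:
        raise FullRangeRejected("use a protocol-only rule instead of 1:65535")
    # Note: a rule without a range also matches port 0, which 1:65535 did not.
    out["port_range_min"] = out["port_range_max"] = None
    return out


# Constructed sample rules (not taken from a real deployment).
SAMPLES = [
    {"protocol": "udp", "port_range_min": 1, "port_range_max": 65535},
    {"protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
    {"protocol": "icmp", "port_range_min": 8, "port_range_max": 0},
    {"protocol": 17, "port_range_min": 1, "port_range_max": 65535},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", normalize_port_range(sample))
```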
