yahoo-eng-team team mailing list archive

[Bug 1848213] Re: Do not pass port-range to backend if all ports specified in security group rule

 

Reviewed:  https://review.opendev.org/689050
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=26b8026cee1b83923744f1ca486a94d513f65964
Submitter: Zuul
Branch:    master

commit 26b8026cee1b83923744f1ca486a94d513f65964
Author: Brian Haley <bhaley@xxxxxxxxxx>
Date:   Wed Oct 16 17:30:08 2019 -0400

    Update security group rule if port range is all ports
    
    A security group rule where port_range_min:port_range_max
    is 1:65535 is specifying all ports, but it is not optimal
    for backends to try and implement this potentially large
    rule.
    
    Since it is essentially the entire port range, change
    min:max to be None, making the rule specify the entire
    protocol instead.
    
    Change-Id: Iff22e2fc84d679e20a5a04b8516750c6ea949078
    Closes-bug: #1848213


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1848213

Title:
  Do not pass port-range to backend if all ports specified in security
  group rule

Status in neutron:
  Fix Released

Bug description:
  If a user creates a security group rule specifying all the ports, like
  above:

  openstack security group rule create --protocol udp --ingress --dst-port 1:65535 47420676-21d8-4d82-b43c-73e100c5b397

  the rule shouldn't be passed with ranges to the neutron ml2 backend.
  For some backends, like OVN, this leads to non-optimal flow creation.

  We have potentially two ways to solve this:
  1) Do not accept this kind of request (HTTP 400)
  2) Modify the rule on the fly somewhere around _validate_port_range() in ./neutron/db/securitygroups_db.py to drop max and min ports, and accept all traffic for the given protocol.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1848213/+subscriptions
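
The normalization the commit message describes, as an added example that is not Neutron's code and not part of the original notification: a 1:65535 range is rewritten to None:None, and the same check is reused to flag rules that effectively open a whole protocol. The function names, the PORT_PROTOCOLS set and the sample rules are assumptions made for this sketch; protocols are handled by name only.

```python
# Added illustration; not Neutron's code. All names here are hypothetical.
PORT_MIN, PORT_MAX = 1, 65535

# Assumption: only these protocols carry L4 ports in port_range_min/max.
# For ICMP the same two fields hold type/code and must be left alone.
PORT_PROTOCOLS = {"tcp", "udp", "sctp", "dccp", "udplite"}


def canonicalize_port_range(rule):
    """Return a copy of `rule` with a 1:65535 range rewritten to None:None."""
    out = dict(rule)  # never mutate the caller's rule
    proto = str(out.get("protocol") or "").lower()
    lo, hi = out.get("port_range_min"), out.get("port_range_max")
    if proto not in PORT_PROTOCOLS or (lo is None and hi is None):
        return out
    if lo is None or hi is None:
        raise ValueError("port_range_min and port_range_max must be set together")
    if not PORT_MIN <= lo <= hi <= PORT_MAX:
        raise ValueError(f"invalid port range {lo}:{hi}")
    if (lo, hi) == (PORT_MIN, PORT_MAX):
        out["port_range_min"] = out["port_range_max"] = None
    return out


def whole_protocol_rules(rules):
    """Audit helper: rules that, once canonical, match every port of a protocol."""
    flagged = []
    for rule in map(canonicalize_port_range, rules):
        proto = str(rule.get("protocol") or "").lower()
        if proto in PORT_PROTOCOLS and rule.get("port_range_min") is None:
            flagged.append(rule)
    return flagged


# Constructed sample rules; the first mirrors the command in the bug report.
SAMPLE_RULES = [
    {"direction": "ingress", "protocol": "udp", "port_range_min": 1, "port_range_max": 65535},
    {"direction": "ingress", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
    {"direction": "ingress", "protocol": "icmp", "port_range_min": 8, "port_range_max": 0},
    {"direction": "ingress", "protocol": "tcp", "port_range_min": None, "port_range_max": None},
]

if __name__ == "__main__":
    for r in whole_protocol_rules(SAMPLE_RULES):
        print(r["direction"], r["protocol"], "all ports")
```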
