yahoo-eng-team team mailing list archive

[Bug 1869121] Re: [FWaaS] Can't add rule with destination_port large than source_port

 

Reviewed:  https://review.opendev.org/c/openstack/neutron-fwaas/+/715117
Committed: https://opendev.org/openstack/neutron-fwaas/commit/147116b7b1ce20d3db9162702364028d3227de45
Submitter: "Zuul (22348)"
Branch:    master

commit 147116b7b1ce20d3db9162702364028d3227de45
Author: Nguyen Thanh Cong <ntcong1705@xxxxxxxxx>
Date:   Thu Mar 26 10:35:19 2020 +0700

    Fix error when applying rule with dst port larger than src port
    
    When applying a firewall group to a port with a rule whose dest port is
    larger than the source port, neutron-openvswitch-agent raises the error
    'port_max' is smaller than 'port_min'. This is because key
    'port_range_max' is assigned by source_port_range_max. Fix hard-coded
    'port_range_max' to key_max.
    
    Change-Id: I32d9efd857932547a13d275b8a4f294e03fe7535
    Closes-Bug: #1869121


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1869121

Title:
  [FWaaS] Can't add rule with destination_port large than source_port

Status in neutron:
  Fix Released

Bug description:
  When I create a rule with destination port larger than source_port and
  apply it to a port, neutron-openvswitch-agent gets an error.

  Reproduce:
  1. Create Rule with destination port > source_port
  openstack firewall group rule create --protocol tcp --action allow --source-ip-address 192.168.58.139 --destination-ip-address 192.168.57.108 --source-port 5000 --destination-port 5500  --name test2

  2. Apply it to firewall group policy
  openstack firewall group policy set --firewall-rule test2 fw-gr-policy-test

  3. Apply firewall group policy to firewall group (ingress or egress 
  same)
  openstack firewall group set --ingress-firewall-policy fw-gr-policy-test fw-gr-test

  4. Apply fw group to a port
  openstack firewall group set --port port-test fw-gr-test

  5. Check the neutron-openvswitch-agent log on the node where the port resides

  
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [req-86194ab1-4f71-4c5d-9c2c-bbb9d92599d8 - - - - -] Error while process[3015/90399]s: ValueError: 'port_max' is smaller than 'port_min'
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python3/dist-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 2545, in rpc_loop
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     port_info, provisioning_needed)
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python3/dist-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 1998, in process_network_ports
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     devices_added_updated, provisioning_needed))
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python3/dist-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 1885, in treat_devices_added_or_updated
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.ext_manager.handle_port(self.context, details)
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python3/dist-packages/neutron/agent/l2/l2_agent_extensions_manager.py", line 42, in handle_port
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     extension.obj.handle_port(context, data)
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python3/dist-packages/oslo_concurrency/lockutils.py", line 328, in inner
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     return f(*args, **kwargs)
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/l2/fwaas_v2.py", line 361, in handle_port
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     ret = self._apply_fwg_rules(fwg, [port])
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/l2/fwaas_v2.py", line 218, in _apply_fwg_rules
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.driver.update_firewall_group(ports_for_driver, fwg)
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py", line 1016, in update_firewall_group
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.create_firewall_group(ports_for_fwg, firewall_group)
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py", line 1013, in create_firewall_group
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.update_port_filter(port)
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py", line 396, in update_port_filter
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.add_flows_from_rules(of_port)
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py", line 924, in add_flows_from_rules
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     flows = rules.create_flows_from_rule_and_port(rule, port)
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/rules.py", line 80, in create_flows_from_rule_and_port
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     flows = create_protocol_flows(direction, flow_template, port, rule)
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/rules.py", line 113, in create_protocol_flows
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     flows = create_port_range_flows(flow_template, rule)
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/rules.py", line 140, in create_port_range_flows
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     dst_port_range = utils.port_rule_masking(dst_port_min, dst_port_max)
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python3/dist-packages/neutron/common/utils.py", line 568, in port_rule_masking
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     raise ValueError(_("'port_max' is smaller than 'port_min'"))
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent ValueError: 'port_max' is smaller than 'port_min'
  2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1869121/+subscriptions
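
Added example (not part of the original notification and not the neutron-fwaas source): a minimal sketch of the key mix-up the commit message describes, run on the ports from the reproduce steps, together with a range check that flags the resulting rule before it reaches the flow builder. The function names, the "min:max" input format and the destination-before-source processing order are assumptions; the key names follow the 'port_range_max' / source_port_range_max pattern quoted in the message.

```python
# Added illustration; function names and input format are hypothetical.

def parse_port(value):
    """Parse "5500" or "5000:5500" (constructed input format) into (min, max)."""
    low, _, high = str(value).partition(":")
    return int(low), int(high or low)


def translate(rule, fixed):
    """Build the driver-side dict from an API-style rule.

    Destination is handled before source here (an assumption) so the
    overwrite described in the commit message is visible.
    """
    out = {}
    for api_key, prefix in (("destination_port", ""), ("source_port", "source_")):
        if rule.get(api_key) is None:
            continue
        key_min = prefix + "port_range_min"
        key_max = prefix + "port_range_max"
        low, high = parse_port(rule[api_key])
        out[key_min] = low
        # Before the fix the max was always stored under the literal
        # 'port_range_max'; after the fix it is stored under key_max.
        out[key_max if fixed else "port_range_max"] = high
    return out


def range_errors(driver_rule):
    """Return the ranges that are incomplete (only one bound) or inverted."""
    bad = []
    for prefix in ("", "source_"):
        low = driver_rule.get(prefix + "port_range_min")
        high = driver_rule.get(prefix + "port_range_max")
        if (low is None) != (high is None) or (low is not None and high < low):
            bad.append(prefix + "port_range")
    return bad


# Constructed from the reproduce step: --source-port 5000 --destination-port 5500
RULE = {"protocol": "tcp", "source_port": "5000", "destination_port": "5500"}

if __name__ == "__main__":
    for fixed in (False, True):
        converted = translate(RULE, fixed)
        print("fixed" if fixed else "buggy", converted, range_errors(converted))
```

With the hard-coded key, the source maximum (5000) lands in the destination range whose minimum is 5500, which is the inverted range the agent rejected with 'port_max' is smaller than 'port_min'.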


