port range gets misused for ICMP/ICMPv6 in acl_protocol_and_ports
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
networking-ovn | Fix Released | Undecided | ZongKai LI | |
Bug Description
For ICMP or ICMPv6, creating security group rules with --port-range-min MIN and --port-range-max MAX will give rules with a certain type and code for ICMP or ICMPv6.
e.g.
>> neutron security-
>> neutron security-
>> neutron security-
>> neutron security-
+------
| id | security_group | direction | ethertype | port/protocol | remote |
+------
| 0ca96cf1-
| 10b05122-
| eccffca3-
...
(the output result of command "security-
Current code in acl_protocol_
- "icmp4 && icmp4.type == 1",
- "icmp6 && icmp6.type >= 128",
- "icmp6 && icmp6.type >= 138 && icmp6.type <= 1".
Later, on the ovn-controller side, lflows that have matches like the above will cause errors such as:
- Only == and != operators may be used with nominal field icmp6.type.
- Only == and != operators may be used with nominal field icmp4.type.
The error message may confuse people, who may try to consider using "icmp4.type = {...types...}". But indeed, in acl_protocol_
Changed in networking-ovn:
assignee: nobody → ZongKai LI (lzklibj)
Changed in networking-ovn:
status: New → In Progress
Reviewed: https://review.openstack.org/325733
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=80745bc1c5c1fc78172a853a6370661261f8cf23
Submitter: Jenkins
Branch: master
commit 80745bc1c5c1fc78172a853a6370661261f8cf23
Author: lzklibj <email address hidden>
Date: Mon Jun 6 13:58:22 2016 +0800
Fix port range for icmp type
In the acl_protocol_and_ports method, it's using
"ICMPX.type >= Type-code" and "ICMPX.type <= Type-code", where ICMPX
could be "icmp4" or "icmp6".
But for ICMP or ICMPv6, port_range_min/max in acl_protocol_and_ports
should be considered as icmp.type and icmp.code.
This patch tries to fix that.
Closes-Bug: #1589807
Change-Id: I634095ad3a6cf1c723767ff7ea2814f692e0931e
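
The behaviour described in this bug and its fix, as an added Python sketch (not networking-ovn's code): the range-style builder reproduces the three matches quoted in the bug description, the type/code builder reads port_range_min as the ICMP type and port_range_max as the ICMP code, and a small check flags the relational operators that ovn-controller rejects on nominal fields. All function names and the sample rules are hypothetical and constructed for illustration.

```python
import re

# Added example; names below are hypothetical, not networking-ovn's.
# Relational operators on icmp4/icmp6 type or code: ovn-controller rejects
# these ("Only == and != operators may be used with nominal field ...").
_RELATIONAL = re.compile(r"\b(icmp[46]\.(?:type|code))\s*(<=|>=|<|>)")

def range_style_match(rule, icmp):
    """Pre-fix behaviour as described in the bug: min/max treated as a range."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    match = icmp
    if lo is not None and lo == hi:
        match += " && %s.type == %d" % (icmp, lo)
    else:
        if lo is not None:
            match += " && %s.type >= %d" % (icmp, lo)
        if hi is not None:
            match += " && %s.type <= %d" % (icmp, hi)
    return match

def type_code_match(rule, icmp):
    """Post-fix reading: port_range_min is the type, port_range_max the code."""
    icmp_type, icmp_code = rule.get("port_range_min"), rule.get("port_range_max")
    match = icmp
    if icmp_type is not None:
        match += " && %s.type == %d" % (icmp, icmp_type)
    if icmp_code is not None:
        match += " && %s.code == %d" % (icmp, icmp_code)
    return match

def nominal_field_violations(match):
    """Return (field, operator) pairs that ovn-controller would reject."""
    return _RELATIONAL.findall(match)

# Constructed rules chosen to reproduce the three matches quoted in the bug.
RULES = [
    ({"port_range_min": 1, "port_range_max": 1}, "icmp4"),
    ({"port_range_min": 128, "port_range_max": None}, "icmp6"),
    ({"port_range_min": 138, "port_range_max": 1}, "icmp6"),
]

if __name__ == "__main__":
    for rule, icmp in RULES:
        for build in (range_style_match, type_code_match):
            m = build(rule, icmp)
            print(build.__name__, "|", m, "|", nominal_field_violations(m) or "ok")
```

Running a check like `nominal_field_violations` over generated ACL matches before they are written out catches a rule that would otherwise fail to install on the ovn-controller side.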