port range gets misused for ICMP/ICMPv6 in acl_protocol_and_ports

Bug #1589807 reported by ZongKai LI
Affects: networking-ovn
Status: Fix Released
Importance: Undecided
Assigned to: ZongKai LI

Bug Description

For ICMP or ICMPv6, creating security group rules with --port-range-min MIN and --port-range-max MAX will produce rules with a certain type and code for ICMP or ICMPv6.
e.g.
>> neutron security-group-rule-create SG --protocol icmp --ethertype ipv6 --port-range-min 128 --port-range-max 0
>> neutron security-group-rule-create SG --protocol icmp --ethertype ipv6 --port-range-min 138 --port-range-max 1
>> neutron security-group-rule-create SG --protocol icmp --ethertype ipv4 --port-range-min 1 --port-range-max 1
>> neutron security-group-rule-list
+--------------------------------------+----------------+-----------+-----------+-------------------------+-----------------+
| id | security_group | direction | ethertype | port/protocol | remote |
+--------------------------------------+----------------+-----------+-----------+-------------------------+-----------------+
| 0ca96cf1-302a-461a-8dfd-94e7704d8439 | default | ingress | IPv4 | icmp (type:1, code:1) | any |
| 10b05122-b8c4-4d3a-b962-8a275bdca14f | default | ingress | IPv6 | icmp (type:138, code:1) | any |
| eccffca3-6a3d-40e1-a5da-a740c5fdb3e3 | default | ingress | IPv6 | icmp (type:128, code:0) | any |
...

(The output of the "security-group-rule-create" command is confusing, but this bug report is not about that.)

The current code in acl_protocol_and_ports treats icmp.code and icmp.type like a TCP/UDP port range, and that generates lflows with matches containing:
  - "icmp4 && icmp4.type == 1",
  - "icmp6 && icmp6.type >= 128",
  - "icmp6 && icmp6.type >= 138 && icmp6.type <= 1".

Later, on the ovn-controller side, lflows with matches like the above cause errors such as:
  - Only == and != operators may be used with nominal field icmp6.type.
  - Only == and != operators may be used with nominal field icmp4.type.

The error message may confuse people into considering "icmp4.type = {...types...}". But in fact, in acl_protocol_and_ports, port_range_min/max should be treated as icmp.type and icmp.code.
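
An added example, not networking-ovn's own code, that reproduces the translation this report describes: the pre-fix range handling that yields the three matches above, beside the corrected ICMP handling, plus a check for the relational operators that ovn-controller rejects on nominal fields. The rule dict keys and the tcp.dst field for TCP/UDP are assumptions; icmp4.type/icmp6.type come from the report.

```python
import re

# Added example, not networking-ovn's own code. Field names icmp4.type and
# icmp6.type follow the OVN match syntax quoted in the report; the rule dict
# layout and the tcp.dst field for TCP/UDP are assumptions.

def _proto(rule):
    """Map Neutron protocol + ethertype to the OVN protocol keyword."""
    if rule["protocol"] == "icmp":
        return "icmp4" if rule["ethertype"] == "IPv4" else "icmp6"
    return rule["protocol"]  # "tcp" or "udp"

def _port_range(proto, field, pmin, pmax):
    """TCP/UDP-style range match. A falsy bound of 0 is dropped, which is
    what leaves the report's 'icmp6.type >= 128' match without an upper bound."""
    if pmin and pmin == pmax:
        return "%s && %s == %d" % (proto, field, pmin)
    match = proto
    if pmin:
        match += " && %s >= %d" % (field, pmin)
    if pmax:
        match += " && %s <= %d" % (field, pmax)
    return match

def acl_protocol_and_ports_buggy(rule):
    """Pre-fix: ICMP type/code are treated as a port range on icmpX.type."""
    proto = _proto(rule)
    field = proto + ".type" if proto.startswith("icmp") else proto + ".dst"
    return _port_range(proto, field, rule.get("port_range_min"),
                       rule.get("port_range_max"))

def acl_protocol_and_ports_fixed(rule):
    """Fixed: for ICMP, min is the type and max is the code, compared with ==
    because ovn-controller only allows == / != on these nominal fields."""
    proto = _proto(rule)
    pmin, pmax = rule.get("port_range_min"), rule.get("port_range_max")
    if not proto.startswith("icmp"):
        return _port_range(proto, proto + ".dst", pmin, pmax)
    match = proto
    if pmin is not None:  # 'is not None' so a type/code of 0 is not lost
        match += " && %s.type == %d" % (proto, pmin)
    if pmax is not None:
        match += " && %s.code == %d" % (proto, pmax)
    return match

NOMINAL_RANGE = re.compile(r"icmp[46]\.(?:type|code)\s*(?:>=|<=|<|>)")

def nominal_field_violations(match):
    """Relational terms on icmpX.type/code that ovn-controller would reject."""
    return NOMINAL_RANGE.findall(match)
```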

ZongKai LI (zongkai)
Changed in networking-ovn:
assignee: nobody → ZongKai LI (lzklibj)
Changed in networking-ovn:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to networking-ovn (master)

Reviewed: https://review.openstack.org/325733
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=80745bc1c5c1fc78172a853a6370661261f8cf23
Submitter: Jenkins
Branch: master

commit 80745bc1c5c1fc78172a853a6370661261f8cf23
Author: lzklibj <email address hidden>
Date: Mon Jun 6 13:58:22 2016 +0800

    Fix port range for icmp type

    In the acl_protocol_and_ports method, it's using
    "ICMPX.type >= Type-code" and "ICMPX.type <= Type-code", where ICMPX
    could be "icmp4" or "icmp6".

    But for ICMP or ICMPv6, port_range_min/max in acl_protocol_and_ports
    should be considered as icmp.type and icmp.code.

    This patch tries to fix that.

    Closes-Bug: #1589807
    Change-Id: I634095ad3a6cf1c723767ff7ea2814f692e0931e

Changed in networking-ovn:
status: In Progress → Fix Released