Comment 0 for bug 1612235

When using the native OVS firewall driver, security rules are not generated correctly.

For example if a security rule is added to allow traffic on port 22 and protocol TCP, the port 23 is also allowed due to the incorrect generation of port ranges.

The user using OVS firewall driver is unaware of the fact that traffic on port 23 is allowed, since the security groups report that only port 22 is open.

Output for the nova security group rules:
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+

Flow added in OVS on the host:
 cookie=0xa1e95f1bc2f3773a, duration=3.338s, table=82, n_packets=0, n_bytes=0, idle_age=3, priority=70,ct_state=+new-est,tcp,reg5=0xa04,dl_dst=fa:16:3e:c0:1c:46,tp_dst=0x16/0xfffe

Expected output: Only traffic on port 22 was expected to be allowed.
Actual output: Traffic on port 22 and 23 is allowed.

The algorithm used here causes this issue:
https://github.com/openstack/neutron/blob/master/neutron/common/utils.py#L444-L517