When using the native OVS firewall driver, security rules are not generated correctly.
For example if a security rule is added to allow traffic on port 22 and protocol TCP, the port 23 is also allowed due to the incorrect generation of port ranges.
The user using OVS firewall driver is unaware of the fact that traffic on port 23 is allowed, since the security groups report that only port 22 is open.
Output for the nova security group rules:
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
Flow added in OVS on the host:
cookie=0xa1e95f1bc2f3773a, duration=3.338s, table=82, n_packets=0, n_bytes=0, idle_age=3, priority=70,ct_state=+new-est,tcp,reg5=0xa04,dl_dst=fa:16:3e:c0:1c:46,tp_dst=0x16/0xfffe
Expected output: Only traffic on port 22 was expected to be allowed.
Actual output: Traffic on port 22 and 23 is allowed.
When using the native OVS firewall driver, security rules are not generated correctly.
For example if a security rule is added to allow traffic on port 22 and protocol TCP, the port 23 is also allowed due to the incorrect generation of port ranges.
The user using OVS firewall driver is unaware of the fact that traffic on port 23 is allowed, since the security groups report that only port 22 is open.
Output for the nova security group rules: ------- +------ -----+- ------- -+----- ------+ ------- ------- + ------- +------ -----+- ------- -+----- ------+ ------- ------- + ------- +------ -----+- ------- -+----- ------+ ------- ------- +
+------
| IP Protocol | From Port | To Port | IP Range | Source Group |
+------
| tcp | 22 | 22 | 0.0.0.0/0 | |
+------
Flow added in OVS on the host: 0xa1e95f1bc2f37 73a, duration=3.338s, table=82, n_packets=0, n_bytes=0, idle_age=3, priority= 70,ct_state= +new-est, tcp,reg5= 0xa04,dl_ dst=fa: 16:3e:c0: 1c:46,tp_ dst=0x16/ 0xfffe
cookie=
Expected output: Only traffic on port 22 was expected to be allowed.
Actual output: Traffic on port 22 and 23 is allowed.
The algorithm used here causes this issue: /github. com/openstack/ neutron/ blob/master/ neutron/ common/ utils.py# L444-L517
https:/