Convert conntrack command properly when firewall rule has port range

Bug #1702242 reported by Vu Cong Tuan
Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Akihiro Motoki

Bug Description

The current code only converts the conntrack command from a firewall rule
properly if the firewall rule contains only a single port, like:

`neutron firewall-rule-create --protocol tcp --action allow --ip-version 4 --destination-port 8777 --enabled True`

However, if the rule contains a port range, which is possible when
creating a firewall rule like this:

`neutron firewall-rule-create --protocol tcp --action allow --ip-version 4 --destination-port 8778:9000 --enabled True`

The conntrack command would look like:

['ip', 'netns', 'exec', 'qrouter-7bab1e53-0330-41af-8e98-b925d1a76984',
'conntrack', '-D', '-p', 'tcp', '-f', 'ipv4', '--dport', '8778:9000']

conntrack-tools does not understand the option `--dport 8778:9000`; it
instead applies the above command to port 8778 only, which is not expected.

This patch set fixes that issue by following the same method as in the
netlink implementation [1].

[1] https://review.openstack.org/#/c/438445/

Tags: fwaas
Changed in neutron:
assignee: nobody → Vu Cong Tuan (tuan.vu)
status: New → In Progress
Cao Xuan Hoang (hoangcx)
tags: added: fwaas
Changed in neutron:
assignee: Vu Cong Tuan (tuan.vu) → Reedip (reedip-banerjee)
Changed in neutron:
assignee: Reedip (reedip-banerjee) → Vu Cong Tuan (tuan.vu)
Changed in neutron:
assignee: Vu Cong Tuan (tuan.vu) → Akihiro Motoki (amotoki)
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (master)

Reviewed: https://review.openstack.org/443385
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=f589293aeca733501fa7cab0268dd8440e19ebf5
Submitter: Jenkins
Branch: master

commit f589293aeca733501fa7cab0268dd8440e19ebf5
Author: Cuong Nguyen <email address hidden>
Date: Thu Mar 9 09:14:14 2017 +0700

    FW rule applied incorrectly if port specified is a range

    When creating a firewall rule with the port specified as a range of values,
    e.g. [1], the conntrack command for deleting current conntrack entries is
    applied to the first number in the range, e.g. port #8778 in [1],
    instead of the range of ports 8778:9000.

    This incorrect behavior occurs because conntrack-tools
    does not understand the port as a range of values.
    This patch set fixes that issue by following the same method as done
    in the netlink implementation in [2].

    [1] "neutron firewall-rule-create --protocol tcp --action allow
    --ip-version 4 --destination-port 8778:9000 --enabled True"
    [2] https://review.openstack.org/#/c/438445/

    Closes-Bug: #1702242
    Co-Authored-By: Vu Cong Tuan <email address hidden>
    Change-Id: Ib17db09069a07f35109357d20b67b1acfa85c1a4
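To illustrate the failure mode described in the bug report and the commit message above, the following is an added example (not neutron-fwaas code, and not the merged fix): it expands a FWaaS port spec such as `8778:9000` into individual ports and emits one `conntrack -D` command per port, so that no `--dport start:end` argument (which conntrack-tools silently truncates to the first port) ever reaches the tool. The router namespace name and the rule dict layout are taken from the report; the function names are hypothetical.

```python
def parse_port_spec(spec):
    """Expand a neutron FWaaS port spec ('8777' or '8778:9000') into a
    list of individual port numbers. Returns [] when no port is set."""
    if not spec:
        return []
    if ':' in spec:
        lo, hi = (int(p) for p in spec.split(':', 1))
    else:
        lo = hi = int(spec)
    if not 0 < lo <= hi <= 65535:
        raise ValueError('invalid port spec: %r' % spec)
    return list(range(lo, hi + 1))


def conntrack_delete_cmds(netns, rule):
    """Build the 'ip netns exec <ns> conntrack -D ...' argv lists needed
    to flush existing flows matching a firewall rule. A port range yields
    one command per port (and per source/destination combination),
    because conntrack-tools only accepts a single port for --sport/--dport."""
    base = ['ip', 'netns', 'exec', netns, 'conntrack', '-D']
    if rule.get('protocol'):
        base += ['-p', rule['protocol']]
    family = {4: 'ipv4', 6: 'ipv6'}.get(int(rule.get('ip_version', 4)))
    if family:
        base += ['-f', family]
    # [None] keeps the loop running when a side has no port constraint.
    sports = parse_port_spec(rule.get('source_port')) or [None]
    dports = parse_port_spec(rule.get('destination_port')) or [None]
    cmds = []
    for sport in sports:
        for dport in dports:
            cmd = list(base)
            if sport is not None:
                cmd += ['--sport', str(sport)]
            if dport is not None:
                cmd += ['--dport', str(dport)]
            cmds.append(cmd)
    return cmds


if __name__ == '__main__':
    # Constructed sample: the rule from the bug report, in the router namespace it names.
    ns = 'qrouter-7bab1e53-0330-41af-8e98-b925d1a76984'
    rule = {'protocol': 'tcp', 'ip_version': 4, 'destination_port': '8778:9000'}
    cmds = conntrack_delete_cmds(ns, rule)
    print(len(cmds), 'commands; first:', ' '.join(cmds[0]))
```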

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-fwaas 12.0.0.0b1

This issue was fixed in the openstack/neutron-fwaas 12.0.0.0b1 development milestone.
