Convert conntrack command properly when firewall rule has port range
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Undecided | Akihiro Motoki |
Bug Description
The current code only converts the conntrack command from a firewall rule properly
if the firewall rule contains only a single port, like:
`neutron firewall-rule-create --protocol tcp --action allow --ip-version 4 --destination-port 8777 --enabled True`
However, if the rule contains a port range, which is possible when
creating a firewall rule like this:
`neutron firewall-rule-create --protocol tcp --action allow --ip-version 4 --destination-port 8778:9000 --enabled True`
The conntrack command would look like:
```python
['ip', 'netns', 'exec', 'qrouter-
 'conntrack', '-D', '-p', 'tcp', '-f', 'ipv4', '--dport', '8778:9000']
```
Conntrack-tools does not understand the option `--dport 8778:9000`; it
instead applies the above command to port 8778 only, which is not expected.
This patch set fixes that issue by following the same method as the
netlink implementation [1].
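To make the failure mode concrete, here is an added example (not neutron-fwaas code, and not the netlink implementation the report refers to) that expands a `lo:hi` port spec into one `conntrack -D` invocation per port instead of passing the range string through; the namespace name and rule dictionary keys are constructed for the example.

```python
"""Expand a FWaaS rule's port range into per-port conntrack delete commands.

Added example, not neutron-fwaas code. Because conntrack-tools treats
'--dport 8778:9000' as port 8778 only, every port in the range gets its own
invocation. Namespace and rule keys below are constructed for illustration.
"""


def parse_port_spec(spec):
    """Return (low, high) for 'N' or 'N:M'; reject malformed or out-of-range input."""
    parts = spec.split(':')
    if len(parts) > 2:
        raise ValueError('bad port spec %r' % spec)
    ports = [int(p) for p in parts]
    low, high = ports[0], ports[-1]
    if not (0 < low <= high <= 65535):
        raise ValueError('port spec out of range: %r' % spec)
    return low, high


def conntrack_delete_cmds(namespace, rule):
    """Build 'ip netns exec <ns> conntrack -D ...' argv lists for a rule.

    rule keys mirror the CLI options in the report: 'protocol', 'ip_version',
    and optional 'destination_port' / 'source_port' given as 'N' or 'N:M'.
    """
    prefix = ['ip', 'netns', 'exec', namespace, 'conntrack', '-D',
              '-p', rule['protocol'], '-f', 'ipv%d' % rule['ip_version']]
    dports = [None]
    sports = [None]
    if rule.get('destination_port'):
        lo, hi = parse_port_spec(rule['destination_port'])
        dports = list(range(lo, hi + 1))
    if rule.get('source_port'):
        lo, hi = parse_port_spec(rule['source_port'])
        sports = list(range(lo, hi + 1))
    cmds = []
    # One argv per (dport, sport) pair so that no port in the range is skipped.
    for dport in dports:
        for sport in sports:
            cmd = list(prefix)
            if dport is not None:
                cmd += ['--dport', str(dport)]
            if sport is not None:
                cmd += ['--sport', str(sport)]
            cmds.append(cmd)
    return cmds
```

A rule with both a wide source and a wide destination range yields the product of the two ranges in commands, so an operator should expect flushing such rules to be slow.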
Changed in neutron:
- assignee: nobody → Vu Cong Tuan (tuan.vu)
- status: New → In Progress
- tags: added: fwaas

Changed in neutron:
- assignee: Vu Cong Tuan (tuan.vu) → Reedip (reedip-banerjee)

Changed in neutron:
- assignee: Reedip (reedip-banerjee) → Vu Cong Tuan (tuan.vu)

Changed in neutron:
- assignee: Vu Cong Tuan (tuan.vu) → Akihiro Motoki (amotoki)
Reviewed: https://review.openstack.org/443385
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=f589293aeca733501fa7cab0268dd8440e19ebf5
Submitter: Jenkins
Branch: master
commit f589293aeca733501fa7cab0268dd8440e19ebf5
Author: Cuong Nguyen <email address hidden>
Date: Thu Mar 9 09:14:14 2017 +0700
FW rule applied incorrectly if port specified is a range
When creating a firewall rule with port specified as a range of values,
e.g. [1], conntrack command for deleting current conntrack entries is
applied to the first number in the range, e.g. port #8778 in [1],
instead of the range of ports 8778:9000.
This incorrect behavior occurs because conntrack-tools
does not understand the port as a range of values.
This patch set fixes that issue by following the same method as done
in the netlink implementation in [2].
[1] "neutron firewall-rule-create --protocol tcp --action allow --ip-version 4 --destination-port 8778:9000 --enabled True"
[2] https://review.openstack.org/#/c/438445/
Closes-Bug: #1702242
Co-Authored-By: Vu Cong Tuan <email address hidden>
Change-Id: Ib17db09069a07f35109357d20b67b1acfa85c1a4