Do not pass port-range to backend if all ports specified in security group rule
Bug #1848213 reported by Maciej Jozefczyk
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Medium | Slawek Kaplonski |
Bug Description
If a user creates a security group rule specifying all the ports, like above:
openstack security group rule create --protocol udp --ingress --dst-port 1:65535 47420676-
the rule shouldn't be passed with ranges to the Neutron ML2 backend. For some backends, like OVN, this leads to suboptimal flow creation.
We have potentially two ways to solve this:
1) Do not accept this kind of request (HTTP 400)
2) Modify the rule on the fly somewhere around _validate_
tags: added: sg-fw
Changed in neutron: importance: Undecided → Medium
Changed in neutron: assignee: Brian Haley (brian-haley) → Slawek Kaplonski (slaweq)
From what I recognize, some rally tasks depend on port-range from 1 to max, like:
https://github.com/openstack/rally-openstack/blob/master/rally_openstack/contexts/network/allow_ssh.py#L50
Which is bad, and we could have more things like this one.
I vote for 2)
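
Option 2 from the bug description, sketched as an added example (not Neutron's code and not written by anyone in this thread): a rule covering ports 1:65535 is rewritten to carry no port range before it reaches the backend. `protocol`, `port_range_min` and `port_range_max` are the Neutron API rule fields; the function name, the protocol set and the sample rules are assumptions made for the illustration.

```python
# Added illustration of "modify the rule on the fly"; names are hypothetical.
PORT_MIN, PORT_MAX = 1, 65535

# Protocols for which port_range_min/max are L4 ports (names and IANA numbers).
PORT_PROTOCOLS = {"tcp", "6", "udp", "17", "sctp", "132",
                  "dccp", "33", "udplite", "136"}


def normalize_port_range(rule):
    """Return a copy of `rule` with a full 1:65535 range collapsed to no range."""
    out = dict(rule)  # never mutate the caller's request body
    proto = str(out.get("protocol") or "").lower()
    if proto not in PORT_PROTOCOLS:
        # For ICMP these two fields carry type/code, not ports: leave them alone.
        return out
    lo, hi = out.get("port_range_min"), out.get("port_range_max")
    if lo is None or hi is None:
        return out  # already "all ports" (or incomplete; validated elsewhere)
    lo, hi = int(lo), int(hi)  # API clients may send ports as strings
    if not PORT_MIN <= lo <= hi <= PORT_MAX:
        raise ValueError(f"invalid port range {lo}:{hi}")
    if (lo, hi) == (PORT_MIN, PORT_MAX):
        # Same traffic matched, but the backend gets one protocol-only match
        # instead of a range it has to expand into many flows.
        lo = hi = None
    out["port_range_min"], out["port_range_max"] = lo, hi
    return out


if __name__ == "__main__":
    # Constructed sample rules, not taken from the bug report.
    samples = [
        {"protocol": "udp", "port_range_min": 1, "port_range_max": 65535},
        {"protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
        {"protocol": "icmp", "port_range_min": 8, "port_range_max": 0},
    ]
    for rule in samples:
        print(rule, "->", normalize_port_range(rule))
```

Clients that keep sending `1:65535`, such as the rally context linked above, stay accepted under this approach, which is the compatibility argument for option 2 over an HTTP 400.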