Do not pass port-range to backend if all ports specified in security group rule

Bug #1848213 reported by Maciej Jozefczyk
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Slawek Kaplonski

Bug Description

If a user creates a security group rule specifying all the ports, like below:

openstack security group rule create --protocol udp --ingress --dst-port 1:65535 47420676-21d8-4d82-b43c-73e100c5b397

the rule shouldn't be passed with ranges to the neutron ml2 backend. For some backends, like OVN, this leads to non-optimal flow creation.

We have potentially two ways to solve this:
1) Do not accept such requests (HTTP 400)
2) Modify the rule on the fly somewhere around _validate_port_range() in ./neutron/db/securitygroups_db.py to drop the max and min ports and accept all traffic for the given protocol.

Tags: sg-fw
Revision history for this message
Maciej Jozefczyk (maciejjozefczyk) wrote :

From what I can tell, some rally tasks depend on a port range from 1 to max, like:
https://github.com/openstack/rally-openstack/blob/master/rally_openstack/contexts/network/allow_ssh.py#L50

Which is bad, and we could have more things like this one.
I vote for 2)

description: updated
Changed in neutron:
assignee: nobody → Maciej Jozefczyk (maciej.jozefczyk)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/689050

Changed in neutron:
assignee: Maciej Jozefczyk (maciej.jozefczyk) → Brian Haley (brian-haley)
status: New → In Progress
Hongbin Lu (hongbin.lu)
tags: added: sg-fw
Changed in neutron:
importance: Undecided → Medium
Changed in neutron:
assignee: Brian Haley (brian-haley) → Slawek Kaplonski (slaweq)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/689050
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=26b8026cee1b83923744f1ca486a94d513f65964
Submitter: Zuul
Branch: master

commit 26b8026cee1b83923744f1ca486a94d513f65964
Author: Brian Haley <email address hidden>
Date: Wed Oct 16 17:30:08 2019 -0400

    Update security group rule if port range is all ports

    A security group rule where port_range_min:port_range_max
    is 1:65535 is specifying all ports, but it is not optimal
    for backends to try and implement this potentially large
    rule.

    Since it is essentially the entire port range, change
    min:max to be None, making the rule specify the entire
    protocol instead.

    Change-Id: Iff22e2fc84d679e20a5a04b8516750c6ea949078
    Closes-bug: #1848213

Changed in neutron:
status: In Progress → Fix Released
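An added illustration of the normalization the merged commit describes (this is example code, not neutron's own implementation): a rule whose range is exactly 1:65535 is rewritten to an open port range so the backend receives a protocol-only rule, while partial ranges are left alone. The protocol list and the ICMP handling (where min/max carry type/code, not ports) are assumptions of the example.

```python
# Added example, not neutron's code: normalize a security group rule whose
# port range covers every port so the backend gets a protocol-only rule.

MIN_PORT = 1
MAX_PORT = 65535

# Protocols whose port_range_min/max fields carry L4 ports (assumed list).
# ICMP-style protocols reuse those fields for type/code, so they are never
# rewritten even if the numbers happen to match.
PORT_PROTOCOLS = {"tcp", "udp", "sctp", "udplite", "dccp"}


def covers_all_ports(rule):
    """True when the rule spans exactly MIN_PORT:MAX_PORT for a port-based protocol."""
    proto = (rule.get("protocol") or "").lower()
    return (proto in PORT_PROTOCOLS
            and rule.get("port_range_min") == MIN_PORT
            and rule.get("port_range_max") == MAX_PORT)


def normalize_port_range(rule):
    """Return a copy of the rule with min/max cleared when they span all ports."""
    normalized = dict(rule)
    if covers_all_ports(normalized):
        normalized["port_range_min"] = None
        normalized["port_range_max"] = None
    return normalized


def backend_match(rule):
    """Render the match a backend would build: protocol alone, or protocol plus range."""
    proto = rule["protocol"]
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None and hi is None:
        return proto  # whole protocol, no per-port expansion needed
    return "%s %d-%d" % (proto, lo, hi)


# Constructed sample rules, modelled on the CLI call in the bug report.
SAMPLE_RULES = [
    {"protocol": "udp", "direction": "ingress", "port_range_min": 1, "port_range_max": 65535},
    {"protocol": "tcp", "direction": "ingress", "port_range_min": 22, "port_range_max": 22},
    {"protocol": "icmp", "direction": "ingress", "port_range_min": 8, "port_range_max": 0},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print("%-16s -> %s" % (backend_match(rule), backend_match(normalize_port_range(rule))))
```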
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 16.0.0.0b1

This issue was fixed in the openstack/neutron 16.0.0.0b1 development milestone.
