[FWaaS] Can't add rule with destination_port larger than source_port

Bug #1869121 reported by Nguyen Thanh Cong on 2020-03-26
Affects: neutron
Importance: Low
Assigned to: Nguyen Thanh Cong

Bug Description

When I create a rule with destination port larger than source_port and apply it to a port, neutron-openvswitch-agent gets an error.

Reproduce:
1. Create Rule with destination port > source_port
openstack firewall group rule create --protocol tcp --action allow --source-ip-address 192.168.58.139 --destination-ip-address 192.168.57.108 --source-port 5000 --destination-port 5500 --name test2

2. Apply it to firewall group policy
openstack firewall group policy set --firewall-rule test-2 fw-gr-policy-test

3. Apply firewall group policy to firewall group (ingress or egress same)
openstack firewall group set --ingress-firewall-policy fw-gr-policy-test fw-gr-test

4. Apply fw group to a port
openstack firewall group set --port port-test fw-gr-test

5. Check the neutron-openvswitch-agent log on the node where the port resides

2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [req-86194ab1-4f71-4c5d-9c2c-bbb9d92599d8 - - - - -] Error while process[3015/90399]s: ValueError: 'port_max' is smaller than 'port_min'
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python3/dist-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 2545, in rpc_loop
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     port_info, provisioning_needed)
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python3/dist-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 1998, in process_network_ports
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     devices_added_updated, provisioning_needed))
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python3/dist-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 1885, in treat_devices_added_or_updated
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.ext_manager.handle_port(self.context, details)
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python3/dist-packages/neutron/agent/l2/l2_agent_extensions_manager.py", line 42, in handle_port
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     extension.obj.handle_port(context, data)
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python3/dist-packages/oslo_concurrency/lockutils.py", line 328, in inner
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     return f(*args, **kwargs)
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/l2/fwaas_v2.py", line 361, in handle_port
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     ret = self._apply_fwg_rules(fwg, [port])
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/l2/fwaas_v2.py", line 218, in _apply_fwg_rules
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.driver.update_firewall_group(ports_for_driver, fwg)
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py", line 1016, in update_firewall_group
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.create_firewall_group(ports_for_fwg, firewall_group)
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py", line 1013, in create_firewall_group
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.update_port_filter(port)
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py", line 396, in update_port_filter
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.add_flows_from_rules(of_port)
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py", line 924, in add_flows_from_rules
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     flows = rules.create_flows_from_rule_and_port(rule, port)
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/rules.py", line 80, in create_flows_from_rule_and_port
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     flows = create_protocol_flows(direction, flow_template, port, rule)
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/rules.py", line 113, in create_protocol_flows
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     flows = create_port_range_flows(flow_template, rule)
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/local/lib/python3.6/dist-packages/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/rules.py", line 140, in create_port_range_flows
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     dst_port_range = utils.port_rule_masking(dst_port_min, dst_port_max)
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "/usr/lib/python3/dist-packages/neutron/common/utils.py", line 568, in port_rule_masking
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     raise ValueError(_("'port_max' is smaller than 'port_min'"))
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent ValueError: 'port_max' is smaller than 'port_min'
2020-03-26 10:18:34.882 3365 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent

Fix proposed to branch: master
Review: https://review.opendev.org/715117
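
The traceback above ends in the range check that guards the conversion of a port range into masked matches for flow rules, and the exception travels all the way up to rpc_loop. The following added example (not neutron or neutron-fwaas code, and not the change under review) shows that conversion with the same guard, plus a validator that reports a bad pair instead of raising; the function names and rule dictionary keys are assumptions made for the example, and how the agent arrived at a reversed pair is not shown on this page.

```python
# Added illustration; not neutron's or neutron-fwaas's code.
PORT_SPACE = 0x10000  # TCP/UDP ports are 16 bits wide


def port_range_to_masks(port_min, port_max):
    """Split [port_min, port_max] into aligned (value, mask) blocks.

    A masked match accepts port p when p & mask == value, so the range is
    covered with power-of-two blocks that start on a multiple of their size.
    """
    for p in (port_min, port_max):
        if not 0 <= p < PORT_SPACE:
            raise ValueError("port %r is outside 0..65535" % (p,))
    if port_max < port_min:
        # Same condition the traceback ends on.
        raise ValueError("'port_max' is smaller than 'port_min'")
    blocks = []
    start = port_min
    while start <= port_max:
        # Largest block aligned at start (its lowest set bit), shrunk to fit.
        size = (start & -start) or PORT_SPACE
        while start + size - 1 > port_max:
            size >>= 1
        blocks.append((start, (PORT_SPACE - 1) & ~(size - 1)))
        start += size
    return blocks


def validate_rule_ports(rule):
    """Return a list of problems so a caller can reject one rule early.

    Keys like 'dst_port_min' are hypothetical names for this example.
    """
    problems = []
    for side in ("src", "dst"):
        lo, hi = rule.get(side + "_port_min"), rule.get(side + "_port_max")
        if lo is None and hi is None:
            continue  # no port match on this side
        lo, hi = (hi if lo is None else lo), (lo if hi is None else hi)
        try:
            port_range_to_masks(lo, hi)
        except ValueError as exc:
            problems.append("%s: %s" % (side, exc))
    return problems


# Constructed inputs: the single ports from the report, and a reversed pair.
GOOD_RULE = {"src_port_min": 5000, "src_port_max": 5000,
             "dst_port_min": 5500, "dst_port_max": 5500}
BAD_RULE = {"dst_port_min": 5500, "dst_port_max": 5000}
```

Running the validator where the rule is created or translated keeps a single malformed range from surfacing as an unhandled exception in the agent's port-processing loop.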

Changed in neutron:
assignee: nobody → Nguyen Thanh Cong (congnt95)
status: New → In Progress
description: updated
Hongbin Lu (hongbin.lu) wrote:

Just keep in mind that fwaas is deprecated as mentioned by https://review.opendev.org/#/c/708675/.

tags: added: fwaas
Hongbin Lu (hongbin.lu) on 2020-03-29
Changed in neutron:
importance: Undecided → Low