netvirt / NETVIRT-197

ACLs - TCP/UDP port ranges for the case of all ports (1-65535) should not use port masking at all


Details

    • Bug
    • Status: Resolved
    • Resolution: Done
    • Boron
    • None
    • General
    • None
    • Operating System: All
      Platform: All

    • 6909

    Description

      When configuring a TCP security rule (probably also relevant for UDP) with all ports, OpenStack automatically creates a TCP rule with a port range of 1-65535.

      This results in a large number of rules configured, matching various tp_dsts (by the way, why is tp_dst and not tcp_dst used?).
      Instead, this special case should result in a single rule without any tp_dst match AT ALL.

      Same for UDP.

      This was tested using "learn" security groups, but is part of the generic case and is relevant for other sg implementations as well.

      > cookie=0x6900000, duration=3475.357s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x100/0xff00 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.347s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x8/0xfff8 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.341s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x20/0xffe0 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.322s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x8000/0x8000 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.292s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x4/0xfffc actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.281s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x40/0xffc0 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.274s, table=253, n_packets=146, n_bytes=22389, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x10/0xfff0 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.271s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x2/0xfffe actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.264s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x4000/0xc000 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.263s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x800/0xf800 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.259s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x1000/0xf000 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.253s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=1 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.252s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x2000/0xe000 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.245s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x400/0xfc00 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.242s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x200/0xfe00 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
      > cookie=0x6900000, duration=3475.236s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x80/0xff80 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
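
      The expansion shown in the dump, reproduced as an added example (not netvirt code; all function names are hypothetical). It generalizes to any port range: a range is covered by aligned value/mask blocks, 1-65535 yields exactly the 16 tp_dst matches above, and the requested special case returns a single flow with no tp_dst field.

```python
PORT_BITS = 16
PORT_MAX = (1 << PORT_BITS) - 1  # 65535

def range_to_masks(lo, hi):
    """Cover [lo, hi] with the fewest aligned (value, mask) blocks."""
    if not 0 <= lo <= hi <= PORT_MAX:
        raise ValueError(f"bad port range {lo}-{hi}")
    blocks = []
    while lo <= hi:
        # Largest power-of-two block aligned at lo (lowest set bit of lo) ...
        size = (lo & -lo) if lo else (1 << PORT_BITS)
        # ... shrunk until it no longer overshoots hi.
        while size > hi - lo + 1:
            size >>= 1
        blocks.append((lo, PORT_MAX & ~(size - 1)))
        lo += size
    return blocks

def fmt(blocks):
    """Render blocks the way the dump prints them (exact match has no mask)."""
    return [f"tp_dst={v}" if m == PORT_MAX else f"tp_dst={v:#x}/{m:#x}"
            for v, m in blocks]

def tp_dst_matches(port_min, port_max):
    """Match fields for one rule; [None] means one flow with no tp_dst."""
    # Special case requested in the ticket. Assumption: port 0 is not a
    # meaningful destination, so dropping the match (which also admits
    # port 0) is treated as equivalent to 1-65535.
    if port_min <= 1 and port_max == PORT_MAX:
        return [None]
    return fmt(range_to_masks(port_min, port_max))

def allowed(port, blocks):
    """True if any (value, mask) block matches the port, as the switch would."""
    return any((port & m) == v for v, m in blocks)

# tp_dst fields copied from the flow dump in the description.
DUMP = {
    "tp_dst=1", "tp_dst=0x2/0xfffe", "tp_dst=0x4/0xfffc", "tp_dst=0x8/0xfff8",
    "tp_dst=0x10/0xfff0", "tp_dst=0x20/0xffe0", "tp_dst=0x40/0xffc0",
    "tp_dst=0x80/0xff80", "tp_dst=0x100/0xff00", "tp_dst=0x200/0xfe00",
    "tp_dst=0x400/0xfc00", "tp_dst=0x800/0xf800", "tp_dst=0x1000/0xf000",
    "tp_dst=0x2000/0xe000", "tp_dst=0x4000/0xc000", "tp_dst=0x8000/0x8000",
}

if __name__ == "__main__":
    reported = fmt(range_to_masks(1, PORT_MAX))
    print(len(reported), "flows without the special case:", set(reported) == DUMP)
    print("with the special case:", tp_dst_matches(1, PORT_MAX))
```

      When auditing a deployed rule set, `allowed()` can be run over all 65536 ports to confirm that a set of masked flows admits exactly the configured range and nothing more.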

          People

            aswins Aswin Suryanarayanan
            alonko@hpe.com Alon Kochba