|
When configuring a TCP security rule that covers all ports (probably also relevant for UDP), OpenStack automatically creates a TCP rule with a port range of 1-65535.
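This results in a large number of flow rules being configured (16 in the dump below), each matching a different masked tp_dst value, because the 1-65535 range is expanded into value/mask matches (by the way, why is tp_dst used and not tcp_dst?).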
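Instead, this special case should result in a single rule without any tp_dst match AT ALL. Note that a rule with no tp_dst match also matches destination port 0, which the 1-65535 range excludes.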
Same for UDP.
This was tested using "learn" security groups, but the behavior is part of the generic case and is relevant to other security group (sg) implementations as well.
> cookie=0x6900000, duration=3475.357s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x100/0xff00 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.347s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x8/0xfff8 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.341s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x20/0xffe0 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.322s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x8000/0x8000 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.292s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x4/0xfffc actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.281s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x40/0xffc0 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.274s, table=253, n_packets=146, n_bytes=22389, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x10/0xfff0 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.271s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x2/0xfffe actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.264s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x4000/0xc000 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.263s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x800/0xf800 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.259s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x1000/0xf000 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.253s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=1 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.252s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x2000/0xe000 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.245s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x400/0xfc00 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.242s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x200/0xfe00 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.236s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x80/0xff80 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
|