[NETVIRT-197] ACLs - TCP/UDP port ranges for the case of all ports (1-65535) should not use port masking at all

Created: 10/Oct/16  Updated: 03/May/18  Resolved: 06/Dec/16

Status: Resolved
Project: netvirt
Component/s: General
Affects Version/s: Boron
Fix Version/s: None

Type: Bug
Reporter: Alon Kochba
Assignee: Aswin Suryanarayanan
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 6909

 Description   

When configuring a TCP security rule (probably also relevant for UDP) with all ports, OpenStack automatically creates a TCP rule with a port range of 1-65535.

This results in a large number of rules being configured, matching various tp_dsts (by the way, why is tp_dst and not tcp_dst used?).
Instead, this special case should result in a single rule without any tp_dst match AT ALL.

Same for UDP.

This was tested using "learn" security groups, but is part of the generic case and is relevant for other sg implementations as well.

> cookie=0x6900000, duration=3475.357s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x100/0xff00 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.347s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x8/0xfff8 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.341s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x20/0xffe0 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.322s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x8000/0x8000 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.292s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x4/0xfffc actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.281s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x40/0xffc0 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.274s, table=253, n_packets=146, n_bytes=22389, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x10/0xfff0 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.271s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x2/0xfffe actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.264s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x4000/0xc000 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.263s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x800/0xf800 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.259s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x1000/0xf000 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.253s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=1 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.252s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x2000/0xe000 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.245s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x400/0xfc00 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.242s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x200/0xfe00 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
> cookie=0x6900000, duration=3475.236s, table=253, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x60000000000/0x1fffff0000000000,tp_dst=0x80/0xff80 actions=learn(table=41,idle_timeout=3600,hard_timeout=3600,fin_idle_timeout=60,fin_hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,220)
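
An added example (not netvirt code and not part of the original report) of the decomposition the dump above shows: a port range is split into aligned power-of-two blocks, each one a `value/mask` match, so 1-65535 produces the 16 `tp_dst` entries listed, while the special case the report asks for returns no port match at all. All function names are hypothetical; treating 1-65535 as "all ports" is the report's assumption.

```python
FULL_MASK = 0xFFFF  # tp_dst is a 16-bit field


def range_to_masks(lo, hi):
    """Split [lo, hi] into the minimal list of (value, mask) prefix matches."""
    if not (0 <= lo <= hi <= 0xFFFF):
        raise ValueError("need 0 <= lo <= hi <= 65535")
    out = []
    while lo <= hi:
        # Largest power-of-two block aligned at lo (port 0 aligns with anything).
        size = (lo & -lo) if lo else 0x10000
        # Shrink it until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        out.append((lo, FULL_MASK & ~(size - 1)))
        lo += size
    return out


def fmt(value, mask):
    """Render a match the way the flow dump prints it."""
    return str(value) if mask == FULL_MASK else f"{value:#x}/{mask:#x}"


def tp_dst_matches(lo, hi):
    """Return tp_dst match strings; [] means one flow with no port match."""
    # Assumption from the report: 1-65535 is how "all ports" arrives.
    # Dropping the match also admits port 0, which 1-65535 excluded.
    if lo <= 1 and hi == 0xFFFF:
        return []
    return [fmt(v, m) for v, m in range_to_masks(lo, hi)]


def covered_ports(masks):
    """Expand (value, mask) pairs back to the set of ports they match."""
    return {p for p in range(0x10000) for v, m in masks if p & m == v}


if __name__ == "__main__":
    before = [fmt(v, m) for v, m in range_to_masks(1, 65535)]
    print(len(before), "flows without the special case:", before)
    print("flows with the special case:", tp_dst_matches(1, 65535) or "no tp_dst match")
    print("ordinary range 80-90:", tp_dst_matches(80, 90))
```

`covered_ports` is there so the decomposition can be checked against the requested range before flows are pushed to a switch.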



 Comments   
Comment by Aswin Suryanarayanan [ 18/Oct/16 ]

https://git.opendaylight.org/gerrit/#/c/46902/
