Public bug reported:

Current code only converts the conntrack command from a firewall rule properly if the firewall rule contains only a single port, like:

`neutron firewall-rule-create --protocol tcp --action allow --ip-version 4 --destination-port 8777 --enabled True`

However, if the rule contains a port range, which is possible when creating a firewall rule like this:

`neutron firewall-rule-create --protocol tcp --action allow --ip-version 4 --destination-port 8778:9000 --enabled True`

the conntrack command would look like:

['ip', 'netns', 'exec', 'qrouter-7bab1e53-0330-41af-8e98-b925d1a76984', 'conntrack', '-D', '-p', 'tcp', '-f', 'ipv4', '--dport', '8778:9000']

Conntrack-tools does not understand the option `--dport 8778:9000`; it instead applies the above command to port 8778 only, which is not expected.

This patch set fixes that issue by following the same method as the netlink implementation [1].

[1] https://review.openstack.org/#/c/438445/

** Affects: neutron
   Importance: Undecided
   Assignee: Vu Cong Tuan (tuan.vu)
   Status: In Progress

** Tags: fwaas

https://bugs.launchpad.net/bugs/1702242

Title: Convert conntrack command properly when firewall rule has port range

Status in neutron: In Progress
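As an added illustration (not code from the bug report or from neutron), one way to build conntrack commands that conntrack-tools will actually act on for the whole range: expand the rule's destination-port range into one `conntrack -D` invocation per port, so no entries for 8779-9000 survive. The helper names are mine, and it assumes the referenced netlink fix likewise handles ports individually; the rule fields and namespace are the ones shown in the report.

```python
from typing import Dict, List, Optional, Tuple


def parse_port_spec(spec: Optional[str]) -> Optional[Tuple[int, int]]:
    """Parse a neutron port filter ('8777' or '8778:9000') into an
    inclusive (start, end) tuple. Returns None when the rule has no
    port filter at all."""
    if not spec:
        return None
    if ":" in spec:
        start, end = (int(part) for part in spec.split(":", 1))
    else:
        start = end = int(spec)
    # Reject inverted or out-of-range specs instead of silently
    # producing commands that would match nothing or the wrong ports.
    if not (0 < start <= end <= 65535):
        raise ValueError("invalid port range: %r" % spec)
    return start, end


def build_conntrack_delete_cmds(namespace: str,
                                rule: Dict[str, object]) -> List[List[str]]:
    """Return the 'ip netns exec ... conntrack -D' commands for a rule.

    conntrack-tools does not accept '--dport a:b' (it acts on 'a' only),
    so a range is expanded into one command per port. Without a port
    filter a single command without --dport is returned."""
    base = ["ip", "netns", "exec", namespace, "conntrack", "-D",
            "-p", str(rule["protocol"]), "-f", "ipv%d" % rule["ip_version"]]
    ports = parse_port_spec(rule.get("destination_port"))  # type: ignore
    if ports is None:
        return [base]
    start, end = ports
    return [base + ["--dport", str(port)] for port in range(start, end + 1)]


if __name__ == "__main__":
    # Sample rule taken from the bug report: tcp, IPv4, dport 8778:9000.
    sample_rule = {"protocol": "tcp", "ip_version": 4,
                   "destination_port": "8778:9000"}
    ns = "qrouter-7bab1e53-0330-41af-8e98-b925d1a76984"
    for cmd in build_conntrack_delete_cmds(ns, sample_rule):
        print(" ".join(cmd))
```

Each emitted argument list carries a single port, so the truncation described in the report cannot occur; a bad range spec fails loudly instead of being passed through.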

