"portRangeMax" Configuration Does Not Work When "all" Protocol is Set in Security Group about kube-ovn HOT 13 CLOSED

After gaining some background knowledge, I think the standard security group simply don't allow "all" protocol work with port range. Since "ICMP" isn't related to any port.

from kube-ovn.

could you please show the telnet ip:8000?

from kube-ovn.

apiVersion: kubeovn.io/v1
kind: SecurityGroup
metadata:
creationTimestamp: "2024-04-16T03:10:32Z"
generation: 29
name: user-2355-i-njwpuvj7k528-firewall-sg
resourceVersion: "558092262"
uid: 53d72488-993e-4c73-ad44-6a13421f2559
spec:
ingressRules:

• ipVersion: ipv4
  policy: allow
  portRangeMax: 8000
  portRangeMin: 8000
  priority: 101
  protocol: all
  remoteAddress: 0.0.0.0/0
  remoteType: address
• ipVersion: ipv4
  policy: deny
  priority: 161
  protocol: ALL
  remoteAddress: 0.0.0.0/0
  remoteType: address
• ipVersion: ipv4
  policy: allow
  priority: 160
  protocol: ALL
  remoteAddress: 172.16.0.0/11
  remoteType: address
• ipVersion: ipv4
  policy: allow
  priority: 160
  protocol: ALL
  remoteAddress: 10.0.0.0/8
  remoteType: address
  status:
  allowSameGroupTraffic: false
  egressLastSyncSuccess: true
  egressMd5: d751713988987e9331980363e24189ce
  ingressLastSyncSuccess: true
  ingressMd5: e4fc8be826456f64c73f9a848abb560f
  portGroup: ovn.sg.user.2355.i.njwpuvj7k528.firewall.sg

from kube-ovn.

The same time I can ssh connect to 22 port, which should be blocked by the ingress rules.
However, if you change "all" to "tcp", the ssh will be disconnected immediately.

from kube-ovn.

could you please show the telnet ip:8000?

your image means the 8000 port is ok , which is works, do i miss something ？

from kube-ovn.

could you please show the telnet ip:8000?

your image means the 8000 port is ok , which is works, do i miss something ？

The real problem is if you set a server listen to port 7000, it works either. I just do telnet ip 8000 as you demand.

from kube-ovn.

could you please show the telnet ip:8000?

your image means the 8000 port is ok , which is works, do i miss something ？

The real problem is if you set a server listen to port 7000, it works either. I just do telnet ip 8000 as you demand.

ok， i get it.

from kube-ovn.

if you do not set the 8000 allow ingressRules, do ip:8000 could be accessed?

from kube-ovn.

if you do not set the 8000 allow ingressRules, do ip:8000 could be accessed?

No. Because I have a rule with lower priority to deny all ingress traffic.

ipVersion: ipv4
policy: deny
priority: 161
protocol: ALL
remoteAddress: 0.0.0.0/0
remoteType: address

I wish to only allow port 8000 ingress traffic by set another rule, however, it seems to allow all ports. But if you set "udp" or "tcp", it will work as expected.

from kube-ovn.

it looks like it is a OVN bug

from kube-ovn.

Interesting. So shall we open an issue to OVN? Is there any way to fix it temprorally?
BTW, if there are some interested issue you think I can help, you can assign it to me. I would like to help. Recently, I'm hoping to get more familiar with kube-ovn.

from kube-ovn.

Is there any way to fix it temprorally?
use TCP or udp, not all, as you said.

from kube-ovn.

you can try to attach this issue in ovn GitHub issues for some help.

from kube-ovn.