From 147116b7b1ce20d3db9162702364028d3227de45 Mon Sep 17 00:00:00 2001
From: Nguyen Thanh Cong
Date: Thu, 26 Mar 2020 10:35:19 +0700
Subject: [PATCH] Fix error when apply rule with dst port large than src port

When apply firewall group to a port with rule have dest port large than source port, neutron-openvswitch-agent raise error 'port_max' is smaller than 'port_min'. It because key 'port_range_max' is assigned by source_port_range_max. Fix hard code 'port_range_max' to key_max.

Change-Id: I32d9efd857932547a13d275b8a4f294e03fe7535
Closes-Bug: #1869121
---
 .../linux/l2/openvswitch_firewall/firewall.py | 2 +-
 .../l2/openvswitch_firewall/test_firewall.py | 87 +++++++++++++++++++
 2 files changed, 88 insertions(+), 1 deletion(-)

diff --git a/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py b/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py
index a317f9e4a..93c992d03 100644
--- a/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py
+++ b/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py
@@ -957,7 +957,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
 return
 ports = range_str.split(':', 1)
 rule[key_min] = int(ports[0])
- rule['port_range_max'] = (
+ rule[key_max] = (
 int(ports[1]) if len(ports) == 2 else int(ports[0]))
 add_range('destination_port', 'port_range_min', 'port_range_max')
diff --git a/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/test_firewall.py b/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/test_firewall.py
index 8f78baa1a..7914f2fe6 100644
--- a/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/test_firewall.py
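Review bot: Switching the key stops the source-port range from overwriting the destination maximum, but add_range still accepts a reversed range such as `'7000:4000'`, and for the trailing-colon form `'4000:'` the `int(ports[1])` on the context line below the change raises ValueError; both would surface as the same agent-side failure this commit closes, only later and with a less useful message. add_range's signature and the assignment of `range_str` sit above the hunk, as does the method that defines it. I cannot see from here whether the FWaaS API layer already rejects such values, so a guard right after the new assignment, `if rule[key_min] > rule[key_max]: raise ValueError("%s: %r is not a valid 'min:max' range" % (key, range_str))`, would make the invariant the flow-installation code relies on explicit where the rule is parsed, rather than inside OVS. A short comment on the conditional line, `# accepts a single port 'N' or an inclusive range 'N:M'`, would help the next reader as well.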
+++ b/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/test_firewall.py 
@@ -694,3 +694,90 @@ class TestOVSFirewallDriver(base.BaseTestCase):
 self.mock_bridge.br.db_get_val.return_value = {}
 self.firewall._remove_egress_no_port_security('port_id')
 self.assertFalse(self.mock_bridge.br.delete_flows.called)
+
+ def test_add_flows_from_rules_with_dst_large_than_src_port(self):
+ port_dict = {
+ 'device': 'port-id',
+ 'firewall_group': 123,
+ 'lvlan': TESTING_VLAN_TAG,
+ }
+ port = self.firewall.get_or_create_ofport(port_dict)
+ ingress_rules = [{
+ 'ip_version': 4,
+ 'source_port': '4000',
+ 'destination_port': '7000',
+ 'protocol': 6,
+ 'direction': 'ingress',
+ 'ethertype': 'IPv4',
+ 'offset': 1,
+ 'port_range_min': 7000,
+ 'port_range_max': 7000,
+ 'source_port_range_min': 4000,
+ 'source_port_range_max': 4000
+ }, {
+ 'ip_version': 6,
+ 'source_port': '4000',
+ 'destination_port': '7000',
+ 'protocol': 6,
+ 'direction': 'ingress',
+ 'ethertype': 'IPv6',
+ 'offset': 0,
+ 'port_range_min': 7000,
+ 'port_range_max': 7000,
+ 'source_port_range_min': 4000,
+ 'source_port_range_max': 4000
+ }]
+ egress_rules = [{
+ 'ip_version': 4,
+ 'source_port': '4000',
+ 'destination_port': '7000',
+ 'protocol': 6,
+ 'direction': 'egress',
+ 'ethertype': 'IPv4',
+ 'offset': 1,
+ 'port_range_min': 7000,
+ 'port_range_max': 7000,
+ 'source_port_range_min': 4000,
+ 'source_port_range_max': 4000
+ }, {
+ 'ip_version': 6,
+ 'source_port': '4000',
+ 'destination_port': '7000',
+ 'protocol': 6,
+ 'direction': 'egress',
+ 'ethertype': 'IPv6',
+ 'offset': 0,
+ 'port_range_min': 7000,
+ 'port_range_max': 7000,
+ 'source_port_range_min': 4000,
+ 'source_port_range_max': 4000
+ }]
+ port.fw_group.ingress_rules = [{
+ 'ip_version': 4,
+ 'source_port': '4000',
+ 'destination_port': '7000',
+ 'protocol': 6
+ },
+ {
+ 'ip_version': 6,
+ 'source_port': '4000',
+ 'destination_port': '7000',
+ 'protocol': 6
+ }
+ ]
+ port.fw_group.egress_rules = [{
+ 'ip_version': 4,
+ 'source_port': '4000',
+ 'destination_port': '7000',
+ 'protocol': 6
+ },
+ {
+ 'ip_version': 6,
+ 'source_port': '4000',
+ 'destination_port': '7000',
+ 'protocol': 6
+ }
+ ]
+ self.firewall.add_flows_from_rules(port)
+ self.assertEqual(ingress_rules, port.fw_group.ingress_rules)
+ self.assertEqual(egress_rules, port.fw_group.egress_rules)
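Review bot: The new test only exercises the single-port form (`'4000'` and `'7000'`), so the `len(ports) == 2` branch that the corrected assignment feeds is still not covered; one extra rule with `'source_port': '4000:4100'` whose expected dict carries `'source_port_range_min': 4000, 'source_port_range_max': 4100` would pin the range case as well, which is where the old `'port_range_max'` literal would have overwritten the destination maximum most visibly. As a point of style, the four expected rules repeat the same twelve keys with only ip_version, direction and offset varying, so a small factory on the test class would cut the method by roughly sixty lines and make the destination-greater-than-source intent readable at a glance. The name would also read better as `test_add_flows_from_rules_with_dst_port_greater_than_src_port`.
```python
    def _dst_gt_src_rule(self, ip_version, direction, offset):
        """Expected rule after add_flows_from_rules fills in the port ranges."""
        return {
            'ip_version': ip_version,
            'source_port': '4000',
            'destination_port': '7000',
            'protocol': 6,
            'direction': direction,
            'ethertype': 'IPv%d' % ip_version,
            'offset': offset,
            'port_range_min': 7000,
            'port_range_max': 7000,
            'source_port_range_min': 4000,
            'source_port_range_max': 4000,
        }

    def test_add_flows_from_rules_with_dst_port_greater_than_src_port(self):
        # … unchanged: port_dict and get_or_create_ofport …
        ingress_rules = [self._dst_gt_src_rule(4, 'ingress', 1),
                         self._dst_gt_src_rule(6, 'ingress', 0)]
        egress_rules = [self._dst_gt_src_rule(4, 'egress', 1),
                        self._dst_gt_src_rule(6, 'egress', 0)]
        # … unchanged: port.fw_group.ingress_rules / egress_rules setup and assertions …
```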