yahoo-eng-team team mailing list archive
Message #74320
[Bug 1787420] [NEW] Floating ip association to router interface should be restricted
Public bug reported:
We found this bug using the vmware-nsx plugin, but it should be applicable
to all plugins that support L3.
Created devstack_master + vmware-nsx
Created a router interface and assigned FIPs to the router interface, which is allowed.
I don't find any use case to assign an IP to a router port other than its LB VIP port.
Main reasons for restricting this:
-> To remove unwanted entries of fip from neutron db.
-> To reduce overhead of using floating ip pool (other pool may get exhausted).
REPRO STEPS:
myuser@kvm-compute-node1:~/devstack$ neutron router-port-list rtr3
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+------+----------------------------------+-------------------+------------------------------------------------------------------------------------+
| id | name | tenant_id | mac_address | fixed_ips |
+--------------------------------------+------+----------------------------------+-------------------+------------------------------------------------------------------------------------+
| 3318efcd-fcd1-4dda-bdde-4c8a19fbee3a | | | fa:16:3e:c1:00:fd | {"subnet_id": "afb2f79d-3c25-47de-a273-27bab2b78800", "ip_address": "172.24.0.19"} |
| 8fcda443-dd4d-431f-ba3d-fbd5764830d9 | | 00b7a6f394e946688c83545da6a27804 | fa:16:3e:9a:a1:3e | {"subnet_id": "7ff038d6-3b3c-4127-a45a-f135ac07f3bb", "ip_address": "3.0.100.1"} |
| f6d54233-a8aa-4304-bc16-20f0071dfc47 | | 00b7a6f394e946688c83545da6a27804 | fa:16:3e:99:35:61 | {"subnet_id": "c16dce8d-899e-45f7-b615-557c2e231ce5", "ip_address": "3.3.100.1"} |
+--------------------------------------+------+----------------------------------+-------------------+------------------------------------------------------------------------------------+
myuser@kvm-compute-node1:~/devstack$ neutron port-show 8fcda443-dd4d-431f-ba3d-fbd5764830d9
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------+------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+--------------------------+------------------------------------------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:host_id | |
| binding:vif_details | {"ovs_hybrid_plug": false, "nsx-logical-switch-id": "c1a562e9-54bd-4ca6-9071-d622155e7ee6", "port_filter": true} |
| binding:vif_type | ovs |
| binding:vnic_type | normal |
| created_at | 2018-08-13T16:19:11Z |
| description | |
| device_id | 0fa3bbcd-2a24-4c1d-ba56-d7e2c88a60ba |
| device_owner | network:router_interface |
| dns_assignment | {"hostname": "host-3-0-100-1", "ip_address": "3.0.100.1", "fqdn": "host-3-0-100-1.somedom.org."} |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "7ff038d6-3b3c-4127-a45a-f135ac07f3bb", "ip_address": "3.0.100.1"} |
| id | 8fcda443-dd4d-431f-ba3d-fbd5764830d9 |
| mac_address | fa:16:3e:9a:a1:3e |
| name | |
| network_id | 186a719b-7ca8-485a-9869-3eb60ef62020 |
| port_security_enabled | False |
| project_id | 00b7a6f394e946688c83545da6a27804 |
| provider_security_groups | |
| qos_policy_id | |
| revision_number | 3 |
| security_groups | |
| status | ACTIVE |
| tags | |
| tenant_id | 00b7a6f394e946688c83545da6a27804 |
| updated_at | 2018-08-13T16:19:12Z |
+--------------------------+------------------------------------------------------------------------------------------------------------------+
myuser@kvm-compute-node1:~/devstack$ neutron floatingip-create --port-id=8fcda443-dd4d-431f-ba3d-fbd5764830d9 public
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new floatingip:
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| created_at | 2018-08-14T12:10:23Z |
| description | |
| dns_domain | |
| dns_name | |
| fixed_ip_address | 3.0.100.1 |
| floating_ip_address | 172.24.0.22 |
| floating_network_id | b07e294c-68d1-48aa-be7f-153d8957d16e |
| id | ecc1da5f-1323-4774-9667-0c5341534aa1 |
| port_id | 8fcda443-dd4d-431f-ba3d-fbd5764830d9 |
| project_id | 00b7a6f394e946688c83545da6a27804 |
| revision_number | 0 |
| router_id | 0fa3bbcd-2a24-4c1d-ba56-d7e2c88a60ba |
| status | ACTIVE |
| tags | |
| tenant_id | 00b7a6f394e946688c83545da6a27804 |
| updated_at | 2018-08-14T12:10:23Z |
+---------------------+--------------------------------------+
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1787420
Title:
Floating ip association to router interface should be restricted
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1787420/+subscriptions
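
The condition described in the report can be audited on an existing deployment. The following is an added example, not part of the original message or of neutron: it takes port and floating IP records keyed by the field names shown in the report's tables and flags floating IPs whose port has device_owner network:router_interface. The function name, the finding format and the records marked constructed are assumptions.

```python
# Added example: audit floating IPs bound to router interface ports.

# device_owner value shown for the port in the report; extend for your plugin.
ROUTER_INTERFACE_OWNERS = frozenset({"network:router_interface"})


def audit_floating_ips(ports, floating_ips, owners=ROUTER_INTERFACE_OWNERS):
    """Return findings for floating IPs whose port is a router interface.

    A floating IP whose port is missing from `ports` is reported as
    "port-not-listed" so a partial port listing is not read as a clean result.
    """
    owner_by_port = {p["id"]: p.get("device_owner") or "" for p in ports}
    findings = []
    for fip in floating_ips:
        port_id = fip.get("port_id")
        if not port_id:
            continue  # unassociated floating IP: nothing to check
        if port_id not in owner_by_port:
            kind = "port-not-listed"
        elif owner_by_port[port_id] in owners:
            kind = "router-interface"
        else:
            continue  # associated with an ordinary port
        findings.append({
            "kind": kind,
            "floatingip_id": fip["id"],
            "floating_ip_address": fip.get("floating_ip_address"),
            "port_id": port_id,
        })
    return findings


# Sample records: the router port and first floating IP reuse values from
# the report; everything named "constructed-..." is made up for the example.
ROUTER_PORT = "8fcda443-dd4d-431f-ba3d-fbd5764830d9"
SAMPLE_PORTS = [
    {"id": ROUTER_PORT, "device_owner": "network:router_interface"},
    {"id": "constructed-vm-port", "device_owner": "compute:nova"},
]
SAMPLE_FIPS = [
    {"id": i, "floating_ip_address": a, "port_id": p} for i, a, p in [
        ("ecc1da5f-1323-4774-9667-0c5341534aa1", "172.24.0.22", ROUTER_PORT),
        ("constructed-fip-vm", "172.24.0.30", "constructed-vm-port"),
        ("constructed-fip-free", "172.24.0.31", None),
        ("constructed-fip-orphan", "172.24.0.32", "constructed-missing-port"),
    ]
]
```
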