yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #82055
[Bug 1869129] [NEW] neutron accepts CIDR in security groups that are invalid in ovn
Public bug reported:
We have found that there are some CIDR accepted by neutron, which does
not work in networking ovn. Specifically, these are network CIDRs with
the host bits set.
Steps to reproduce
- Create VM. Attach a floating IP to it
- Remove all security group. Attach a blank security group to it
- Add a security group rule and start ping
For example, if my IP is 10.10.10.175/26 (first 3 octets changed for
privacy), the following security rules work
openstack security group rule create --protocol icmp --remote-ip 10.10.10.175/32 cidr
openstack security group rule create --protocol icmp --remote-ip 10.10.10.128/26 cidr
However, the following security group rule do not work
openstack security group rule create --protocol icmp --remote-ip
10.10.10.175/26 cidr
FWIW, in our testing, CIDRs like 10.10.10.175/26 work in other drivers,
like linuxbridge and midonet.
** Affects: neutron
Importance: Undecided
Status: New
** Description changed:
We have found that there are some CIDR accepted by neutron, which does
not work in networking ovn. Specifically, these are network CIDRs with
the host bits set.
Steps to reproduce
- Create VM. Attach a floating IP to it
- Remove all security group. Attach a blank security group to it
- Add a security group rule and start ping
- For example, if my IP is 10.10.10.175/26 (first 3 bits changed for
+ For example, if my IP is 10.10.10.175/26 (first 3 octets changed for
privacy), the following security rules work
openstack security group rule create --protocol icmp --remote-ip 10.10.10.175/32 cidr
openstack security group rule create --protocol icmp --remote-ip 10.10.10.128/26 cidr
However, the following security group rule do not work
openstack security group rule create --protocol icmp --remote-ip
10.10.10.175/26 cidr
-
- FWIW, in our testing, CIDRs like 10.10.10.175/26 work in other drivers, like linuxbridge and midonet.
+ FWIW, in our testing, CIDRs like 10.10.10.175/26 work in other drivers,
+ like linuxbridge and midonet.
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1869129
Title:
neutron accepts CIDR in security groups that are invalid in ovn
Status in neutron:
New
Bug description:
We have found that there are some CIDR accepted by neutron, which does
not work in networking ovn. Specifically, these are network CIDRs with
the host bits set.
Steps to reproduce
- Create VM. Attach a floating IP to it
- Remove all security group. Attach a blank security group to it
- Add a security group rule and start ping
For example, if my IP is 10.10.10.175/26 (first 3 octets changed for
privacy), the following security rules work
openstack security group rule create --protocol icmp --remote-ip 10.10.10.175/32 cidr
openstack security group rule create --protocol icmp --remote-ip 10.10.10.128/26 cidr
However, the following security group rule do not work
openstack security group rule create --protocol icmp --remote-ip
10.10.10.175/26 cidr
FWIW, in our testing, CIDRs like 10.10.10.175/26 work in other
drivers, like linuxbridge and midonet.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1869129/+subscriptions
Follow ups
