
yahoo-eng-team team mailing list archive

[Bug 1869129] Re: neutron accepts CIDR in security groups that are invalid in ovn

 

** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1869129

Title:
  neutron accepts CIDR in security groups that are invalid in ovn

Status in neutron:
  Fix Released

Bug description:
  We have found that there are some CIDRs accepted by neutron which do
  not work in networking ovn. Specifically, these are network CIDRs with
  the host bits set.

  Steps to reproduce

  - Create VM. Attach a floating IP to it

  - Remove all security groups. Attach a blank security group to it

  - Add a security group rule and start ping

  For example, if my IP is 10.10.10.175/26 (first 3 octets changed for
  privacy), the following security rules work

  openstack security group rule create --protocol icmp --remote-ip 10.10.10.175/32 cidr
  openstack security group rule create --protocol icmp --remote-ip 10.10.10.128/26 cidr

  However, the following security group rule does not work

  openstack security group rule create --protocol icmp --remote-ip 10.10.10.175/26 cidr

  FWIW, in our testing, CIDRs like 10.10.10.175/26 work in other
  drivers, like linuxbridge and midonet.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1869129/+subscriptions
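
An added example, not part of the bug report and not neutron's fix: a small audit helper that flags `--remote-ip` prefixes whose host bits are set and reports the canonical network form. The function names and the sample list are assumptions made for illustration; the IPv4 values are the ones quoted in the report.

```python
import ipaddress


def check_remote_prefix(prefix):
    """Classify one remote-ip prefix.

    Returns (status, canonical), where status is "ok", "host-bits-set"
    or "invalid", and canonical is the network form of the prefix
    (None when the string does not parse).
    """
    try:
        iface = ipaddress.ip_interface(prefix)
    except ValueError:
        return ("invalid", None)
    canonical = str(iface.network)
    # Compare addresses, not strings: a /32 host route and a properly
    # aligned network both pass, only a misaligned prefix is flagged.
    if iface.ip != iface.network.network_address:
        return ("host-bits-set", canonical)
    return ("ok", canonical)


def audit(prefixes):
    """Map each prefix to its (status, canonical) classification."""
    return {p: check_remote_prefix(p) for p in prefixes}


# Constructed sample: the three IPv4 prefixes from the report, plus an
# IPv6 prefix and a malformed value added here to show those cases.
SAMPLE = [
    "10.10.10.175/32",
    "10.10.10.128/26",
    "10.10.10.175/26",
    "2001:db8::1/64",
    "10.10.10.300/26",
]

if __name__ == "__main__":
    for prefix, (status, canonical) in audit(SAMPLE).items():
        print(f"{prefix:20} {status:14} {canonical}")
```

Rules reported as `host-bits-set` are the ones that behave differently between drivers in the report; rewriting them to the canonical form gives the same match on every backend.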

