yahoo-eng-team mailing list archive, Message #88185
[Bug 1959699] [NEW] Disallow users to allocate gateway ip of external subnets as floating ip
Public bug reported:
Currently a user can allocate the gateway ip of an external network as a
floating ip. This is possible, as the only validation on a user
specified ip address is done by the ipam module, which checks that an ip
is in the range of the subnet(s) and that it is not already allocated.
Because OpenStack has no port for the external gateway the subnet of an
external network is marked as free.
This is a problem because now a user can allocate an IP address that
might be otherwise in use (externally of OpenStack / inside a provider
network). Depending on the network plugins used, the user could either
end up with an unusable floating ip or (in the worst case) create
something that arps for this IP and redirects traffic away from the
original gateway, causing an outage. Therefore I propose we forbid users
from allocating floatingips that are also the gateway ip in a floating
ip network. Note that OpenStack would not allocate the gateway ip
itself, as it only allocates from the subnet's allocation pool by
default.
To fix this I'd propose we either explicitly deny using the gateway ip
or require the user-specified IP for a subnet to be from the allocation
pool. I'd be happy to provide a patch once we have decided how to
approach this.
This can be recreated with a simple cli command:
    openstack floating ip create $fip_network --floating-ip-address $gateway_ip_of_subnet
A similar bug was filed and fixed for putting routers into provider
networks: https://bugs.launchpad.net/neutron/+bug/1757482
Breaking testcase (neutron/tests/unit/extensions/test_l3.py):
    from webob import exc  # already imported at the top of test_l3.py

    class L3NatTestCaseBase(L3NatTestCaseMixin):
        def test_create_floatingip_on_external_subnet_gateway_fails(self):
            with self.subnet(cidr='11.0.0.0/24') as public_sub:
                self._set_net_external(public_sub['subnet']['network_id'])
                # Requesting the subnet's own gateway_ip as the floating IP
                # is expected to be rejected with HTTP 400.
                self._make_floatingip(
                    self.fmt,
                    public_sub['subnet']['network_id'],
                    floating_ip=public_sub['subnet']['gateway_ip'],
                    http_status=exc.HTTPBadRequest.code)
Preliminary discussion in IRC:
https://meetings.opendev.org/irclogs/%23openstack-neutron/%23openstack-neutron.2022-02-01.log.html#t2022-02-01T15:02:10
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1959699
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1959699/+subscriptions
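As an added illustration, not Neutron's code and not the reporter's patch, the following Python check implements the two options the report proposes (deny the gateway address outright, or additionally require the address to come from an allocation pool) against a constructed external subnet; `validate_floating_ip`, `is_allowed` and the subnet dict layout are assumptions of this example.

```python
import ipaddress


class FloatingIPRejected(ValueError):
    """Stands in for the HTTP 400 the bug's test case expects."""


def validate_floating_ip(requested_ip, subnets, require_pool=False):
    """Return the subnet dict whose CIDR contains requested_ip.

    subnets: list of dicts with 'cidr', 'gateway_ip' (may be None) and
    'allocation_pools' (list of {'start': ..., 'end': ...}), loosely
    mirroring the subnet dicts used in the bug's test case (assumed shape).
    Raises FloatingIPRejected when the address is outside every subnet,
    equals a subnet's gateway_ip, or (with require_pool=True) lies
    outside all of that subnet's allocation pools.
    """
    ip = ipaddress.ip_address(requested_ip)
    for subnet in subnets:
        if ip not in ipaddress.ip_network(subnet['cidr']):
            continue
        # Option 1 from the report: explicitly deny the gateway address.
        gw = subnet.get('gateway_ip')
        if gw is not None and ip == ipaddress.ip_address(gw):
            raise FloatingIPRejected(f'{ip} is the gateway of {subnet["cidr"]}')
        # Option 2 from the report: only accept addresses from a pool.
        if require_pool:
            in_pool = any(
                ipaddress.ip_address(p['start']) <= ip <= ipaddress.ip_address(p['end'])
                for p in subnet.get('allocation_pools', []))
            if not in_pool:
                raise FloatingIPRejected(f'{ip} is outside the pools of {subnet["cidr"]}')
        return subnet
    raise FloatingIPRejected(f'{ip} is not in any subnet of the external network')


def is_allowed(requested_ip, subnets, require_pool=False):
    """Boolean wrapper: True if the floating IP request would pass the check."""
    try:
        validate_floating_ip(requested_ip, subnets, require_pool)
        return True
    except FloatingIPRejected:
        return False


# Constructed external subnet (the reporter's 11.0.0.0/24): gateway .1 and a
# deliberately narrow pool, so in-range but out-of-pool addresses exist.
EXTERNAL_SUBNETS = [{
    'cidr': '11.0.0.0/24',
    'gateway_ip': '11.0.0.1',
    'allocation_pools': [{'start': '11.0.0.100', 'end': '11.0.0.200'}],
}]
```

With option 1 alone, 11.0.0.50 is still accepted (in range, not the gateway, not allocated); with `require_pool=True` it is rejected as well, which is the stricter behaviour the report's second option describes.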