yahoo-eng-team team mailing list archive
Message #93260
[Bug 1959699] Re: Disallow users to allocate gateway ip of external subnets as floating ip
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/904783
** Changed in: neutron
Status: Invalid => In Progress
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1959699
Title:
Disallow users to allocate gateway ip of external subnets as floating
ip
Status in neutron:
In Progress
Bug description:
Currently a user can allocate the gateway ip of an external network as
a floating ip. This is possible, as the only validation on a user
specified ip address is done by the ipam module, which checks that an
ip is in the range of the subnet(s) and that it is not already
allocated. Because OpenStack has no port for the external gateway the
subnet of an external network is marked as free.
This is a problem because now a user can allocate an IP address that
might be otherwise in use (externally of OpenStack / inside a provider
network). Depending on the network plugins used, the user could either
end up with an unusable floating ip or (in the worst case) create
something that arps for this IP and redirects traffic away from the
original gateway, causing an outage. Therefore I propose we forbid
users from allocating floatingips that are also the gateway ip in a
floating ip network. Note that OpenStack would not allocate the
gateway ip itself, as it only allocates from the subnet's allocation
pool by default.
To fix this I'd propose we either explicitly deny using the gateway ip
or require the user-specified IP for a subnet to be from the
allocation pool. I'd be happy to provide a patch once we have decided
how to approach this.
This can be recreated with a simple cli command: openstack floating ip
create $fip_network --floating-ip-address $gateway_ip_of_subnet
A similar bug was filed and fixed for putting routers into provider
networks: https://bugs.launchpad.net/neutron/+bug/1757482
Breaking testcase (neutron/tests/unit/extensions/test_l3.py):
from webob import exc

class L3NatTestCaseBase(L3NatTestCaseMixin):
    def test_create_floatingip_on_external_subnet_gateway_fails(self):
        # Requesting the external subnet's gateway IP as a floating IP
        # must be rejected with 400 Bad Request.
        with self.subnet(cidr='11.0.0.0/24') as public_sub:
            self._set_net_external(public_sub['subnet']['network_id'])
            self._make_floatingip(
                self.fmt,
                public_sub['subnet']['network_id'],
                floating_ip=public_sub['subnet']['gateway_ip'],
                http_status=exc.HTTPBadRequest.code)
Preliminary discussion in IRC:
https://meetings.opendev.org/irclogs/%23openstack-neutron/%23openstack-neutron.2022-02-01.log.html#t2022-02-01T15:02:10
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1959699/+subscriptions
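As an added illustration (not Neutron's own code, and not part of the bug report above), the validation the report proposes, written in Python against subnet fields shaped like Neutron's API (cidr, gateway_ip, allocation_pools); the subnet data and the function name floating_ip_allowed are constructed for this example:

```python
# Added example: the two fix options from the report as one check, applied
# to a user-supplied floating IP before IPAM sees it. Function name and the
# sample subnet are constructed, not taken from neutron.
import ipaddress


def floating_ip_allowed(subnet, requested_ip, require_pool=True):
    """Return (allowed, reason) for a user-specified floating IP.

    Always rejects the subnet's gateway address (option 1 in the report).
    With require_pool=True it also rejects any address outside the subnet's
    allocation pools (option 2, the stricter variant). It does not check
    whether the address is already allocated; that remains IPAM's job.
    """
    net = ipaddress.ip_network(subnet["cidr"])
    ip = ipaddress.ip_address(requested_ip)
    if ip not in net:
        return False, "address not in subnet %s" % net
    gateway = subnet.get("gateway_ip")
    if gateway and ip == ipaddress.ip_address(gateway):
        return False, "address is the subnet gateway"
    if require_pool:
        pools = subnet.get("allocation_pools") or []
        in_pool = any(
            ipaddress.ip_address(p["start"]) <= ip <= ipaddress.ip_address(p["end"])
            for p in pools)
        if not in_pool:
            return False, "address outside allocation pools"
    return True, "ok"


# Constructed external subnet, shaped like the one in the report's test case.
# The gateway sits outside the allocation pool, as Neutron's default leaves it.
PUBLIC_SUBNET = {
    "cidr": "11.0.0.0/24",
    "gateway_ip": "11.0.0.1",
    "allocation_pools": [{"start": "11.0.0.2", "end": "11.0.0.254"}],
}

if __name__ == "__main__":
    for addr in ("11.0.0.1", "11.0.0.50", "11.0.0.255", "10.0.0.5"):
        print(addr, floating_ip_allowed(PUBLIC_SUBNET, addr))
```

With require_pool=False only the explicit gateway check applies, which is enough when the gateway is the sole address outside the pool that matters; the pool check additionally covers addresses such as 11.0.0.255 that the operator deliberately left unallocatable.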