neutron

Wrong CIDR configuration in subnet will cause all IP-related functions invalid.

Bug #1195974 reported by wingwj
14
This bug affects 3 people
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Medium
yong sheng gong
neutron 2013.2 "havana"

Bug Description

Now there’s no restrict check for CIDR during subnet creation.

If we create a subnet with wrong CIDR address-pool, like 10.0.1.1/24, the IP valid-check will always return False [def _check_subnet_ip() in db_base_plugin_v2.py].

This problem will cause all IP-related functions (like, vm creation in Nova, port creation in Quantum, etc.) fail when a fixed-IP pointed in request.

Thanks~

Tags: cidr subnet
Revision history for this message
wingwj (wingwj) wrote :
  • Bug-Test Doc~ Edit (417.5 KiB, application/vnd.openxmlformats-officedocument.wordprocessingml.document)
Revision history for this message
wingwj (wingwj) wrote :

Here is the patch I made. Plz check it.

Thanks~

Revision history for this message
yong sheng gong (gongysh) wrote :

following is my experiment with the wrong CIDR in python console:
>>> net = ip.IPNetwork('10.0.0.3/24')
>>> net.cidr
IPNetwork('10.0.0.0/24')
>>> net.netmask
IPAddress('255.255.255.0')

the conclusion is we need enhance the validation:
def _validate_subnet(data, valid_values=None):
    try:
        netaddr.IPNetwork(_validate_no_whitespace(data))
        if len(data.split('/')) == 2:
            return
    except Exception:
        pass

Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → yong sheng gong (gongysh)
milestone: none → havana-2
Revision history for this message
yong sheng gong (gongysh) wrote :

following is my experiment with wrong cidr 10.0.4.2/24:
$ quantum net-create net3
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
 +---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 3f206a91-a00b-497c-bc4d-36c8435d3293 |
| name | net3 |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 3 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | 51c051a17638408d8969ada0ae5b9b95 |
 +---------------------------+--------------------------------------+
$ quantum subnet-create net3 10.0.4.2/24 --name subnet3
Created a new subnet:
+------------------+--------------------------------------------+
| Field | Value |
 +------------------+--------------------------------------------+
| allocation_pools | {"start": "10.0.4.2", "end": "10.0.4.254"} |
| cidr | 10.0.4.2/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.0.4.1 |
| host_routes | |
| id | 95f6c03f-5881-40f8-9dcc-48c475650a35 |
| ip_version | 4 |
| name | subnet3 |
| network_id | 3f206a91-a00b-497c-bc4d-36c8435d3293 |
| tenant_id | 51c051a17638408d8969ada0ae5b9b95 |
 +------------------+--------------------------------------------+
$ quantum port-create net3 --fixed-ip ip_address=10.0.4.6
Invalid input for operation: IP address 10.0.4.6 is not a valid IP for the defined networks subnets.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/35013

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
yong sheng gong (gongysh) wrote :

After this patch:
$ quantum subnet-create net4 10.0.0.4/24
Invalid input for cidr. Reason: '10.0.0.4/24' isn't a recognized IP subnet cidr, '10.0.0.0/24' is recommended.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/35013
Committed: http://github.com/openstack/neutron/commit/53a66b299f18a7184972502b43441a5ad7b050fd
Submitter: Jenkins
Branch: master

commit 53a66b299f18a7184972502b43441a5ad7b050fd
Author: Yong Sheng Gong <email address hidden>
Date: Sun Jul 7 21:20:36 2013 +0800

    validate and recommend the cidr

    Bug #1195974

    It is hard to validate the CIDR typed in by user,
    the simple way is to recognize only one and recommend it
    if user's input is not the one.

    Change-Id: Ic8defe30a43a5ae69c3f737094f866b36bb68f59

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/48405

wingwj (wingwj)
tags: added: grizzly-backport-potential
Thierry Carrez (ttx)
Changed in neutron:
milestone: havana-2 → 2013.2
Alan Pevec (apevec)
tags: removed: grizzly-backport-potential
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.