DVR interfaces with device_owner network:router_centralized_snat or device_owner network:floatingip_agent_gateway can be deleted using port-delete

Bug #1425504 reported by Itzik Brown
Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Swaminathan Vasudevan

Bug Description

It's possible to delete the SNAT port or a floatingip_agent_gateway port belonging to a DVR by using port-delete.

How to reproduce
===============
After creating a distributed router, list all the ports with device_owner network:router_centralized_snat
# neutron port-list --device_owner network:router_centralized_snat

Delete the port
# neutron port-delete <port-id>

Trying to delete a port with device_owner: network:router_interface_distributed

The above is also true for network:floatingip_agent_gateway.

Version
======
python-neutron-2014.2.2-1.el7ost.noarch
openstack-neutron-2014.2.2-1.el7ost.noarch
openstack-neutron-openvswitch-2014.2.2-1.el7ost.noarch
python-neutronclient-2.3.9-1.el7ost.noarch

Itzik Brown (itzikb1)
summary: - DVR interface with device_owener network:router_centralized_snat can be
- deleted using port-delete
+ DVR interfaces with device_owner network:router_centralized_snat or
+ device_owner network:floatingip_agent_gateway can be deleted using port-
+ delete
description: updated
tags: added: l3-dvr-backlog
Changed in neutron:
assignee: nobody → Swaminathan Vasudevan (swaminathan-vasudevan)
Swaminathan Vasudevan (swaminathan-vasudevan) wrote :

I do see the issue here. I will post a patch soon.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/159679

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/159679
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=17cae2cb7e6ece0d7219fdd92e2d0eb96992b852
Submitter: Jenkins
Branch: master

commit 17cae2cb7e6ece0d7219fdd92e2d0eb96992b852
Author: Swaminathan Vasudevan <email address hidden>
Date: Thu Feb 26 13:29:26 2015 -0800

    Prevent direct port-delete of FIP Agent GW and CSNAT

    FloatingIP Agent GW Port and Centralized SNAT port
    that are currently used by DVR in FloatingIP and
    SNAT Namespaces respectively should not be allowed
    to delete directly using the Port-delete command by
    an admin.

    This patch fixes the above stated issue by adding the
    respective device-owners to the router_device_owners
    list in l3_dvr_db.py

    Change-Id: Ibdddf2af348907d2ec7513693d546739e16437dc
    Closes-Bug: #1425504
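
The guard described in the commit message above, as an added example that is not Neutron's own code: a simplified model of a delete path that refuses direct deletes for any port whose device_owner is in router_device_owners. Only that list name and the three network:* device_owner strings come from this report; PortStore, PortInUse, the from_api flag, the sample ports and the pre-fix list contents are assumptions made for the sketch.

```python
# Added illustration: a simplified model, not code from the Neutron tree.
DVR_INTERFACE = "network:router_interface_distributed"
CSNAT = "network:router_centralized_snat"
FIP_AGENT_GW = "network:floatingip_agent_gateway"

# Assumption: before the fix the DVR list covered the distributed interface only.
OWNERS_BEFORE_FIX = (DVR_INTERFACE,)
# The fix adds the two DVR-internal owners named in this bug.
OWNERS_AFTER_FIX = OWNERS_BEFORE_FIX + (CSNAT, FIP_AGENT_GW)


class PortInUse(Exception):
    """Hypothetical error returned to the API caller."""


class PortStore:
    """Hypothetical in-memory stand-in for the plugin's port table."""

    def __init__(self, router_device_owners, ports):
        self.router_device_owners = router_device_owners
        self.ports = {p["id"]: p for p in ports}

    def delete_port(self, port_id, from_api=True):
        port = self.ports[port_id]
        # Direct API deletes are refused for router-owned ports; the router
        # code itself (from_api=False) must still be able to clean them up.
        if from_api and port["device_owner"] in self.router_device_owners:
            raise PortInUse(f"{port_id} is owned by {port['device_owner']}")
        del self.ports[port_id]


def direct_delete_results(router_device_owners):
    """Try an API-style delete on each sample port; map device_owner -> outcome."""
    ports = [  # constructed sample ports
        {"id": "p-snat", "device_owner": CSNAT},
        {"id": "p-fipgw", "device_owner": FIP_AGENT_GW},
        {"id": "p-dvr", "device_owner": DVR_INTERFACE},
        {"id": "p-vm", "device_owner": "compute:nova"},
    ]
    store = PortStore(router_device_owners, ports)
    results = {}
    for port in ports:
        try:
            store.delete_port(port["id"])
            results[port["device_owner"]] = "deleted"
        except PortInUse:
            results[port["device_owner"]] = "refused"
    return results
```

Comparing direct_delete_results(OWNERS_BEFORE_FIX) with direct_delete_results(OWNERS_AFTER_FIX) shows the two DVR-internal ports changing from "deleted" to "refused" while an ordinary instance port stays deletable.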

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: kilo-3 → 2015.1.0