VPNaaS: peer-cidr validation is invalid

Bug #1633941 reported by Hiroyuki Ito
Affects: neutron
Status: Fix Released
Importance: Low
Assigned to: Dongcan Ye

Bug Description

When creating an ipsec-site-connection in VPNaaS, it looks like peer-cidr validation is invalid.
A cidr format like "10/8" should be rejected, like cidr in subnet resources, but it is accepted, as in the following:

$ neutron ipsec-site-connection-create --vpnservice-id service1 --ikepolicy-id ike1 --ipsecpolicy-id ipsec1 --peer-id 192.168.7.1 --peer-address 192.168.7.1 --peer-cidr 10/8 --psk pass
Created a new ipsec_site_connection:
+-------------------+----------------------------------------------------+
| Field | Value |
+-------------------+----------------------------------------------------+
| admin_state_up | True |
| auth_mode | psk |
| description | |
| dpd | {"action": "hold", "interval": 30, "timeout": 120} |
| id | 2bed308f-5462-45bb-ae79-5cb9003424ef |
| ikepolicy_id | be1f92ab-8064-4328-8862-777ae6878691 |
| initiator | bi-directional |
| ipsecpolicy_id | 09c67ae8-6ede-47ca-a15b-c52be1d7feaf |
| local_ep_group_id | |
| local_id | |
| mtu | 1500 |
| name | |
| peer_address | 192.168.7.1 |
| peer_cidrs | 10/8 |
| peer_ep_group_id | |
| peer_id | 192.168.7.1 |
| project_id | 068a47c758ae4b5d9fab059539e57740 |
| psk | pass |
| route_mode | static |
| status | PENDING_CREATE |
| tenant_id | 068a47c758ae4b5d9fab059539e57740 |
| vpnservice_id | 4f82612c-5e3a-4699-aafa-bdfa5ede31fe |
+-------------------+----------------------------------------------------+

I think this is because the _validate_subnet_list_or_none method in neutron_vpnaas.extensions.vpnaas doesn't return the result.

Tags: vpnaas
Dongcan Ye (hellochosen)
Changed in neutron:
status: New → Confirmed
assignee: nobody → Dongcan Ye (hellochosen)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/387408

Changed in neutron:
status: Confirmed → In Progress
Changed in neutron:
status: In Progress → Confirmed
importance: Undecided → Low
status: Confirmed → In Progress
Changed in neutron:
importance: Low → Medium
Changed in neutron:
importance: Medium → Low
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (master)

Reviewed: https://review.openstack.org/387408
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=c1adb319f18feeffe02fd889c69347805f7e654c
Submitter: Jenkins
Branch: master

commit c1adb319f18feeffe02fd889c69347805f7e654c
Author: Dongcan Ye <email address hidden>
Date: Mon Oct 17 20:32:36 2016 +0800

    Validate peer_cidrs for ipsec_site_connections

    When cidrs format of remote peer is incorrect, we should get
    validate message from neutron-lib. Meanwhile this patch
    add a validator for peer_cidrs in db.

    Change-Id: Ia77208f9a6704b651929c35c85dbc227972014aa
    Closes-Bug: #1633941

Changed in neutron:
status: In Progress → Fix Released
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/neutron-vpnaas 10.0.0

This issue was fixed in the openstack/neutron-vpnaas 10.0.0 release.
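
The defect described in this report, as an added example that is not code from neutron-vpnaas or neutron-lib: a wrapper validator that calls the real check but drops its result, shown beside the version that returns it. It assumes the convention that a validator returns None for valid input and an error string otherwise; all function names are hypothetical, and the standard-library ipaddress module stands in for the project's own CIDR check.

```python
import ipaddress

# Assumed convention: a validator returns None when the value is valid,
# or a human-readable error string when it is not.

def validate_subnet(data):
    """Return None for a well-formed CIDR string, else an error message."""
    if not isinstance(data, str) or "/" not in data:
        return f"'{data}' is not a valid IP subnet CIDR"
    try:
        # Rejects shorthand such as "10/8": "10" is not a full address.
        ipaddress.ip_network(data, strict=False)
    except ValueError:
        return f"'{data}' is not a valid IP subnet CIDR"
    return None

def validate_subnet_list(data):
    """Return the first error found in a list of CIDRs, or None."""
    if not isinstance(data, list):
        return f"'{data}' is not a list"
    for item in data:
        msg = validate_subnet(item)
        if msg:
            return msg
    return None

def subnet_list_or_none_buggy(data):
    # Defect pattern: the check runs, but its result is discarded, so the
    # caller always sees None ("valid") regardless of the input.
    if data is not None:
        validate_subnet_list(data)

def subnet_list_or_none_fixed(data):
    # The result is propagated, so the API layer can reject the request.
    if data is not None:
        return validate_subnet_list(data)
    return None

def request_errors(body, validator):
    """Hypothetical API-layer helper: errors for the peer_cidrs attribute."""
    msg = validator(body.get("peer_cidrs"))
    return [] if msg is None else [msg]

if __name__ == "__main__":
    body = {"peer_cidrs": ["10/8"]}  # constructed sample request body
    print("buggy:", request_errors(body, subnet_list_or_none_buggy))
    print("fixed:", request_errors(body, subnet_list_or_none_fixed))
```

A unit test that feeds a malformed value to the wrapper and asserts a non-None result catches this class of bug, since the inner validator's own tests pass either way.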
