Router update fails for ports with allowed_address_pairs containg IP range in CIDR notation
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu Cloud Archive |
Fix Released
|
Undecided
|
Unassigned | ||
Ussuri |
Fix Released
|
Undecided
|
Unassigned | ||
Victoria |
Fix Released
|
Undecided
|
Unassigned | ||
Wallaby |
Fix Released
|
Undecided
|
Unassigned | ||
Xena |
Fix Released
|
Undecided
|
Unassigned | ||
neutron |
Fix Released
|
Medium
|
Unassigned | ||
neutron (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Focal |
Fix Released
|
Medium
|
Unassigned | ||
Hirsute |
Fix Released
|
Medium
|
Unassigned | ||
Impish |
Fix Released
|
Medium
|
Unassigned |
Bug Description
With https:/
```
openstack port show 135515bf-
[{'mac_address': 'fa:16:
```
I could not find definitive information on wether this is an allowed value for allowed_
Once the above is set neutron-l3-agent logs errors shown in http://
Steps to reproduce:
Set up openstack environment with neutron build from git branch stable/train with OVS, DVR and router HA in a multinode deployment on ubuntu bionic.
Create a test environment:
openstack network create test
openstack subnet create --network test --subnet-range 10.0.0.0/24 test
openstack router create --ha --distributed test
openstack router set --external-gateway <provider network> test
openstack router add subnet test test
openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
openstack security group create icmp
openstack security group rule create --protocol icmp --ingress icmp
openstack server add security group test icmp
openstack floating ip create <provider network>
openstack server add floating ip test <floating ip>
ping <floating ip>
openstack port set --allowed-address ip-address=
ping <floating ip>
Observe loss of ping after setting allowed_
Revert https:/
ping <floating ip>
Observe reestablishment of the connection.
Please let me know if you need any other information
+++++++
SRU:
[Impact]
VM with floating ip are unreachable from external
[Test Case]
Create a test environment on bionic ussuri
openstack network create test
openstack subnet create --network test --subnet-range 10.0.0.0/24 test
openstack router create --ha --distributed test
openstack router set --external-gateway <provider network> test
openstack router add subnet test test
openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
openstack security group create icmp
openstack security group rule create --protocol icmp --ingress icmp
openstack server add security group test icmp
openstack floating ip create <provider network>
openstack server add floating ip test <floating ip>
ping <floating ip>
openstack port set --allowed-address ip-address=
openstack router set --disable <router>
openstack router set --enable <router>
ping <floating ip>
# ping should be successful after router is enabled.
[Regression Potential]
The only possibilities for allowed_
Changed in neutron (Ubuntu Focal): | |
importance: | Undecided → Medium |
Changed in neutron (Ubuntu Hirsute): | |
importance: | Undecided → Medium |
Changed in neutron (Ubuntu Impish): | |
importance: | Undecided → Medium |
Changed in neutron (Ubuntu Impish): | |
status: | New → Fix Released |
Changed in neutron (Ubuntu): | |
status: | New → Fix Released |
I think I know what is wrong there. If there is CIDR given as allowed address pair, we should probably add all IPs from such cidr to the arp table. There is no way to add CIDR as arp entry in the Linuxx AFAIK.