allowed_address_pair validation should be done to exclude the port IP

Bug #1351988 reported by Vedamurthy Joshi
This bug affects 1 person
Affects: Juniper Openstack
Status: Fix Committed
Importance: High
Assigned to: Prakash Bailkeri

Bug Description

Build 1.10 2282

Per OpenStack documentation:
"Setting an allowed-address-pair that matches the mac_address and ip_address of a port is prevented. This is because that would have no effect since traffic matching the mac_address and ip_address is already allowed to pass through the port."

But Contrail allows such a config:

root@nodec22:/usr/lib/python2.7/dist-packages# neutron port-update 13c5ca47-ff5c-422e-beb5-7f68ae8d129b --allowed-address-pairs type=dict list=true ip_address=100.1.1.3
Updated port: 13c5ca47-ff5c-422e-beb5-7f68ae8d129b
root@nodec22:/usr/lib/python2.7/dist-packages#

root@nodec22:/usr/lib/python2.7/dist-packages# neutron port-show 13c5ca47-ff5c-422e-beb5-7f68ae8d129b
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | {"ip_address": "100.1.1.3/32", "mac_address": "02:13:c5:ca:47:ff"} |
| device_id | edd9acff-46c4-480d-acf4-b868917d9cd2 |
| device_owner | |
| fixed_ips | {"subnet_id": "26b80e71-a99a-45a3-8a36-c5c3ed348374", "ip_address": "100.1.1.3", "port_id": "13c5ca47-ff5c-422e-beb5-7f68ae8d129b", "net_id": "ddc414fc-e53a-420e-91ab-31095b0b161f"} |
| id | 13c5ca47-ff5c-422e-beb5-7f68ae8d129b |
| mac_address | 02:13:c5:ca:47:ff |
| name | 13c5ca47-ff5c-422e-beb5-7f68ae8d129b |
| network_id | ddc414fc-e53a-420e-91ab-31095b0b161f |
| security_groups | 42c9a8c6-ecd9-4a21-87a4-300f9facc953 |
| status | ACTIVE |
| tenant_id | 3aa6fd0a73b749fda20a2f46ea74d055 |
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

On a stock openstack with openvswitch:

root@nodec43:/usr/lib/python2.7/dist-packages/neutron/db# neutron port-update 2452fb9e-30fd-41b8-b49a-36e41766389e --allowed-address-pairs type=dict list=true ip_address=70.0.0.2
400-{u'NeutronError': {u'message': u"Port's Fixed IP and Mac Address match an address pair entry.", u'type': u'AddressPairMatchesPortFixedIPAndMac', u'detail': u''}}
root@nodec43:/usr/lib/python2.7/dist-packages/neutron/db#
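
The check that stock Neutron enforces and that this report asks Contrail to add can be sketched as follows. This is an added example, not code from Neutron or Contrail: the function names and the port dictionary layout are assumptions modelled on the port-show output above, the sample port is constructed from those values, and treating only host entries (bare address, /32 or /128) as a match is an assumption.

```python
import ipaddress


class AddressPairMatchesPortFixedIPAndMac(ValueError):
    """Named after the error type stock Neutron returns in the report."""


def _norm_mac(mac):
    # Compare MACs case-insensitively and tolerate '-' separators.
    return mac.strip().lower().replace("-", ":")


def redundant_pairs(port):
    """Return allowed-address-pair entries that only repeat the port's own
    fixed IP and MAC (hypothetical helper, not a Neutron API)."""
    port_mac = _norm_mac(port["mac_address"])
    fixed = {ipaddress.ip_address(f["ip_address"])
             for f in port.get("fixed_ips", [])}
    hits = []
    for pair in port.get("allowed_address_pairs", []):
        # An omitted MAC defaults to the port MAC, as in the output above.
        mac = _norm_mac(pair.get("mac_address") or port["mac_address"])
        # "100.1.1.3" and "100.1.1.3/32" must be treated as the same entry.
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        is_host = net.prefixlen == net.max_prefixlen
        if is_host and mac == port_mac and net.network_address in fixed:
            hits.append(pair)
    return hits


def validate_port(port):
    """Raise if any pair duplicates the port's fixed IP and MAC."""
    if redundant_pairs(port):
        raise AddressPairMatchesPortFixedIPAndMac(
            "Port's Fixed IP and Mac Address match an address pair entry.")
    return port


# Constructed sample: the port state shown in the port-show output above.
REPORTED_PORT = {
    "mac_address": "02:13:c5:ca:47:ff",
    "fixed_ips": [{"ip_address": "100.1.1.3"}],
    "allowed_address_pairs": [
        {"ip_address": "100.1.1.3/32", "mac_address": "02:13:c5:ca:47:ff"},
    ],
}
```

A plain string comparison of the pair's ip_address against the fixed IP would miss the stored form "100.1.1.3/32", which is why the entry is parsed as a network first.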

Prakash Bailkeri (prakashmb) wrote :
Changed in juniperopenstack:
status: New → Fix Committed