ML2 vlan type driver does not honor network_vlan_ranges

Bug #1269926 reported by Paul Ward
This bug affects 4 people
Affects: neutron
Status: Invalid
Importance: Undecided
Assigned to: Paul Ward
Milestone: (none)

Bug Description

I have the following configuration entry in /etc/neutron/plugins/ml2/ml2_conf.ini:

[ml2_type_vlan]
network_vlan_ranges = default:1:4093

However, creating a new network with a segmentation_id of 4094 is NOT prevented.

In looking at type_vlan.py (https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/type_vlan.py), I see validate_provider_segment() does no enforcement of the vlan ranges specified in network_vlan_ranges. It does validate that the physical network name is defined, that the segmentation_id specified is in the entire list of valid vlans, but it doesn't check against the actual range defined in ml2_conf.ini.

I propose a fix of simply checking the network segment's segmentation_id against the network_vlan_ranges defined range, which has been populated into the self.network_vlan_ranges dictionary in TypeVlanDriver. If the segmentation_id is out of the range, then raise an InvalidInput exception as is already done for other violations.

Paul Ward (wpward)
Changed in neutron:
assignee: nobody → Paul Ward (wpward)
Henry Gessau (gessau) wrote :

By creating a network with a specific vlan you are creating a provider network. A provider network can have any vlan and is not confined to the network_vlan_ranges, which is the pool for vlans for tenant networks.

Can you please confirm the command or API you used to create a network with vlan 4094?
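
The distinction drawn in the reply above, as an added Python example that is not part of the original thread and is not neutron's own code: it parses a `network_vlan_ranges` value and reports which provider segments fall outside the tenant pool, which is useful when auditing what admins have created. The function names and sample networks are constructed for illustration; the 1..4094 bounds are the usable 802.1Q VLAN IDs.

```python
# Added illustration; not neutron's type_vlan.py.
MIN_VLAN, MAX_VLAN = 1, 4094  # usable 802.1Q VLAN IDs


def parse_vlan_ranges(value):
    """Parse 'physnet[:min:max],...' into {physnet: [(min, max), ...]}."""
    ranges = {}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        parts = entry.split(":")
        if len(parts) == 1:            # physnet listed without a tenant pool
            ranges.setdefault(parts[0], [])
        elif len(parts) == 3:
            lo, hi = int(parts[1]), int(parts[2])
            if not MIN_VLAN <= lo <= hi <= MAX_VLAN:
                raise ValueError(f"bad VLAN range in {entry!r}")
            ranges.setdefault(parts[0], []).append((lo, hi))
        else:
            raise ValueError(f"malformed entry {entry!r}")
    return ranges


def classify_segment(ranges, physnet, vlan_id):
    """Return 'rejected', 'in-pool' or 'outside-pool' for a provider request."""
    if physnet not in ranges or not MIN_VLAN <= vlan_id <= MAX_VLAN:
        return "rejected"              # the two checks the report describes
    in_pool = any(lo <= vlan_id <= hi for lo, hi in ranges[physnet])
    return "in-pool" if in_pool else "outside-pool"


def audit(ranges, networks):
    """List provider networks whose VLAN lies outside the configured pool."""
    return [n["name"] for n in networks
            if classify_segment(ranges, n["physnet"], n["vlan"]) == "outside-pool"]


# Constructed sample data: the reporter's config and request, plus two more.
RANGES = parse_vlan_ranges("default:1:4093")
NETWORKS = [
    {"name": "test4094", "physnet": "default", "vlan": 4094},
    {"name": "tenant-a", "physnet": "default", "vlan": 100},
    {"name": "bad-phys", "physnet": "other", "vlan": 100},
]

if __name__ == "__main__":
    for n in NETWORKS:
        print(n["name"], classify_segment(RANGES, n["physnet"], n["vlan"]))
    print("outside pool:", audit(RANGES, NETWORKS))
```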

Paul Ward (wpward) wrote :

I'm creating the network via a UI, which does a REST API POST to https://<ip>/powervc/openstack/network/v2.0//networks with the following payload:

name: "test4094"
provider:network_type: "vlan"
provider:physical_network: "default"
provider:segmentation_id: 4094

Per the documentation, I assume the tenant_id is obtained via keystone.

yong sheng gong (gongysh) wrote :

This is a way we give to admin:
    "create_network:provider:network_type": "rule:admin_only",
    "create_network:provider:physical_network": "rule:admin_only",
    "create_network:provider:segmentation_id": "rule:admin_only",

Changed in neutron:
status: New → Invalid
brenda (tian-mingming) wrote :

I can reproduce this problem too. And I think it is a problem. When people manually set a vlan id for a network, the vlan type driver will validate if the provider network is contained in "network_vlan_ranges", but the vlan id is not validated. It's not consistent.

yujie (16189455-d) wrote :

This problem still exists in master. If we should keep consistent with the conf file, then what should we do when the conf file changes?
