commit a6b2c22dcea73754dbfd0ef39c60ad28ab2dbb73
Author: Kevin Benton <email address hidden>
Date: Mon Mar 30 23:52:56 2015 -0700
Set IPset hash type to 'net' instead of 'ip'

The previous hash type was 'ip' and this caused a major
issue with the allowed address pairs extension since it
results in CIDRs being passed to ipset. When the hash type
is 'ip', a CIDR is completely enumerated into all of its
addresses so 10.100.0.0/16 results in ~65k entries. This
meant a single allowed_address_pairs entry could easily
exhaust an entire set.

This patch changes the hash type to 'net', which is designed
to handle a CIDR as a single entry.

This patch also changes the names of the ipsets because
creating an ipset with different parameters will cause an
error and our ipset manager code isn't robust enough to handle
that at this time. There is another ongoing patch to fix
that but it won't be ready in time.[1]

The related bug was closed by increasing the set limit, which
did alleviate the problem. However, this change would also
address the issue because the gate tests run an allowed address
pairs extension test with the CIDR mentioned above.
Reviewed: https://review.openstack.org/174699
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a6b2c22dcea73754dbfd0ef39c60ad28ab2dbb73
Submitter: Jenkins
Branch: stable/kilo
1. I59e2e1c090cb95ee1bd14dbb53b6ff2c5e2713fd
Related-Bug: #1439817
Closes-Bug: #1444397
Change-Id: I8177699b157cd3eac46e2f481f47b5d966c49b07
(cherry picked from commit a38b5df5cd3c47672705aad4c30e789ae11ec958)
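
The sizing problem the commit message describes can be modelled as a pre-flight check. This is an added example, not code from the neutron patch: it counts how many set elements a member list consumes under hash:ip versus hash:net and refuses to emit `ipset restore` input for a set that would overflow. The set name, function names and sample members are hypothetical, and 65536 is assumed as the limit because it is ipset's default maxelem.

```python
import ipaddress

DEFAULT_MAXELEM = 65536  # ipset's default maxelem for hash-type sets


def element_cost(member, set_type):
    """Elements one IPv4 address or CIDR consumes in a set of this type."""
    net = ipaddress.IPv4Network(member, strict=False)
    if set_type == "hash:net":
        return 1  # the CIDR is stored as a single element
    if set_type == "hash:ip":
        return net.num_addresses  # the CIDR is enumerated address by address
    raise ValueError(f"unsupported set type: {set_type}")


def plan_set(members, set_type, maxelem=DEFAULT_MAXELEM):
    """Return (total_elements, fits, expanded_members) for a proposed set."""
    costs = {m: element_cost(m, set_type) for m in members}
    total = sum(costs.values())
    expanded = sorted(m for m, cost in costs.items() if cost > 1)
    return total, total <= maxelem, expanded


def restore_lines(name, members, set_type, maxelem=DEFAULT_MAXELEM):
    """Build `ipset restore` input, refusing sets that would overflow."""
    total, fits, expanded = plan_set(members, set_type, maxelem)
    if not fits:
        raise ValueError(
            f"{name}: {total} elements exceed maxelem={maxelem}; "
            f"expanded members: {', '.join(expanded)}")
    lines = [f"create {name} {set_type} family inet maxelem {maxelem}"]
    lines += [f"add {name} {m}" for m in members]
    return lines


# Constructed sample: two fixed IPs plus the CIDR from the commit message.
SAMPLE_MEMBERS = ["10.0.0.5", "10.0.0.6", "10.100.0.0/16"]
SET_NAME = "example-sg-set"  # hypothetical name, not neutron's naming scheme

if __name__ == "__main__":
    for set_type in ("hash:ip", "hash:net"):
        print(set_type, plan_set(SAMPLE_MEMBERS, set_type))
    print("\n".join(restore_lines(SET_NAME, SAMPLE_MEMBERS, "hash:net")))
```
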