From ac8fb28a920c7a6284d41f7cce054ea1b2e73cb1 Mon Sep 17 00:00:00 2001 From: Aaron Rosen Date: Thu, 11 Jun 2015 13:58:16 -0700 Subject: [PATCH] Disable allowed_address_pair ip 0.0.0.0/0 ::/0 for ipset Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if these addresses were inputted as allowed address pairs. This causes ipset to raise an error as it does not work with zero prefix sizes. To solve this problem we use two ipset rules to represent this. This was correctly fixed in a backport to kilo though we did not have the cycles to backport this exact fix to juno as in juno additional work needs to be done because the iptable and ipset code are interleaved together. This patch fixes this issue by disabling one from creating an address pair of zero lenght. This patch also provides a small tool which one should run: tools/fix_zero_length_ip_prefix.py which changes all zero length address_pair rules into two address pair rules of: Ipv4: 0.0.0.0/1 and 128.0.0.1/1 IPv6: ::/1' and '8000::/1 to avoid the problem. After this patch is merged into juno it will be easier for us to apply a better change to allow /0 addresses again in juno. Closes-bug: 1461054 Co-Authored-by: Darragh O'Reilly --- neutron/extensions/allowedaddresspairs.py | 9 +++- .../unit/test_extension_allowedaddresspairs.py | 5 ++ tools/fix_zero_length_ip_prefix.py | 59 ++++++++++++++++++++++ 3 files changed, 72 insertions(+), 1 deletion(-) create mode 100755 tools/fix_zero_length_ip_prefix.py diff --git a/neutron/extensions/allowedaddresspairs.py b/neutron/extensions/allowedaddresspairs.py index 6588d5f..a773a17 100644 --- a/neutron/extensions/allowedaddresspairs.py +++ b/neutron/extensions/allowedaddresspairs.py @@ -12,6 +12,7 @@ # License for the specific language governing permissions and limitations # under the License. +import netaddr import webob.exc from neutron.api.v2 import attributes as attr @@ -46,6 +47,10 @@ class AllowedAddressPairExhausted(nexception.BadRequest): "exceeds the maximum %(quota)s.") +class AllowedAddressPairsZeroPrefixNotAllowed(nexception.InvalidInput): + message = _("AllowedAddressPair CIDR cannot have prefix length zero") + + def _validate_allowed_address_pairs(address_pairs, valid_values=None): unique_check = {} if len(address_pairs) > cfg.CONF.max_allowed_address_pair: @@ -77,7 +82,9 @@ def _validate_allowed_address_pairs(address_pairs, valid_values=None): set(['mac_address', 'ip_address']))) raise webob.exc.HTTPBadRequest(msg) - if '/' in ip_address: + if (netaddr.IPNetwork(ip_address).prefixlen == 0): + raise AllowedAddressPairsZeroPrefixNotAllowed() + elif '/' in ip_address: msg = attr._validate_subnet(ip_address) else: msg = attr._validate_ip_address(ip_address) diff --git a/neutron/tests/unit/test_extension_allowedaddresspairs.py b/neutron/tests/unit/test_extension_allowedaddresspairs.py index bcaa11b..f15c402 100644 --- a/neutron/tests/unit/test_extension_allowedaddresspairs.py +++ b/neutron/tests/unit/test_extension_allowedaddresspairs.py @@ -140,6 +140,11 @@ class TestAllowedAddressPairs(AllowedAddressPairDBTestCase): self.deserialize(self.fmt, res) self.assertEqual(res.status_int, 409) + def test_create_port_zero_prefix_ip(self): + address_pairs = [{'mac_address': 'invalid_mac', + 'ip_address': '0.0.0.0/0'}] + self._create_port_with_address_pairs(address_pairs, 400) + def test_create_port_bad_mac(self): address_pairs = [{'mac_address': 'invalid_mac', 'ip_address': '10.0.0.1'}] diff --git a/tools/fix_zero_length_ip_prefix.py b/tools/fix_zero_length_ip_prefix.py new file mode 100755 index 0000000..dbbafb5 --- /dev/null +++ b/tools/fix_zero_length_ip_prefix.py @@ -0,0 +1,59 @@ +""" +This script is needed to convert addresses that are zero prefix to be two +address of one prefix to avoid a bug that exists in juno where the ipset +manager isn't able to handle zero prefix lenght addresses. +""" + +import os +import sys + +import netaddr +from neutronclient.v2_0 import client + + +def main(): + try: + username = os.environ['OS_USERNAME'] + tenant_name = os.environ['OS_TENANT_NAME'] + password = os.environ['OS_PASSWORD'] + auth_url = os.environ['OS_AUTH_URL'] + except KeyError: + print("You need to source your openstack creds file first!") + sys.exit(1) + + neutron = client.Client(username=username, + tenant_name=tenant_name, + password=password, + auth_url=auth_url) + + ports = neutron.list_ports() + for port in ports['ports']: + new_address_pairs = [] + needs_update = False + allowed_address_pairs = port.get('allowed_address_pairs') + if allowed_address_pairs: + for address_pair in allowed_address_pairs: + ip = address_pair['ip_address'] + mac = address_pair['mac_address'] + if(netaddr.IPNetwork(ip).prefixlen == 0): + needs_update = True + if(netaddr.IPNetwork(ip).version == 4): + new_address_pairs.append({'ip_address': '0.0.0.0/1', + 'mac_address': mac}) + new_address_pairs.append({'ip_address': '128.0.0.0/1', + 'mac_address': mac}) + elif(netaddr.IPNetwork(ip).version == 6): + new_address_pairs.append({'ip_address': '::/1', + 'mac_address': mac}) + new_address_pairs.append({'ip_address': '8000::/1', + 'mac_address': mac}) + else: + new_address_pairs.append(address_pair) + if needs_update: + print ("Updating port %s with new address_pairs %s" % + (port['id'], new_address_pairs)) + neutron.update_port( + port['id'], + {'port': {'allowed_address_pairs': new_address_pairs}}) + +main() -- 1.9.1