VPNaaS: Enhance error checking on subnet changes
Bug #1503862 reported by
Paul Michali
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| neutron |
Invalid
|
Medium
|
Paul Michali | ||
Bug Description
Currently, if the CIDR of a subnet changes, and that subnet is used by VPN, there is no checking performed.
Should add a notification for subnet CIDR changes and either block the change, if in use by VPN service/endpoint group, or to cause a sync operation in VPN so that existing connections are updated (if possible).
I'm not sure which would be better. Need to ensure that we don't disrupt any existing IPSec connections that have not changed.
Need to ensure this supports the new endpoint group capability for VPNaaS, where local subnets are specified in endpoint groups (versus the older method of a sole subnet being associated with a VPN service).
| tags: | added: api |
| tags: | added: liberty-rc-potential |
| Changed in neutron: | |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
| tags: | added: needs-attention |
Revision history for this message
| Paul Michali (pcm) wrote | #1 |
| tags: |
added: liberty-backport-potential removed: liberty-rc-potential |
| Changed in neutron: | |
| assignee: | nobody → Paul Michali (pcm) |
| status: | Confirmed → In Progress |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to neutron (master) | #2 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Change abandoned on neutron (master) | #3 |
Revision history for this message
| Paul Michali (pcm) wrote | #4 |
| Changed in neutron: | |
| status: | In Progress → Invalid |
To post a comment you must log in.
The easiest thing is to block the change, which is what is done for delete and other resources, so will likely go with that solution for now.