Floating ip association to router interface should be restricted
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Won't Fix | Low | Michal Kelner Mishali | |
Bug Description
We found this bug using the vmware-nsx plugin, but it should be applicable to all plugins that support L3.
Created devstack_master + vmware-nsx
Created a router interface and assigned FIPs to the router interface, which is allowed.
I don't find any use case to assign an IP to a router port other than its LB VIP port.
Main reasons for restricting this:
-> To remove unwanted entries of fip from neutron db.
-> To reduce overhead of using floating ip pool (other pool may get exhausted).
REPRO STEPS:
myuser@
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+------
| id | name | tenant_id | mac_address | fixed_ips |
+------
| 3318efcd-
| 8fcda443-
| f6d54233-
+------
myuser@
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+------
| Field | Value |
+------
| admin_state_up | True |
| allowed_
| binding:host_id | |
| binding:vif_details | {"ovs_hybrid_plug": false, "nsx-logical-
| binding:vif_type | ovs |
| binding:vnic_type | normal |
| created_at | 2018-08-
| description | |
| device_id | 0fa3bbcd-
| device_owner | network:
| dns_assignment | {"hostname": "host-3-0-100-1", "ip_address": "3.0.100.1", "fqdn": "host-3-
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "7ff038d6-
| id | 8fcda443-
| mac_address | fa:16:3e:9a:a1:3e |
| name | |
| network_id | 186a719b-
| port_security_
| project_id | 00b7a6f394e9466
| provider_
| qos_policy_id | |
| revision_number | 3 |
| security_groups | |
| status | ACTIVE |
| tags | |
| tenant_id | 00b7a6f394e9466
| updated_at | 2018-08-
+------
myuser@
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new floatingip:
+------
| Field | Value |
+------
| created_at | 2018-08-
| description | |
| dns_domain | |
| dns_name | |
| fixed_ip_address | 3.0.100.1 |
| floating_ip_address | 172.24.0.22 |
| floating_network_id | b07e294c-
| id | ecc1da5f-
| port_id | 8fcda443-
| project_id | 00b7a6f394e9466
| revision_number | 0 |
| router_id | 0fa3bbcd-
| status | ACTIVE |
| tags | |
| tenant_id | 00b7a6f394e9466
| updated_at | 2018-08-
+------
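An audit for the condition reported above, as an added example that is not part of the original report or of Neutron's code: it flags floating IPs whose `port_id` points at a router-side port. It assumes port and floating IP records are available as lists of dicts with the field names shown in the CLI output; the function name and sample records are constructed, and the `device_owner` strings are the neutron-lib constants for router interface ports.

```python
# Added example: audit Neutron records for floating IPs bound to router ports.
# Assumed input: lists of dicts using the field names from the CLI output
# (id, device_owner, device_id, port_id, floating_ip_address, fixed_ip_address).

# device_owner values Neutron assigns to router interface ports.
ROUTER_PORT_OWNERS = {
    "network:router_interface",
    "network:router_interface_distributed",
    "network:ha_router_replicated_interface",
}


def find_fips_on_router_ports(ports, floating_ips):
    """Return one finding per floating IP whose port_id is a router interface."""
    router_ports = {
        p["id"]: p for p in ports if p.get("device_owner") in ROUTER_PORT_OWNERS
    }
    findings = []
    for fip in floating_ips:
        port = router_ports.get(fip.get("port_id"))  # None when unassociated
        if port is None:
            continue
        findings.append({
            "floating_ip_id": fip["id"],
            "floating_ip_address": fip["floating_ip_address"],
            "fixed_ip_address": fip.get("fixed_ip_address"),
            "port_id": port["id"],
            "router_id": port.get("device_id"),
            "device_owner": port["device_owner"],
        })
    return findings


# Constructed sample records (IDs are placeholders, not values from the report).
SAMPLE_PORTS = [
    {"id": "port-router-intf", "device_owner": "network:router_interface", "device_id": "router-1"},
    {"id": "port-vm", "device_owner": "compute:nova", "device_id": "server-1"},
    {"id": "port-dhcp", "device_owner": "network:dhcp", "device_id": "dhcp-1"},
]
SAMPLE_FIPS = [
    {"id": "fip-a", "floating_ip_address": "172.24.0.22", "fixed_ip_address": "3.0.100.1", "port_id": "port-router-intf"},
    {"id": "fip-b", "floating_ip_address": "172.24.0.23", "fixed_ip_address": "3.0.100.5", "port_id": "port-vm"},
    {"id": "fip-c", "floating_ip_address": "172.24.0.24", "fixed_ip_address": None, "port_id": None},
]

if __name__ == "__main__":
    for f in find_fips_on_router_ports(SAMPLE_PORTS, SAMPLE_FIPS):
        print(f"{f['floating_ip_address']} -> {f['port_id']} ({f['device_owner']}) router={f['router_id']}")
```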
Changed in neutron:
assignee: nobody → Michal Kelner Mishali (mkelnermishal)
Changed in neutron:
importance: Undecided → Low
Hello Boden,
Thank you for your information.
I would like to raise a few questions:
- What kind of bug is observed? What is incorrect? Is it incorrect that it is possible to assign a FIP to a router interface?
I checked that on devstack with (almost) master version and I can confirm that it is possible to do such a thing on a router port from a private subnet with a floating IP from the public subnet used for the gateway for the router.
I will raise that within the team,
Cheers,
Paweł