neutron

Floating ip association to router interface should be restricted

Bug #1787420 reported by Boden R on 2018-08-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Won't Fix	Low	Michal Kelner Mishali

Bug Description

We found this bug using the vmware-nsx plugin, but should be applicable to all plugins support L3.

Created devstack_master + vmware-nsx

Created router-interface and assigned fip's to router interface which is allowed.
I dont find any usecase to assign ip to router port other than its LB vip port.

Main reason for restricted this:
-> To remove unwanted entries of fip from neutron db.
-> To reduce overhead of using floating ip pool (other pool may get exhausted).

REPO STEPS:

myuser@kvm-compute-node1:~/devstack$ neutron router-port-list rtr3
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+------+----------------------------------+-------------------+------------------------------------------------------------------------------------+
| id | name | tenant_id | mac_address | fixed_ips |
+--------------------------------------+------+----------------------------------+-------------------+------------------------------------------------------------------------------------+
| 3318efcd-fcd1-4dda-bdde-4c8a19fbee3a | | | fa:16:3e:c1:00:fd | {"subnet_id": "afb2f79d-3c25-47de-a273-27bab2b78800", "ip_address": "172.24.0.19"} |
| 8fcda443-dd4d-431f-ba3d-fbd5764830d9 | | 00b7a6f394e946688c83545da6a27804 | fa:16:3e:9a:a1:3e | {"subnet_id": "7ff038d6-3b3c-4127-a45a-f135ac07f3bb", "ip_address": "3.0.100.1"} |
| f6d54233-a8aa-4304-bc16-20f0071dfc47 | | 00b7a6f394e946688c83545da6a27804 | fa:16:3e:99:35:61 | {"subnet_id": "c16dce8d-899e-45f7-b615-557c2e231ce5", "ip_address": "3.3.100.1"} |
+--------------------------------------+------+----------------------------------+-------------------+------------------------------------------------------------------------------------+

myuser@kvm-compute-node1:~/devstack$ neutron port-show 8fcda443-dd4d-431f-ba3d-fbd5764830d9
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------+------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+--------------------------+------------------------------------------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:host_id | |
| binding:vif_details | {"ovs_hybrid_plug": false, "nsx-logical-switch-id": "c1a562e9-54bd-4ca6-9071-d622155e7ee6", "port_filter": true} |
| binding:vif_type | ovs |
| binding:vnic_type | normal |
| created_at | 2018-08-13T16:19:11Z |
| description | |
| device_id | 0fa3bbcd-2a24-4c1d-ba56-d7e2c88a60ba |
| device_owner | network:router_interface |
| dns_assignment | {"hostname": "host-3-0-100-1", "ip_address": "3.0.100.1", "fqdn": "host-3-0-100-1.somedom.org."} |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "7ff038d6-3b3c-4127-a45a-f135ac07f3bb", "ip_address": "3.0.100.1"} |
| id | 8fcda443-dd4d-431f-ba3d-fbd5764830d9 |
| mac_address | fa:16:3e:9a:a1:3e |
| name | |
| network_id | 186a719b-7ca8-485a-9869-3eb60ef62020 |
| port_security_enabled | False |
| project_id | 00b7a6f394e946688c83545da6a27804 |
| provider_security_groups | |
| qos_policy_id | |
| revision_number | 3 |
| security_groups | |
| status | ACTIVE |
| tags | |
| tenant_id | 00b7a6f394e946688c83545da6a27804 |
| updated_at | 2018-08-13T16:19:12Z |
+--------------------------+------------------------------------------------------------------------------------------------------------------+

Revision history for this message

Pawel Suder (pasuder) wrote on 2018-08-17:

Hello Boden,

Thank you for your information.

I would like to raise few questions:

- what kind of bug is observed? what is incorrect? is it incorrect that it is possible to assign FIP to router interface?

I checked that on devstack with (almost) master version and I can confirm that it is possible to do such thing on router port from private subnet with floating ip from public subnet used for gateway for router.

I will raise that within team,

Cheers,
Paweł

Changed in neutron:
status:	New → Triaged

Salvatore Orlando (salvatore-orlando) on 2018-08-30

Changed in neutron:
assignee:	nobody → Michal Kelner Mishali (mkelnermishal)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-09-04: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/599572

Changed in neutron:
status:	Triaged → In Progress

Revision history for this message

Michal Kelner Mishali (mkelnermishal) wrote on 2018-09-06:

Hey Pawel,

no harm will be done assigning fip to port i/f. It’s mostly a way of telling the user he’s doing something that makes no sense, and since floating IPs might be a precious resource, it would be good to avoid wasting one for associating it to an interface that cannot possibly respond.
Michal

Miguel Lavalle (minsel) on 2018-10-03

Changed in neutron:
importance:	Undecided → Low

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-12-02: Change abandoned on neutron (master)

Change abandoned by "Rodolfo Alonso <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/599572

Revision history for this message

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote on 2022-12-12:

Bug closed due to lack of activity, please feel free to reopen if needed.

Changed in neutron:
status:	In Progress → Won't Fix

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.