neutron doesn't check the validity of gateway_ip when a subnet is created

Bug #1835344 reported by Li Zhouzhou on 2019-07-04
Affects: neutron
Importance: Medium
Assigned to: Li Zhouzhou

Bug Description

Neutron doesn't check the validity of gateway_ip when a subnet is created.
Then, when we attach an interface to a router for this subnet, neutron-server reports an error, like: "IP address 10.10.13.254 is not a valid IP for the specified subnet."

How to reproduce:
1. Create a subnet, specifying a gateway_ip which isn't in the CIDR range.
# neutron subnet-create --name xxxx-subnet12 --gateway 10.10.13.254 xxx-net1 10.10.13.0/25

2. Create a router:
# neutron router-create xxx-router1

3. Attach an interface to a router for this subnet.
# neutron router-interface-add xxx-router1 xxx-subnet123

result:
expected: success
real: unsuccessful, "IP address 10.10.13.254 is not a valid IP for the specified subnet."

Improve:
So, I think we should check the validity of gateway_ip for the subnet when creating a subnet.

tests:
[root@xxxx]# neutron subnet-create --name xxx-subnet12 --gateway 10.10.13.254 xxx-pool-net1 10.10.13.0/25
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new subnet:
+---------------------+------------------------------------------------+
| Field | Value |
+---------------------+------------------------------------------------+
| allocation_pools | {"start": "10.10.13.1", "end": "10.10.13.126"} |
| available_ip_number | 126 |
| available_ips | {"start": "10.10.13.1", "end": "10.10.13.126"} |
| cidr | 10.10.13.0/25 |
| created_at | 2019-07-04T02:37:07Z |
| description | |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.10.13.254 |
| host_routes | |
| id | 16dc9a28-f4d2-4b1e-9922-d78b4453147a |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | xxx-subnet12 |
| network_id | 2fa614ec-8532-46a4-a23a-d599d1c1aaf8 |
| project_id | f0208ec2708e436fa02bb79bb3851f86 |
| revision_number | 0 |
| service_types | |
| subnetpool_id | |
| tags | |
| tenant_id | f0208ec2708e436fa02bb79bb3851f86 |
| updated_at | 2019-07-04T02:37:07Z |
+---------------------+------------------------------------------------+
[root@xxx]# neutron router-interface-add xxx-router123 xxx-subnet12
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
IP address 10.10.13.254 is not a valid IP for the specified subnet.
Neutron server returns request_ids: ['req-c58bab6f-2152-4cd5-8cbd-e6f8cb7052ed']

Li Zhouzhou (lizhouzhou) on 2019-07-04
Changed in neutron:
assignee: nobody → Li Zhouzhou (lizhouzhou)

Fix proposed to branch: master
Review: https://review.opendev.org/669030

Changed in neutron:
status: New → In Progress
Li Zhouzhou (lizhouzhou) on 2019-07-04
description: updated

Hello Li:

IMO, this bug is not valid.

When you execute the following command:
$ neutron subnet-create --name xxxx-subnet12 --gateway 10.10.13.254 xxx-net1 10.10.13.0/25

you are trying to use a gw IP 10.10.13.254 which doesn't belong to CIDR 10.10.13.0/25. The neutron CLI is returning the expected exception.

$ python
>>> import netaddr
>>> net=netaddr.IPNetwork('10.10.13.0/25')
>>> ip1=netaddr.IPAddress('10.10.13.254')
>>> ip2=netaddr.IPAddress('10.10.13.2')
>>> ip1 in net
False
>>> ip2 in net
True

Regards.

Li Zhouzhou (lizhouzhou) wrote :

The netaddr is right. But, I mean the logic of neutron code has confused me:
"
import netaddr
from neutron_lib import constants


def check_gateway_invalid_in_subnet(cidr, gateway):
    """Check whether the gw IP address is invalid on the subnet."""
    ip = netaddr.IPAddress(gateway)
    net = netaddr.IPNetwork(cidr)
    # Check whether the gw IP is in-valid on subnet.
    # If gateway is in the subnet, it cannot be the
    # 'network' or the 'broadcast address (only in IPv4)'.
    # If gateway is out of subnet, there is no way to
    # check since we don't have gateway's subnet cidr.
    return (ip in net and  # <<< actually, we only check the ip postfix is 0. I don't know why.
            (net.version == constants.IP_VERSION_4 and
             ip in (net.network, net[-1])))
"

Changed in neutron:
importance: Undecided → Medium
status: In Progress → Opinion
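
An added example, not code from the bug report or from Neutron: it re-expresses the quoted check with the standard-library ipaddress module and audits subnet records to show which gateway placements that check flags and which it lets through. The function names, the IP_VERSION_4 stand-in and the sample subnets other than xxx-subnet12 are assumptions made for illustration.

```python
import ipaddress

IP_VERSION_4 = 4  # stand-in for constants.IP_VERSION_4 in the quoted code


def quoted_check_invalid(cidr, gateway):
    """Same logic as the quoted check_gateway_invalid_in_subnet."""
    ip = ipaddress.ip_address(gateway)
    net = ipaddress.ip_network(cidr)
    # Only an in-subnet IPv4 gateway equal to the network or
    # broadcast address is reported as invalid.
    return (ip in net and
            (net.version == IP_VERSION_4 and
             ip in (net.network_address, net[-1])))


def classify_gateway(cidr, gateway):
    """Return where the gateway sits relative to the subnet CIDR."""
    ip = ipaddress.ip_address(gateway)
    net = ipaddress.ip_network(cidr)
    if ip.version != net.version:
        return "version-mismatch"
    if ip not in net:
        return "outside-cidr"
    if net.version == IP_VERSION_4:
        if ip == net.network_address:
            return "network-address"
        if ip == net[-1]:
            return "broadcast-address"
    return "in-cidr"


# Constructed sample records; the first mirrors the subnet in the report.
SUBNETS = [
    {"name": "xxx-subnet12", "cidr": "10.10.13.0/25", "gateway_ip": "10.10.13.254"},
    {"name": "sample-ok", "cidr": "10.10.13.0/25", "gateway_ip": "10.10.13.2"},
    {"name": "sample-net", "cidr": "10.10.13.0/25", "gateway_ip": "10.10.13.0"},
    {"name": "sample-bcast", "cidr": "10.10.13.0/25", "gateway_ip": "10.10.13.127"},
]


def audit(subnets):
    """List (name, classification, flagged_by_quoted_check) per subnet."""
    return [(s["name"], classify_gateway(s["cidr"], s["gateway_ip"]),
             quoted_check_invalid(s["cidr"], s["gateway_ip"])) for s in subnets]


if __name__ == "__main__":
    for row in audit(SUBNETS):
        print(row)
```

Running the same classification over the subnets already stored in a deployment lists the ones whose gateway_ip lies outside their own CIDR, which is the case from the report that the quoted check does not flag.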