neutron doesn't check the validity of gateway_ip when a subnet is created

Bug #1835344 reported by Li Zhouzhou
Affects: neutron
Status: Opinion
Importance: Medium
Assigned to: Unassigned

Bug Description

neutron doesn't check the validity of gateway_ip when a subnet is created.
Then, when we attach an interface to a router for this subnet, the neutron-server will report an error, like: "IP address 10.10.13.254 is not a valid IP for the specified subnet."

How to reproduce:
1. create a subnet, specifying a gateway_ip which isn't in the cidr range.
# neutron subnet-create --name xxxx-subnet12 --gateway 10.10.13.254 xxx-net1 10.10.13.0/25

2. create a router:
# neutron router-create xxx-router1

3. attach an interface to a router for this subnet.
# neutron router-interface-add xxx-router1 xxx-subnet123

result:
expected: success
real: unsuccessful, "IP address 10.10.13.254 is not a valid IP for the specified subnet."

Improve:
So, I think we should check the validity of gateway_ip for the subnet when creating a subnet.

tests:
[root@xxxx]# neutron subnet-create --name xxx-subnet12 --gateway 10.10.13.254 xxx-pool-net1 10.10.13.0/25
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new subnet:
+---------------------+------------------------------------------------+
| Field | Value |
+---------------------+------------------------------------------------+
| allocation_pools | {"start": "10.10.13.1", "end": "10.10.13.126"} |
| available_ip_number | 126 |
| available_ips | {"start": "10.10.13.1", "end": "10.10.13.126"} |
| cidr | 10.10.13.0/25 |
| created_at | 2019-07-04T02:37:07Z |
| description | |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.10.13.254 |
| host_routes | |
| id | 16dc9a28-f4d2-4b1e-9922-d78b4453147a |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | xxx-subnet12 |
| network_id | 2fa614ec-8532-46a4-a23a-d599d1c1aaf8 |
| project_id | f0208ec2708e436fa02bb79bb3851f86 |
| revision_number | 0 |
| service_types | |
| subnetpool_id | |
| tags | |
| tenant_id | f0208ec2708e436fa02bb79bb3851f86 |
| updated_at | 2019-07-04T02:37:07Z |
+---------------------+------------------------------------------------+
[root@xxx]# neutron router-interface-add xxx-router123 xxx-subnet12
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
IP address 10.10.13.254 is not a valid IP for the specified subnet.
Neutron server returns request_ids: ['req-c58bab6f-2152-4cd5-8cbd-e6f8cb7052ed']

Li Zhouzhou (lizhouzhou)
Changed in neutron:
assignee: nobody → Li Zhouzhou (lizhouzhou)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/669030

Changed in neutron:
status: New → In Progress
Li Zhouzhou (lizhouzhou)
description: updated
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello Li:

IMO, this bug is not valid.

When you execute the following command:
$ neutron subnet-create --name xxxx-subnet12 --gateway 10.10.13.254 xxx-net1 10.10.13.0/25

you are trying to use a gw IP 10.10.13.254 which doesn't belong to CIDR 10.10.13.0/25. The neutron CLI is returning the expected exception.

$ python
>>> import netaddr
>>> net=netaddr.IPNetwork('10.10.13.0/25')
>>> ip1=netaddr.IPAddress('10.10.13.254')
>>> ip2=netaddr.IPAddress('10.10.13.2')
>>> ip1 in net
False
>>> ip2 in net
True

Regards.

Li Zhouzhou (lizhouzhou) wrote :

The netaddr is right. But, I mean the logic of neutron code has confused me:
"
def check_gateway_invalid_in_subnet(cidr, gateway):
    """Check whether the gw IP address is invalid on the subnet."""
    ip = netaddr.IPAddress(gateway)
    net = netaddr.IPNetwork(cidr)
    # Check whether the gw IP is in-valid on subnet.
    # If gateway is in the subnet, it cannot be the
    # 'network' or the 'broadcast address (only in IPv4)'.
    # If gateway is out of subnet, there is no way to
    # check since we don't have gateway's subnet cidr.
    return (ip in net and  # <<< actually, we only check the ip postfix is 0. I don't know why.
            (net.version == constants.IP_VERSION_4 and
            ip in (net.network, net[-1])))
"
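
An added example, not part of the original thread and not neutron's own code: the check quoted above ported to the standard-library `ipaddress` module (a swap-in for `netaddr`), next to a stricter classification that also flags a gateway outside the CIDR. The names `classify_gateway` and `audit` are hypothetical, and the sample records are constructed, with the first row taken from the report.

```python
import ipaddress


def gateway_invalid_in_subnet(cidr, gateway):
    """Same logic as the helper quoted above, using stdlib ipaddress."""
    ip = ipaddress.ip_address(gateway)
    net = ipaddress.ip_network(cidr)
    # Only an in-subnet IPv4 gateway equal to the network or broadcast
    # address is rejected; a gateway outside the CIDR is not flagged.
    return (ip in net and net.version == 4 and
            ip in (net.network_address, net.broadcast_address))


def classify_gateway(cidr, gateway):
    """Hypothetical stricter classification of a subnet's gateway_ip."""
    if gateway is None:
        return "no-gateway"
    ip = ipaddress.ip_address(gateway)
    net = ipaddress.ip_network(cidr)
    if ip.version != net.version:
        return "ip-version-mismatch"
    if ip not in net:
        return "outside-cidr"
    if gateway_invalid_in_subnet(cidr, gateway):
        return "network-or-broadcast"
    return "ok"


# Constructed sample records; the first row uses the values from the report.
SUBNETS = [
    {"name": "xxx-subnet12", "cidr": "10.10.13.0/25", "gateway_ip": "10.10.13.254"},
    {"name": "in-range", "cidr": "10.10.13.0/25", "gateway_ip": "10.10.13.1"},
    {"name": "broadcast", "cidr": "10.10.13.0/25", "gateway_ip": "10.10.13.127"},
    {"name": "v6", "cidr": "2001:db8::/64", "gateway_ip": "2001:db8::"},
    {"name": "no-gw", "cidr": "10.10.14.0/24", "gateway_ip": None},
]


def audit(subnets):
    """Return {name: verdict} for subnets whose gateway needs attention."""
    verdicts = {s["name"]: classify_gateway(s["cidr"], s["gateway_ip"])
                for s in subnets}
    return {n: v for n, v in verdicts.items() if v not in ("ok", "no-gateway")}


if __name__ == "__main__":
    for name, verdict in audit(SUBNETS).items():
        print(f"{name}: {verdict}")
```

Run over an export of existing subnets, `audit` lists the ones whose gateway lies outside the CIDR, as in the reported case, before a router interface is attached.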

Changed in neutron:
importance: Undecided → Medium
status: In Progress → Opinion
Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: Li Zhouzhou (lizhouzhou) → nobody
tags: added: timeout-abandon
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/669030
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
