Vlan network with vlan_id outside of available ranges for physical network can be created always
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Invalid
|
Medium
|
Slawek Kaplonski |
Bug Description
When creating provider networks of type vlan with openstack or neutron api(s) one can specify a vlan ID or provider segment which exceeds the range as set network_vlan_ranges parameter in the ml2 configuration.
Here are some examples from the lab:
+++
[root@overcloud
[ovs]
bridge_
integration_
tunnel_
local_ip=
[agent]
l2_population=False
arp_responder=False
enable_
drop_flows_
extensions=qos
tunnel_csum=False
tunnel_types=vxlan
vxlan_udp_port=4789
[securitygroup]
firewall_
+++
+++
egrep -v '^$|^#' /var/lib/
[DEFAULT]
[l2pop]
[ml2]
type_drivers=
tenant_
mechanism_
extension_
path_mtu=0
overlay_
[ml2_type_flat]
flat_networks=
[ml2_type_geneve]
[ml2_type_gre]
tunnel_
[ml2_type_vlan]
network_
[ml2_type_vxlan]
vni_ranges=1:4094
vxlan_group=
[securitygroup]
firewall_
+++
Yet one can specify vlan ID(s) like 1500 or 2000 which are far beyond the range set in the configuration:
(overcloud) [stack@
+------
| Field | Value |
+------
| admin_state_up | UP |
| availability_
| availability_zones | |
| created_at | 2019-08-
| description | |
| dns_domain | None |
| id | 7153c256-
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1500 |
| name | ext_net_epsilon |
| port_security_
| project_id | e965ba459d574bd
| provider:
| provider:
| provider:
| qos_policy_id | None |
| revision_number | 3 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2019-08-
+------
(overcloud) [stack@
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new network:
+------
| Field | Value |
+------
| admin_state_up | True |
| availability_
| availability_zones | |
| created_at | 2019-08-
| description | |
| id | 0c868950-
| ipv4_address_scope | |
| ipv6_address_scope | |
| is_default | False |
| l2_adjacency | True |
| mtu | 1500 |
| name | ext_net_alpha |
| port_security_
| project_id | e965ba459d574bd
| provider:
| provider:
| provider:
| qos_policy_id | |
| revision_number | 3 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| tenant_id | e965ba459d574bd
| updated_at | 2019-08-
+------
So basically there is no validation check to ensure that the segmentation ID that is being provided to the command line client is within the bounds specified by the config.
It happens becasue in https:/
tags: | added: pike-backport-potential queens-backport-potential rocky-backport-potential stein-backport-potential |
Fix proposed to branch: master /review. opendev. org/679425
Review: https:/