neutron accepts CIDR in security groups that are invalid in ovn
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | Medium | Slawek Kaplonski | |
Bug Description
We have found that there are some CIDRs accepted by neutron which do not work in networking ovn. Specifically, these are network CIDRs with the host bits set.
Steps to reproduce
- Create VM. Attach a floating IP to it
- Remove all security groups. Attach a blank security group to it
- Add a security group rule and start ping
For example, if my IP is 10.10.10.175/26 (first 3 octets changed for privacy), the following security rules work:
openstack security group rule create --protocol icmp --remote-ip 10.10.10.175/32 cidr
openstack security group rule create --protocol icmp --remote-ip 10.10.10.128/26 cidr
However, the following security group rule does not work:
openstack security group rule create --protocol icmp --remote-ip 10.10.10.175/26 cidr
FWIW, in our testing, CIDRs like 10.10.10.175/26 work in other drivers, like linuxbridge and midonet.
description: updated
tags: added: ovn
tags: added: rfe-triaged
Changed in neutron:
importance: Undecided → Medium
assignee: Jake Yip (waipengyip) → Slawek Kaplonski (slaweq)
Changed in neutron:
status: In Progress → Fix Released
This is a bit related to https://bugs.launchpad.net/horizon/+bug/1837339, in the sense that, if we update neutron to not accept CIDRs with host bits set, this will effectively fix the other bug.
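The host-bits condition from the bug description, and the check the comment above refers to, sketched as an added example (not neutron's or networking-ovn's own code): it flags security group rules whose remote prefix has host bits set and gives the network CIDR that matches the same range. It uses the standard-library `ipaddress` module; the function names and the sample rules are assumptions made for illustration, and `remote_ip_prefix` is the rule field as exposed by the Neutron API.

```python
import ipaddress


def check_remote_ip_prefix(prefix):
    """Return (has_host_bits, normalized_cidr) for a remote IP prefix.

    ip_interface() accepts an address with host bits set and keeps both
    the address and the network it belongs to, so the two can be compared.
    """
    iface = ipaddress.ip_interface(prefix)
    network = iface.network
    return iface.ip != network.network_address, str(network)


def audit_rules(rules):
    """List rules whose remote_ip_prefix is unparsable or has host bits set."""
    findings = []
    for rule in rules:
        prefix = rule.get("remote_ip_prefix")
        if not prefix:
            continue  # rule matches any source or uses a remote group
        try:
            has_host_bits, normalized = check_remote_ip_prefix(prefix)
        except ValueError as exc:
            findings.append({"id": rule["id"], "prefix": prefix, "error": str(exc)})
            continue
        if has_host_bits:
            findings.append({"id": rule["id"], "prefix": prefix, "suggested": normalized})
    return findings


# Constructed sample rules (ids are made up); the IPv4 prefixes are the ones
# from the bug description, the IPv6 one shows that the same check applies.
SAMPLE_RULES = [
    {"id": "rule-1", "remote_ip_prefix": "10.10.10.175/32"},
    {"id": "rule-2", "remote_ip_prefix": "10.10.10.128/26"},
    {"id": "rule-3", "remote_ip_prefix": "10.10.10.175/26"},
    {"id": "rule-4", "remote_ip_prefix": "2001:db8::1/64"},
    {"id": "rule-5", "remote_ip_prefix": None},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```
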