Comment 13 for bug 1959699

Sebastian Lohff (sebageek) wrote :

I agree that using the allocation pool is the wrong solution to this problem. The problem itself is still a valid problem in my opinion and here is why:

External networks are managed by admins. The gateway ip of a subnet of an external network is normally managed outside of OpenStack (preconfigured by an admin on a router or whatever), so no Neutron object exists for the gateway ip except this one value. It is still used as next-hop for all the l3 routing. Now comes along a non-admin user that creates a floating ip using this specific external network gateway ip. As there is nothing to prevent this, Neutron will allow this FIP to be created, resulting in a second entity ARPing for this ip address. The gateway will not (or only intermittently) be reachable, as two entities ARP for the same IP. The network will not be usable for Internet access for anyone using it, including the user who allocated the gateway IP as a FIP.

Therefore I think it makes sense to prevent users from allocating FIPs on external networks that are also a gateway ip of the external network.
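One way to express the check proposed in this comment, as an added example (this is not Neutron's code; the subnet records and the validator are constructed for illustration):

```python
import ipaddress

# Constructed sample: an external network with three subnets, shaped like
# the subnet data Neutron keeps (gateway_ip may be None on a subnet).
EXTERNAL_SUBNETS = [
    {"id": "subnet-v4", "cidr": "203.0.113.0/24", "gateway_ip": "203.0.113.1"},
    {"id": "subnet-v6", "cidr": "2001:db8:1::/64", "gateway_ip": "2001:db8:1::1"},
    {"id": "subnet-nogw", "cidr": "198.51.100.0/24", "gateway_ip": None},
]


class FloatingIPRejected(Exception):
    """Raised when a user-requested floating IP address must not be handed out."""


def validate_floating_ip(address: str, subnets) -> str:
    """Return the id of the subnet that backs the requested FIP, or raise.

    Hypothetical validator (not Neutron's): a user-supplied floating IP
    address is refused if it equals the gateway IP of any subnet on the
    external network, since a second entity ARPing for the gateway address
    would make the gateway unreachable for everyone on that network.
    """
    ip = ipaddress.ip_address(address)
    # Gateway check first: the gateway is a plain value on the subnet, not a
    # port, so nothing else in the allocation path would catch the clash.
    for subnet in subnets:
        gw = subnet["gateway_ip"]
        if gw is not None and ipaddress.ip_address(gw) == ip:
            raise FloatingIPRejected(
                f"{address} is the gateway IP of subnet {subnet['id']}")
    # Otherwise the address must at least belong to one of the subnets.
    for subnet in subnets:
        if ip in ipaddress.ip_network(subnet["cidr"]):
            return subnet["id"]
    raise FloatingIPRejected(f"{address} is not part of the external network")


def is_allowed(address: str, subnets) -> bool:
    """Boolean wrapper around validate_floating_ip for callers that only gate."""
    try:
        validate_floating_ip(address, subnets)
        return True
    except FloatingIPRejected:
        return False
```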