Disable allowed_address_pair ip 0.0.0.0/0 ::/0 for ipset
Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if
these addresses were inputted as allowed address pairs. This causes
ipset to raise an error as it does not work with zero prefix sizes.
To solve this problem we use two ipset rules to represent this.
This was correctly fixed in a backport to kilo though we did not have the
cycles to backport this exact fix to juno as in juno additional work needs to
be done because the iptable and ipset code are interleaved together. This
patch fixes this issue by disabling one from creating an address pair of
zero lenght. This patch also provides a small tool which one should run:
tools/fix_zero_length_ip_prefix.py which changes all zero length address_pair
rules into two address pair rules of:
Ipv4: 0.0.0.0/1 and 128.0.0.1/1
IPv6: ::/1' and '8000::/1
to avoid the problem.
After this patch is merged into juno it will be easier for us to apply
a better change to allow /0 addresses again in juno.
Reviewed: https:/ /review. openstack. org/194696 /git.openstack. org/cgit/ openstack/ neutron/ commit/ ?id=d9c78880d2b 7e5b0544e821c45 e6ad3700a06b9a
Committed: https:/
Submitter: Jenkins
Branch: stable/juno
commit d9c78880d2b7e5b 0544e821c45e6ad 3700a06b9a
Author: Aaron Rosen <email address hidden>
Date: Thu Jun 11 13:58:16 2015 -0700
Disable allowed_ address_ pair ip 0.0.0.0/0 ::/0 for ipset
Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if
these addresses were inputted as allowed address pairs. This causes
ipset to raise an error as it does not work with zero prefix sizes.
To solve this problem we use two ipset rules to represent this.
This was correctly fixed in a backport to kilo though we did not have the fix_zero_ length_ ip_prefix. py which changes all zero length address_pair
cycles to backport this exact fix to juno as in juno additional work needs to
be done because the iptable and ipset code are interleaved together. This
patch fixes this issue by disabling one from creating an address pair of
zero lenght. This patch also provides a small tool which one should run:
tools/
rules into two address pair rules of:
Ipv4: 0.0.0.0/1 and 128.0.0.1/1
IPv6: ::/1' and '8000::/1
to avoid the problem.
After this patch is merged into juno it will be easier for us to apply
a better change to allow /0 addresses again in juno.
Change-Id: I8c6a08e0cf3b5b 5386fe03af9f217 4c666b8ac75
Closes-bug: 1461054
Co-Authored-by: Darragh O'Reilly <email address hidden>