router add subnet <router> <external network>
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Incomplete | Undecided | Unassigned | |
| neutron | Confirmed | Critical | Miguel Lavalle | |
Bug Description
hi,
When using the command router add subnet <router> <external subnet>, neutron creates a port with the first IP on the subnet. This causes an IP conflict with the real GW IP for the network, and the result is that the physical network goes down. In our case it brought down the whole physical fabric.
cloud info:
```
(openstack) network show internet
+------
| Field | Value |
+------
| admin_state_up | UP |
| availability_
| availability_zones | nova |
| created_at | 2017-05-
| description | |
| dns_domain | |
| id | df26cc5b-
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 9000 |
| name | internet |
| port_security_
| project_id | 1642f7380213486
| provider:
| provider:
| provider:
| qos_policy_id | None |
| revision_number | 7 |
| router:external | External |
| segments | None |
| shared | True |
| status | ACTIVE |
| subnets | cbd1f84a-
| tags | |
| updated_at | 2017-11-
+------
(openstack) subnet show internet-sub1
+------
| Field | Value |
+------
| allocation_pools | xxx.yyy.
| cidr | xxx.yyy.zzz.0/24 |
| created_at | 2017-05-
| description | |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | xxx.yyy.zzz.1 |
| host_routes | |
| id | cbd1f84a-
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | internet-sub1 |
| network_id | df26cc5b-
| project_id | 1642f7380213486
| revision_number | 3 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2017-05-
+------
```
Way to reproduce:
1. As a normal _member_ user, create a router
(openstack) router create vpn-client-router
2. Add the external subnet to the router.
(openstack) router add subnet vpn-client-router internet-sub1
Actual result:
The port created gets the IP xxx.yyy.zzz.1, which is the same IP as the physical GW IP.
Expected result:
First of all, this command should probably return an error, since the correct command is router set --external-gateway. If it should work, the IP should be in the allocation_pool for the subnet.
version:
openstack pike
neutron 11.0.2
distribution kolla-ansible
bjolo
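An added audit check (not part of the report or of Neutron itself) that flags router interface ports on a router:external network whose address equals the subnet's gateway_ip, the collision described in the report, or lies outside the subnet's allocation pools. The records are constructed in the shape of Neutron API responses, with 203.0.113.0/24 standing in for the masked xxx.yyy.zzz.0/24; the device_owner values are the ones Neutron assigns to router ports.

```python
import ipaddress

# Constructed sample shaped like Neutron API records; 203.0.113.0/24 stands in
# for the xxx.yyy.zzz.0/24 external subnet in the report (gateway .1, pool .10-.250).
SUBNETS = {
    "internet-sub1": {"gateway_ip": "203.0.113.1",
                      "allocation_pools": [{"start": "203.0.113.10", "end": "203.0.113.250"}]},
}
NETWORKS = {"internet": {"router:external": True, "subnets": ["internet-sub1"]}}
PORTS = [
    {"id": "port-bad", "network_id": "internet", "device_owner": "network:router_interface",
     "fixed_ips": [{"subnet_id": "internet-sub1", "ip_address": "203.0.113.1"}]},
    {"id": "port-gw", "network_id": "internet", "device_owner": "network:router_gateway",
     "fixed_ips": [{"subnet_id": "internet-sub1", "ip_address": "203.0.113.10"}]},
    {"id": "port-odd", "network_id": "internet", "device_owner": "network:router_interface",
     "fixed_ips": [{"subnet_id": "internet-sub1", "ip_address": "203.0.113.5"}]},
]

def in_allocation_pool(ip, subnet):
    """True if ip falls inside one of the subnet's allocation_pools ranges."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(p["start"]) <= addr <= ipaddress.ip_address(p["end"])
               for p in subnet["allocation_pools"])

def audit_router_ports(networks, subnets, ports):
    """Return (port_id, reason) for router interface ports on router:external networks
    whose address is the subnet gateway_ip or lies outside the allocation pools."""
    findings = []
    for port in ports:
        # Interface ports come from 'router add subnet' (DVR uses the
        # '..._distributed' suffix); gateway ports draw from the pool and are skipped.
        if not port["device_owner"].startswith("network:router_interface"):
            continue
        net = networks.get(port["network_id"], {})
        if not net.get("router:external"):
            continue
        for fip in port["fixed_ips"]:
            subnet = subnets.get(fip["subnet_id"])
            if subnet is None:
                continue
            ip = fip["ip_address"]
            if ip == subnet["gateway_ip"]:
                findings.append((port["id"], f"{ip} is the gateway_ip of {fip['subnet_id']}"))
            elif not in_allocation_pool(ip, subnet):
                findings.append((port["id"], f"{ip} is outside allocation_pools of {fip['subnet_id']}"))
    return findings

if __name__ == "__main__":
    for port_id, reason in audit_router_ports(NETWORKS, SUBNETS, PORTS):
        print(port_id, reason)
```

Against a live cloud the same function can be fed the output of the network, subnet and port list calls, since the keys used here are the API field names.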
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.