OpenStack Searchlight

CIDR search returns incorrect results

Bug #1622781 reported by Tyr Johanson
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Searchlight
In Progress
Undecided
Steve McLellan

Bug Description

Search for 172.24.4.0/24 returned private subnet with /24 in subnet range, but totally different subnet range.

Revision history for this message
Tyr Johanson (tyr-6) wrote :
Revision history for this message
Steve McLellan (sjmc7) wrote :

A search for 172.24.4.0/24 will be treated as a search for:

{"_all": ["172", "24", "4", "0", "24]}

The search term won't automatically be treated as an IP range search.

Revision history for this message
Tyr Johanson (tyr-6) wrote :

According to search help in UI

IP Addresses
172.24.4.0/16 [10.0.0.1 TO 10.0.0.4]

IPv4 addresses may be searched based on ranges and with CIDR notation.

Revision history for this message
Steve McLellan (sjmc7) wrote :

The query coming out of the UI is (using 192.168.20.0/24 as that's my example data):

  {query_string: {query: "192.168.20.0\/24", phrase_slop: 10, lenient: true, analyze_wildcard: true}}

The documentation's incorrect; CIDRs are not valid in query_strings (though it looks like it's getting added in Elasticsearch 5.0 https://github.com/elastic/elasticsearch/pull/14773).

The equivalent "range" query ([172.40.0.8 TO 172.40.0.14]) DOES work on fields mapped as "ip" types, but as an additional wrinkle, since most of them are in nested document types it can't be done in a simple query_string since nested fields are ALSO not supported in query_strings. For instance, this works with Servers:

  "query": {"nested": {"path": "networks", "query": {"query_string": {"query": "networks.ipv4_addr:[172.40.0.8 TO 172.40.0.14]"}}}}

This does not:

  "query": {"query_string": {"query": "networks.ipv4_addr:[172.40.0.8 TO 172.40.0.14]"}}}}

Finally, none of the subnet fields are mapped as "ip" fields because Lucene (and thus Elasticsearch) didn't support IPv6 data in ip fields until Elasticsearch 5, so many fields that contain IP addresses are only mapped as strings.

For now I think the solution is to remove reference to CIDR-type searches, and deemphasise IP range-type searches. I think we should also denormalize v4-type IP addresses on all resource types that make sense (so add ipv4 and ipv6 fields to resources that have IP addresses).

Revision history for this message
Steve McLellan (sjmc7) wrote :

I stand corrected; support was added for mask type queries in 2.2. However, it requires that you specify the field (since the _all field doesn't know about IP addresses).

Steve McLellan (sjmc7)
Changed in searchlight:
assignee: nobody → Steve McLellan (sjmc7)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to searchlight (master)

Fix proposed to branch: master
Review: https://review.openstack.org/382572

Changed in searchlight:
status: New → In Progress
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.