Public bug reported:

Currently a user can allocate the gateway IP of an external network as a
floating IP. This is possible, as the only validation on a user-specified
IP address is done by the IPAM module, which checks that an IP is in the
range of the subnet(s) and that it is not already allocated. Because
OpenStack has no port for the external gateway, the subnet of an external
network is marked as free.

This is a problem because now a user can allocate an IP address that
might otherwise be in use (externally of OpenStack / inside a provider
network). Depending on the network plugins used, the user could either
end up with an unusable floating IP or (in the worst case) create
something that ARPs for this IP and redirects traffic away from the
original gateway, causing an outage. Therefore I propose we forbid users
from allocating floating IPs that are also the gateway IP in a floating
IP network. Note that OpenStack would not allocate the gateway IP
itself, as it only allocates from the subnet's allocation pool by
default.

To fix this I'd propose we either explicitly deny using the gateway IP
or require the user-specified IP for a subnet to be from the allocation
pool. I'd be happy to provide a patch once we have decided how to
approach this.

This can be recreated with a simple CLI command:

    openstack floating ip create $fip_network --floating-ip-address $gateway_ip_of_subnet

A similar bug was filed and fixed for putting routers into provider
networks: https://bugs.launchpad.net/neutron/+bug/1757482

Breaking testcase (neutron/tests/unit/extensions/test_l3.py):

    class L3NatTestCaseBase(L3NatTestCaseMixin):

        def test_create_floatingip_on_external_subnet_gateway_fails(self):
            # exc is webob.exc, as already imported at the top of test_l3.py
            with self.subnet(cidr='11.0.0.0/24') as public_sub:
                self._set_net_external(public_sub['subnet']['network_id'])
                # Requesting the subnet's gateway_ip as the floating IP should
                # be rejected with 400; today it is accepted, so this fails.
                self._make_floatingip(
                    self.fmt,
                    public_sub['subnet']['network_id'],
                    floating_ip=public_sub['subnet']['gateway_ip'],
                    http_status=exc.HTTPBadRequest.code)

Preliminary discussion in IRC:
https://meetings.opendev.org/irclogs/%23openstack-neutron/%23openstack-neutron.2022-02-01.log.html#t2022-02-01T15:02:10

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1959699

Title:
  Disallow users to allocate gateway ip of external subnets as floating
  ip

Status in neutron:
  New




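A model of the address check the report describes, with the two proposed fixes side by side. This is an added example written for this page, not Neutron's code: `Subnet`, `Policy`, `check_floating_ip` and `allocate_floating_ip` are hypothetical stand-ins for Neutron's IPAM validation, and the subnet data is constructed (same CIDR as the test case above, a pool that excludes the gateway, one address already owned by a port).

```python
"""Model of the floating-IP address validation discussed in the bug report.

Added example for this page, not Neutron code. ``Subnet``, ``Policy`` and
``check_floating_ip`` are hypothetical stand-ins for Neutron's IPAM checks;
the subnet below is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    # What the report says IPAM checks today: in range and not yet allocated.
    CURRENT = "range-and-unallocated"
    # Proposal 1: additionally reject the subnet's gateway_ip.
    DENY_GATEWAY = "deny-gateway"
    # Proposal 2: additionally require the address to come from an allocation pool.
    POOL_ONLY = "pool-only"


@dataclass
class Subnet:
    cidr: str
    gateway_ip: str
    allocation_pools: list                          # [(start, end), ...] as strings
    allocated: set = field(default_factory=set)     # addresses that have a port

    def in_pool(self, ip):
        """True if ip falls inside one of the allocation pools."""
        return any(
            ipaddress.ip_address(start) <= ip <= ipaddress.ip_address(end)
            for start, end in self.allocation_pools
        )


def check_floating_ip(subnet, requested, policy=Policy.CURRENT):
    """Return None if the user-requested address is acceptable, else a reason.

    The first two checks are the ones the report attributes to IPAM. The
    gateway has no port, so it passes both and is handed out under CURRENT.
    """
    ip = ipaddress.ip_address(requested)
    net = ipaddress.ip_network(subnet.cidr, strict=False)
    if ip not in net:
        return "address not in subnet"
    if ip in {ipaddress.ip_address(a) for a in subnet.allocated}:
        return "address already allocated"
    if policy is Policy.DENY_GATEWAY and ip == ipaddress.ip_address(subnet.gateway_ip):
        return "address is the subnet gateway"
    if policy is Policy.POOL_ONLY and not subnet.in_pool(ip):
        return "address outside allocation pools"
    return None


def allocate_floating_ip(subnet, requested, policy=Policy.CURRENT):
    """Apply the check and record the allocation; raise on rejection."""
    reason = check_floating_ip(subnet, requested, policy)
    if reason is not None:
        raise ValueError(f"{requested}: {reason}")
    subnet.allocated.add(requested)
    return requested


def gateway_outcome_by_policy(subnet):
    """Map each policy name to the rejection reason for the gateway (None = accepted)."""
    return {
        policy.value: check_floating_ip(subnet, subnet.gateway_ip, policy)
        for policy in Policy
    }


# Constructed sample: CIDR from the report's test case, a pool that excludes
# the gateway (as Neutron's default pool does), one address used by a port.
PUBLIC_SUBNET = Subnet(
    cidr="11.0.0.0/24",
    gateway_ip="11.0.0.1",
    allocation_pools=[("11.0.0.10", "11.0.0.200")],
    allocated={"11.0.0.10"},
)

if __name__ == "__main__":
    for name, reason in gateway_outcome_by_policy(PUBLIC_SUBNET).items():
        print(f"{name:22s} gateway {PUBLIC_SUBNET.gateway_ip}: {reason or 'ACCEPTED'}")
```

Run as a script it shows the gateway accepted under the current checks and rejected under both proposals. The difference between the proposals is visible on an off-pool, non-gateway address such as 11.0.0.5: `DENY_GATEWAY` still allows it, while `POOL_ONLY` rejects it, which is the trade-off the report leaves open.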