[openstack-dev] [neutron] Neutron should disallow /32 CIDR

Paul Ward wpward at us.ibm.com
Wed Jan 22 01:10:33 UTC 2014

You beat me to it. :)  I just responded about not checking the allocation
pool start and end but rather, checking subnet_first_ip and subnet_last_ip,
which is set as follows:

        subnet = netaddr.IPNetwork(subnet_cidr)
        subnet_first_ip = netaddr.IPAddress(subnet.first + 1)
        subnet_last_ip = netaddr.IPAddress(subnet.last - 1)

However, I'm curious about your contention that we're ok... I'm assuming
you mean that this should already be handled.   I don't believe anything is
really checking to be sure the allocation pool leaves room for a gateway, I
think it just makes sure it fits in the subnet.  A member of our test team
successfully created a network with a subnet of, so it got
through somehow.  I will look into that more tomorrow.

Carl Baldwin <carl at ecbaldwin.net> wrote on 01/21/2014 05:27:49 PM:

> From: Carl Baldwin <carl at ecbaldwin.net>
> To: "OpenStack Development Mailing List (not for usage questions)"
> <openstack-dev at lists.openstack.org>,
> Date: 01/21/2014 05:32 PM
> Subject: Re: [openstack-dev] [neutron] Neutron should disallow /32 CIDR
> I think there may be some confusion between the two concepts:  subnet
> and allocation pool.  You are right that an ipv4 subnet smaller than
> /30 is not useable on a network.
> However, this method is checking the validity of an allocation pool.
> These pools should not include room for a gateway nor broadcast
> address.  Their relation to subnets is that the range of ips contained
> in the pool must fit within the allocatable IP space on the subnet
> from which they are allocated.  Other than that, they are simple
> ranges; they don't need to be cidr aligned or anything.  A pool of a
> single IP is valid.
> I just checked the method's implementation now.  It does check that
> the pool fits within the allocatable range of the subnet.  I think
> we're good.
> Carl
> On Tue, Jan 21, 2014 at 3:35 PM, Paul Ward <wpward at us.ibm.com> wrote:
> > Currently, NeutronDbPluginV2._validate_allocation_pools() does some
> > basic checking to be sure the specified subnet is valid.  One thing
> > missing is checking for a CIDR of /32.  A subnet with one IP address in
> > is unusable as the sole IP address will be allocated to the gateway,
> > thus no IPs are left over to be allocated to VMs.
> >
> > The fix for this is simple.  In
> > NeutronDbPluginV2._validate_allocation_pools(), we'd check for start_ip
> > end_ip and raise an exception if that's true.
> >
> > I've opened lauchpad bug report 1271311
> > (https://bugs.launchpad.net/neutron/+bug/1271311) for this, but wanted
> > start a discussion here to see if others find this enhancement to be a
> > valuable addition.
> >
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140121/73854185/attachment.html>

More information about the OpenStack-dev mailing list