<p dir="ltr">The bottom line is that the method you mentioned shouldn't validate the subnet. It should assume the subnet has been validated and validate the pool. It seems to do a adequate job of that.</p>
<p dir="ltr">Perhaps there is a _validate_subnet method that you should be focused on? (I'd check but I don't have convenient access to the code at the moment)</p>
<p dir="ltr">Carl</p>
<div class="gmail_quote">On Jan 21, 2014 6:16 PM, "Paul Ward" <<a href="mailto:wpward@us.ibm.com">wpward@us.ibm.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p><font face="sans-serif">You beat me to it. :) I just responded about not checking the allocation pool start and end but rather, checking subnet_first_ip and subnet_last_ip, which is set as follows:</font><br>
<br>
<font size="1" color="#333333" face="Consolas"> subnet </font><font size="1" color="#333333" face="Consolas"><b>=</b></font><font size="1" color="#333333" face="Consolas"> netaddr</font><font size="1" color="#333333" face="Consolas"><b>.</b></font><font size="1" color="#333333" face="Consolas">IPNetwork(subnet_cidr)</font><br>
<font size="1" color="#333333" face="Consolas"> subnet_first_ip </font><font size="1" color="#333333" face="Consolas"><b>=</b></font><font size="1" color="#333333" face="Consolas"> netaddr</font><font size="1" color="#333333" face="Consolas"><b>.</b></font><font size="1" color="#333333" face="Consolas">IPAddress(subnet</font><font size="1" color="#333333" face="Consolas"><b>.</b></font><font size="1" color="#333333" face="Consolas">first </font><font size="1" color="#333333" face="Consolas"><b>+</b></font><font size="1" color="#333333" face="Consolas"> </font><font size="1" color="#009999" face="Consolas">1</font><font size="1" color="#333333" face="Consolas">)</font><br>
<font size="1" color="#333333" face="Consolas"> subnet_last_ip </font><font size="1" color="#333333" face="Consolas"><b>=</b></font><font size="1" color="#333333" face="Consolas"> netaddr</font><font size="1" color="#333333" face="Consolas"><b>.</b></font><font size="1" color="#333333" face="Consolas">IPAddress(subnet</font><font size="1" color="#333333" face="Consolas"><b>.</b></font><font size="1" color="#333333" face="Consolas">last </font><font size="1" color="#333333" face="Consolas"><b>-</b></font><font size="1" color="#333333" face="Consolas"> </font><font size="1" color="#009999" face="Consolas">1</font><font size="1" color="#333333" face="Consolas">)</font><br>
<br>
<font face="sans-serif">However, I'm curious about your contention that we're ok... I'm assuming you mean that this should already be handled. I don't believe anything is really checking to be sure the allocation pool leaves room for a gateway, I think it just makes sure it fits in the subnet. A member of our test team successfully created a network with a subnet of 255.255.255.255, so it got through somehow. I will look into that more tomorrow.<br>
<br>
</font><br>
<br>
<tt><font>Carl Baldwin <<a href="mailto:carl@ecbaldwin.net" target="_blank">carl@ecbaldwin.net</a>> wrote on 01/21/2014 05:27:49 PM:<br>
<br>
> From: Carl Baldwin <<a href="mailto:carl@ecbaldwin.net" target="_blank">carl@ecbaldwin.net</a>></font></tt><br>
<tt><font>> To: "OpenStack Development Mailing List (not for usage questions)" <br>
> <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>>, </font></tt><br>
<tt><font>> Date: 01/21/2014 05:32 PM</font></tt><br>
<tt><font>> Subject: Re: [openstack-dev] [neutron] Neutron should disallow /32 CIDR</font></tt><br>
<tt><font>> <br>
> I think there may be some confusion between the two concepts: subnet<br>
> and allocation pool. You are right that an ipv4 subnet smaller than<br>
> /30 is not useable on a network.<br>
> <br>
> However, this method is checking the validity of an allocation pool.<br>
> These pools should not include room for a gateway nor broadcast<br>
> address. Their relation to subnets is that the range of ips contained<br>
> in the pool must fit within the allocatable IP space on the subnet<br>
> from which they are allocated. Other than that, they are simple<br>
> ranges; they don't need to be cidr aligned or anything. A pool of a<br>
> single IP is valid.<br>
> <br>
> I just checked the method's implementation now. It does check that<br>
> the pool fits within the allocatable range of the subnet. I think<br>
> we're good.<br>
> <br>
> Carl<br>
> <br>
> On Tue, Jan 21, 2014 at 3:35 PM, Paul Ward <<a href="mailto:wpward@us.ibm.com" target="_blank">wpward@us.ibm.com</a>> wrote:<br>
> > Currently, NeutronDbPluginV2._validate_allocation_pools() does some very<br>
> > basic checking to be sure the specified subnet is valid. One thing that's<br>
> > missing is checking for a CIDR of /32. A subnet with one IP address in it<br>
> > is unusable as the sole IP address will be allocated to the gateway, and<br>
> > thus no IPs are left over to be allocated to VMs.<br>
> ><br>
> > The fix for this is simple. In<br>
> > NeutronDbPluginV2._validate_allocation_pools(), we'd check for start_ip ==<br>
> > end_ip and raise an exception if that's true.<br>
> ><br>
> > I've opened lauchpad bug report 1271311<br>
> > (<a href="https://bugs.launchpad.net/neutron/+bug/1271311" target="_blank">https://bugs.launchpad.net/neutron/+bug/1271311</a>) for this, but wanted to<br>
> > start a discussion here to see if others find this enhancement to be a<br>
> > valuable addition.<br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > OpenStack-dev mailing list<br>
> > <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
> > <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
> ><br>
> <br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
> <br>
</font></tt></p></div><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div>