[openstack-dev] [neutron] Neutron should disallow /32 CIDR

Carl Baldwin carl at ecbaldwin.net
Wed Jan 22 03:22:55 UTC 2014


The bottom line is that the method you mentioned shouldn't validate the
subnet. It should assume the subnet has been validated and validate the
pool.  It seems to do a adequate job of that.

Perhaps there is a _validate_subnet method that you should be focused on?
(I'd check but I don't have convenient access to the code at the moment)

Carl
On Jan 21, 2014 6:16 PM, "Paul Ward" <wpward at us.ibm.com> wrote:

> You beat me to it. :)  I just responded about not checking the allocation
> pool start and end but rather, checking subnet_first_ip and subnet_last_ip,
> which is set as follows:
>
>         subnet *=* netaddr*.*IPNetwork(subnet_cidr)
>         subnet_first_ip *=* netaddr*.*IPAddress(subnet*.*first *+* 1)
>         subnet_last_ip *=* netaddr*.*IPAddress(subnet*.*last *-* 1)
>
> However, I'm curious about your contention that we're ok... I'm assuming
> you mean that this should already be handled.   I don't believe anything is
> really checking to be sure the allocation pool leaves room for a gateway, I
> think it just makes sure it fits in the subnet.  A member of our test team
> successfully created a network with a subnet of 255.255.255.255, so it got
> through somehow.  I will look into that more tomorrow.
>
>
>
> Carl Baldwin <carl at ecbaldwin.net> wrote on 01/21/2014 05:27:49 PM:
>
> > From: Carl Baldwin <carl at ecbaldwin.net>
> > To: "OpenStack Development Mailing List (not for usage questions)"
> > <openstack-dev at lists.openstack.org>,
> > Date: 01/21/2014 05:32 PM
> > Subject: Re: [openstack-dev] [neutron] Neutron should disallow /32 CIDR
> >
> > I think there may be some confusion between the two concepts:  subnet
> > and allocation pool.  You are right that an ipv4 subnet smaller than
> > /30 is not useable on a network.
> >
> > However, this method is checking the validity of an allocation pool.
> > These pools should not include room for a gateway nor broadcast
> > address.  Their relation to subnets is that the range of ips contained
> > in the pool must fit within the allocatable IP space on the subnet
> > from which they are allocated.  Other than that, they are simple
> > ranges; they don't need to be cidr aligned or anything.  A pool of a
> > single IP is valid.
> >
> > I just checked the method's implementation now.  It does check that
> > the pool fits within the allocatable range of the subnet.  I think
> > we're good.
> >
> > Carl
> >
> > On Tue, Jan 21, 2014 at 3:35 PM, Paul Ward <wpward at us.ibm.com> wrote:
> > > Currently, NeutronDbPluginV2._validate_allocation_pools() does some
> very
> > > basic checking to be sure the specified subnet is valid.  One thing
> that's
> > > missing is checking for a CIDR of /32.  A subnet with one IP address
> in it
> > > is unusable as the sole IP address will be allocated to the gateway,
> and
> > > thus no IPs are left over to be allocated to VMs.
> > >
> > > The fix for this is simple.  In
> > > NeutronDbPluginV2._validate_allocation_pools(), we'd check for
> start_ip ==
> > > end_ip and raise an exception if that's true.
> > >
> > > I've opened lauchpad bug report 1271311
> > > (https://bugs.launchpad.net/neutron/+bug/1271311) for this, but
> wanted to
> > > start a discussion here to see if others find this enhancement to be a
> > > valuable addition.
> > >
> > >
> > > _______________________________________________
> > > OpenStack-dev mailing list
> > > OpenStack-dev at lists.openstack.org
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > >
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140121/73806746/attachment.html>


More information about the OpenStack-dev mailing list