[Bug 1934912] Re: Router update fails for ports with allowed_address_pairs containg IP range in CIDR notation

Edward Hope-Morley 1934912 at bugs.launchpad.net
Thu Sep 30 11:16:52 UTC 2021 

** Also affects: cloud-archive
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/victoria
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/wallaby
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/xena
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/ussuri
   Importance: Undecided
       Status: New

** Also affects: neutron (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: neutron (Ubuntu Impish)
   Importance: Undecided
       Status: New

** Also affects: neutron (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: neutron (Ubuntu Hirsute)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1934912

Title:
  Router update fails for ports with allowed_address_pairs containg IP
  range in CIDR  notation

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive ussuri series:
  New
Status in Ubuntu Cloud Archive victoria series:
  New
Status in Ubuntu Cloud Archive wallaby series:
  New
Status in Ubuntu Cloud Archive xena series:
  New
Status in neutron:
  Fix Released
Status in neutron package in Ubuntu:
  New
Status in neutron source package in Focal:
  New
Status in neutron source package in Hirsute:
  New
Status in neutron source package in Impish:
  New

Bug description:
  With https://review.opendev.org/c/openstack/neutron/+/792791 neutron build from branch `stable/train` fails to update routers with ports containing an `allowed_address_pair` containing an IP address range in CIDR notation, i.e.:
  ```
  openstack port show 135515bf-6cdf-45d7-affa-c775d2a43ce1 -f value -c allowed_address_pairs
  [{'mac_address': 'fa:16:3e:1e:c4:f1', 'ip_address': '192.168.0.0/16'}]
  ```

  I could not find definitive information on wether this is an allowed
  value for allowed_address_pairs, but at least the openstack/magnum
  project makes use of this.

  Once the above is set neutron-l3-agent logs errors shown in
  http://paste.openstack.org/show/807237/ and connection to all
  resources behind the router stop.

  Steps to reproduce:
  Set up openstack environment with neutron build from git branch stable/train with OVS, DVR and router HA in a multinode deployment on ubuntu bionic.

  Create a test environment:
  openstack network create test
  openstack subnet create --network test --subnet-range 10.0.0.0/24 test
  openstack router create --ha --distributed test
  openstack router set --external-gateway <provider network> test
  openstack router add subnet test test
  openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
  openstack security group create icmp
  openstack security group rule create --protocol icmp --ingress icmp
  openstack server add security group test icmp
  openstack floating ip create <provider network>
  openstack server add floating ip test <floating ip>
  ping <floating ip>
  openstack port set --allowed-address ip-address=192.168.0.0/16 <instance port>
  ping <floating ip>

  Observe loss of ping after setting allowed_address_pairs.
  Revert https://review.opendev.org/c/openstack/neutron/+/792791 and redeploy neutron
  ping <floating ip>
  Observe reestablishment of the connection.

  Please let me know if you need any other information


  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  SRU:

  [Impact]
  VM with floating ip are unreachable from external

  [Test Case]
  Create a test environment on bionic ussuri
  openstack network create test
  openstack subnet create --network test --subnet-range 10.0.0.0/24 test
  openstack router create --ha --distributed test
  openstack router set --external-gateway <provider network> test
  openstack router add subnet test test
  openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
  openstack security group create icmp
  openstack security group rule create --protocol icmp --ingress icmp
  openstack server add security group test icmp
  openstack floating ip create <provider network>
  openstack server add floating ip test <floating ip>
  ping <floating ip>
  openstack port set --allowed-address ip-address=192.168.0.0/16 <instance port>
  openstack router set --disable <router>
  openstack router set --enable <router>
  ping <floating ip>

  # ping should be successful after router is enabled.

  [Regression Potential]
  The only possibilities for allowed_address_pair are either IP or a CIDR. There is no chance of garbage values since it is verified during port update with allowed_address_pair. The edge case of IP with CIDR notation like /32 are already covered in common_utils.is_cidr_host() function call. All the upstream CI builds until stable/ussuri are successful.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1934912/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list