neutron

Router gets address allocation from all new gw subnets

Bug #1438819 reported by Andrew Boik
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
High
Andrew Boik
neutron 7.0.0 "liberty"
Kilo
New
Undecided
Unassigned

Bug Description

When a new subnet is created on an external network, all existing routers with gateways on the network will get a new address allocated from it. This could be pretty bad for IPv4 networks where the addresses are scarce and therefore valuable. In some cases, the entire new subnet could be consumed by router gateway ports alone.

Adding an IP address replaces the default route on a Neutron router. In Kilo, Neutron now automatically allocates an IP address for the WAN interface on Neutron routers when a subnet on the external network is created. Previously, there was a check to allow a maximum of one IP address on a Neutron router gateway port. This check, however, was removed, and this patch replaces that check and allows one IPv6 address in addition to the IPv4 address to support dual-stack.

The combination of the automatic update of a router gateway port upon creation of a subnet and the absence of a check on the number of fixed IPs causes a change in behavior to that of Neutron in the Juno release.

An issue is that creation of a subnet with a gateway IP on the external network replaces all default routes of Neutron routers on that network. This is not the behavior operators expect based on previous releases, and is most likely not the behavior they want - and as a result it could cause loss of external connectivity to tenants based on the network configuration.

We need to validate a router's gateway port during creation and update of a router gateway port by ensuring it has no more than one v4 fixed IP and one v6 fixed IP.

See original description
Andrew Boik (drewboik)
Changed in neutron:
assignee: nobody → Andrew Boik (drewboik)
status: New → In Progress
Revision history for this message
Andrew Boik (drewboik) wrote :

https://review.openstack.org/#/c/167784/

Edgar Magana (emagana)
Changed in neutron:
importance: Undecided → Medium
Andrew Boik (drewboik)
tags: added: kilo-backport-potential kilo-rc-potential
description: updated
description: updated
tags: removed: kilo-backport-potential
Kyle Mestery (mestery)
Changed in neutron:
milestone: none → liberty-1
Andrew Boik (drewboik)
tags: added: kilo-backport-potential
Revision history for this message
Kyle Mestery (mestery) wrote :

Bumping priority, this seems like a troubling issue.

Changed in neutron:
importance: Medium → High
Revision history for this message
Carl Baldwin (carl-baldwin) wrote :

Looks like this started with https://review.openstack.org/#/c/161085

Carl Baldwin (carl-baldwin)
summary: - Validate number of addresses for router GW port
+ Router gw gets address allocation from all new subnets
summary: - Router gw gets address allocation from all new subnets
+ Router gets address allocation from all new gw subnets
Carl Baldwin (carl-baldwin)
description: updated
tags: added: l3-ipam-dhcp
Thierry Carrez (ttx)
tags: removed: kilo-rc-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/167784
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1bfd86e1ef7148370798aa99c868d7f931fcbf78
Submitter: Jenkins
Branch: master

commit 1bfd86e1ef7148370798aa99c868d7f931fcbf78
Author: Andrew Boik <email address hidden>
Date: Wed Mar 25 16:05:41 2015 -0400

    Limit router gw ports' stateful fixed IPs to one per address family

    Validate a router's gateway port during a router update by ensuring
    it has no more than one v4 fixed IP and one v6 (statefully-assigned)
    fixed IP.

    Note that there is no limit on v6 addresses from SLAAC and
    DHCPv6-stateless subnets as they are automatically allocated.

    Change-Id: I6a328048b99af39ab9497fd9f265d1a9b95b7148
    Closes-Bug: 1438819
    Partially-implements: blueprint multiple-ipv6-prefixes

Changed in neutron:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/181690

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (neutron-pecan)

Fix proposed to branch: neutron-pecan
Review: https://review.openstack.org/185072

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/kilo)

Reviewed: https://review.openstack.org/181690
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=95d0985f5e8442d88e1495b1fbe4a2ddc32e8f21
Submitter: Jenkins
Branch: stable/kilo

commit 95d0985f5e8442d88e1495b1fbe4a2ddc32e8f21
Author: Andrew Boik <email address hidden>
Date: Wed Mar 25 16:05:41 2015 -0400

    Limit router gw ports' stateful fixed IPs to one per address family

    Validate a router's gateway port during a router update by ensuring
    it has no more than one v4 fixed IP and one v6 (statefully-assigned)
    fixed IP.

    Note that there is no limit on v6 addresses from SLAAC and
    DHCPv6-stateless subnets as they are automatically allocated.

    Change-Id: I6a328048b99af39ab9497fd9f265d1a9b95b7148
    Closes-Bug: 1438819
    Partially-implements: blueprint multiple-ipv6-prefixes
    (cherry picked from commit 1bfd86e1ef7148370798aa99c868d7f931fcbf78)

tags: added: in-stable-kilo
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: liberty-1 → 7.0.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.