Hi Aaron,
I reported it as a bug with bit more details:
https://bugs.launchpad.net/neutron/+bug/1321864. The report has examples
showing the incompleteness in the overlap check due to cidr notation
allowed in the allowed address pairs API.
Cheers,
Praveen
On Tue, May 20, 2014 at 7:54 PM, Aaron
Hi Praveen,
I think there is some confusion here. This function doesn't check if there
is any overlap that occurs within the cidr block. It only checks that the
fixed_ips+mac don't overlap with an allowed address pair. In your example
if the host has an ip_address of 10.10.1.1 and you want to allo
arosen@arosen-MacBookPro:~/devstack$ neutron port-show
f5117013-ac04-45af-a5d6-e9110213ad6f
+---+--+
| Field | Value
|
+---+
Hi Aaron,
The main motivation is simplicity. Consider the case where we want to allow
ip cidr 10.10.1.0/24 to be allowed on a port which has a fixed IP of
10.10.1.1. Now if we do not want to allow overlapping, then one needs to
add 8 cidrs to get around this - (10.10.1.128/25, 10.10.1.64/26,
10.10
Hi Praveen,
I think we should fix the update_method instead to properly check for this.
I don't see any advantage to allow the fixed_ips/mac to be in the
allowed_address_pairs since they are explicitly allowed. What's your
motivation for changing this?
Aaron
On Mon, May 19, 2014 at 4:05 PM, Pra
Hi Aaron,
Thanks for the prompt response.
If the overlap does not have any negative effect, can we please just remove
this check? It creates confusion as there are certain code paths where we
do not perform this check. For example, the current code does NOT perform
this check when we are updating
Hi,
Sure, if you look at this method:
def _check_fixed_ips_and_address_pairs_no_overlap(self, context, port):
address_pairs = self.get_allowed_address_pairs(context, port['id'])
for fixed_ip in port['fixed_ips']:
for address_pair in address_pairs:
Hi Aaron,
In OVS and ML2 plugins, on port-update, there is a check to make sure that
allowed-address-pairs and fixed-ips don't overlap. Can you please explain
why that is needed?
- icehouse final: neutron/plugins/ml2/plugin.py
677 elif changed_fixed_ips:
678
Yup:
I'm definitely happy to review and give hints.
Blueprint:
https://docs.google.com/document/d/18trYtq3wb0eJK2CapktN415FRIVasr7UkTpWn9mLq5M/edit
https://review.openstack.org/#/c/19279/ < patch that merged the feature;
Aaron
On Thu, Jul 18, 2013 at 5:15 PM, Ian Wells wrote:
> On 18 July 2
On 18 July 2013 19:48, Aaron Rosen wrote:
> Is there something this is missing that could be added to cover your use
> case? I'd be curious to hear where this doesn't work for your case. One
> would need to implement the port_security extension if they want to
> completely allow all ips/macs to p
Is there something this is missing that could be added to cover your use
case? I'd be curious to hear where this doesn't work for your case. One
would need to implement the port_security extension if they want to
completely allow all ips/macs to pass and they could state which ones are
explicitly
On 18 July 2013 00:45, Aaron Rosen wrote:
> Hi Ian,
>
> For shared networks if the network is set to port_security_enabled=True then
> the tenant will not be able to remove port_security_enabled from their port
> if they are not the owner of the network. I believe this is the correct
> behavior we
> I'd still like the simpler and more general purpose 'disable spoofing'
> option as well. That doesn't allow MAC spoofing and it doesn't work
> for what I'm up to.
Read the document properly, Ian. I take back the MAC spoofing
comment, but it still won't work for what I'm up to ;)
_
Hi Ian,
For shared networks if the network is set to port_security_enabled=True
then the tenant will not be able to remove port_security_enabled from their
port if they are not the owner of the network. I believe this is the
correct behavior we want. In addition, only admin's are able to create
sh
On 10 July 2013 21:14, Vishvananda Ishaya wrote:
>> It used to be essential back when we had nova-network and all tenants
>> ended up on one network. It became less useful when tenants could
>> create their own networks and could use them as they saw fit.
>>
>> It's still got its uses - for insta
On Jul 4, 2013, at 8:26 PM, Ian Wells wrote:
> On 4 July 2013 23:42, Robert Collins wrote:
>> Seems like a tweak would be to identify virtual IPs as separate to the
>> primary IP on a port:
>> you don't need to permit spoofing of the actual host IP for each host in
>> the HA cluster; you just n
16 matches
Mail list logo