Re: [openstack-dev] Challenges with highly available service VMs

2014-05-21 Thread Praveen Yalagandula
Hi Aaron, I reported it as a bug with a bit more detail: https://bugs.launchpad.net/neutron/+bug/1321864. The report has examples showing the incompleteness in the overlap check due to cidr notation allowed in the allowed address pairs API. Cheers, Praveen On Tue, May 20, 2014 at 7:54 PM, Aaron

Re: [openstack-dev] Challenges with highly available service VMs

2014-05-20 Thread Aaron Rosen
Hi Praveen, I think we should fix the update_method instead to properly check for this. I don't see any advantage to allow the fixed_ips/mac to be in the allowed_address_pairs since they are explicitly allowed. What's your motivation for changing this? Aaron On Mon, May 19, 2014 at 4:05 PM,

Re: [openstack-dev] Challenges with highly available service VMs

2014-05-20 Thread Praveen Yalagandula
Hi Aaron, The main motivation is simplicity. Consider the case where we want to allow ip cidr 10.10.1.0/24 to be allowed on a port which has a fixed IP of 10.10.1.1. Now if we do not want to allow overlapping, then one needs to add 8 cidrs to get around this - (10.10.1.128/25, 10.10.1.64/26,

Re: [openstack-dev] Challenges with highly available service VMs

2014-05-20 Thread Aaron Rosen
arosen@arosen-MacBookPro:~/devstack$ neutron port-show f5117013-ac04-45af-a5d6-e9110213ad6f +---+--+ | Field | Value |

Re: [openstack-dev] Challenges with highly available service VMs

2014-05-20 Thread Aaron Rosen
Hi Praveen, I think there is some confusion here. This function doesn't check if there is any overlap that occurs within the cidr block. It only checks that the fixed_ips+mac don't overlap with an allowed address pair. In your example if the host has an ip_address of 10.10.1.1 and you want to

Re: [openstack-dev] Challenges with highly available service VMs

2014-05-19 Thread Praveen Yalagandula
Hi Aaron, In OVS and ML2 plugins, on port-update, there is a check to make sure that allowed-address-pairs and fixed-ips don't overlap. Can you please explain why that is needed? - icehouse final: neutron/plugins/ml2/plugin.py 677 elif changed_fixed_ips:

Re: [openstack-dev] Challenges with highly available service VMs

2014-05-19 Thread Aaron Rosen
Hi, Sure, if you look at this method: def _check_fixed_ips_and_address_pairs_no_overlap(self, context, port): address_pairs = self.get_allowed_address_pairs(context, port['id']) for fixed_ip in port['fixed_ips']: for address_pair in address_pairs:

Re: [openstack-dev] Challenges with highly available service VMs

2014-05-19 Thread Praveen Yalagandula
Hi Aaron, Thanks for the prompt response. If the overlap does not have any negative effect, can we please just remove this check? It creates confusion as there are certain code paths where we do not perform this check. For example, the current code does NOT perform this check when we are

Re: [openstack-dev] Challenges with highly available service VMs

2013-07-18 Thread Ian Wells
I'd still like the simpler and more general purpose 'disable spoofing' option as well. That doesn't allow MAC spoofing and it doesn't work for what I'm up to. Read the document properly, Ian. I take back the MAC spoofing comment, but it still won't work for what I'm up to ;)

Re: [openstack-dev] Challenges with highly available service VMs

2013-07-18 Thread Ian Wells
On 18 July 2013 00:45, Aaron Rosen aro...@nicira.com wrote: Hi Ian, For shared networks if the network is set to port_security_enabled=True then the tenant will not be able to remove port_security_enabled from their port if they are not the owner of the network. I believe this is the correct

Re: [openstack-dev] Challenges with highly available service VMs

2013-07-18 Thread Ian Wells
On 18 July 2013 19:48, Aaron Rosen aro...@nicira.com wrote: Is there something this is missing that could be added to cover your use case? I'd be curious to hear where this doesn't work for your case. One would need to implement the port_security extension if they want to completely allow all

Re: [openstack-dev] Challenges with highly available service VMs

2013-07-18 Thread Aaron Rosen
Yup: I'm definitely happy to review and give hints. Blueprint: https://docs.google.com/document/d/18trYtq3wb0eJK2CapktN415FRIVasr7UkTpWn9mLq5M/edit https://review.openstack.org/#/c/19279/ patch that merged the feature; Aaron On Thu, Jul 18, 2013 at 5:15 PM, Ian Wells ijw.ubu...@cack.org.uk

Re: [openstack-dev] Challenges with highly available service VMs

2013-07-10 Thread Vishvananda Ishaya
On Jul 4, 2013, at 8:26 PM, Ian Wells ijw.ubu...@cack.org.uk wrote: On 4 July 2013 23:42, Robert Collins robe...@robertcollins.net wrote: Seems like a tweak would be to identify virtual IPs as separate to the primary IP on a port: you don't need to permit spoofing of the actual host IP for