feat(neutron): enforce address scope on SVI router interfaces#2090
Open
nidzrai wants to merge 1 commit into
Open
feat(neutron): enforce address scope on SVI router interfaces#2090nidzrai wants to merge 1 commit into
nidzrai wants to merge 1 commit into
Conversation
nidzrai
force-pushed
the
svi-address-scope-validation
branch
from
e367975 to
fe06a92
Compare
nidzrai
changed the title
nidzrai
force-pushed
the
svi-address-scope-validation
branch
4 times, most recently
from
550950a to
549a255
Compare
nidzrai
force-pushed
the
svi-address-scope-validation
branch
2 times, most recently
from
2701235 to
9d28709
Compare
Validate that subnets attached to an SVI-flavored router belong to an address scope, and that all subnets on a router share one scope per IP version. Two layers: - create_port_precommit gate (validate_svi_router_port) rejects invalid subnets before VLAN/trunk/Undersync work runs in postcommit - ROUTER_INTERFACE BEFORE_CREATE callback as a safety net SVI detection goes through a single helper shared by both paths.
nidzrai
force-pushed
the
svi-address-scope-validation
branch
from
9d28709 to
251d318
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This change adds validation for SVI router interface attachments
Reject SVI router interface attach if the target subnet has no subnetpool/address scope.
Reject SVI router interface attach if the target subnet’s address scope differs from an existing subnet on the same SVI router for the same IP version.
Track IPv4 and IPv6 scopes independently, since Neutron address scopes are IP-version specific.
Validate both attach paths:
openstack router add subnet
openstack router add port
Returns BadRequest/HTTP 400 before UnderStack VLAN/trunk/OVN postcommit work runs.
9 ERROR neutron.plugins.ml2.managers [None req-2cf36d50-a219-49d9-88ae-afc5dd289c40 684d9ee39a5f3fac9239338ed3026116d96dd6267e9aeb631fb2c4eb9c160f2b 32e02632f4f04415bab5895d1e7247b7 - - 1f75c3b20fcb41ec924a71be83a5ee94 7f46f53fcb3c4625a343eaa35b5e0d04] Mechanism driver 'understack' failed in create_port_precommit: neutron_lib.exceptions.BadRequest: Bad router request: Cannot attach subnet ['eddc071b-1104-44ef-b0ca-a15ad37925c8']: its IPv4 address scope 'ad6692e5-9491-44a3-b16b-11ee3fc88f75' differs from scope '408174d2-cdeb-492c-af08-5d42ad346fdb' already in use on router 388585b5-ee2d-4bf9-baec-499fc45dc302..Validation Error
9 ERROR neutron.plugins.ml2.managers Traceback (most recent call last): 9 ERROR neutron.plugins.ml2.managers File "/var/lib/openstack/lib/python3.12/site-packages/neutron/plugins/ml2/managers.py", line 500, in _call_on_drivers 9 ERROR neutron.plugins.ml2.managers getattr(driver.obj, method_name)(context) 9 ERROR neutron.plugins.ml2.managers File "/var/lib/openstack/lib/python3.12/site-packages/neutron_understack/neutron_understack_mech.py", line 157, in create_port_precommit 9 ERROR neutron.plugins.ml2.managers checked = svi_router.validate_svi_router_port( 9 ERROR neutron.plugins.ml2.managers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 9 ERROR neutron.plugins.ml2.managers File "/var/lib/openstack/lib/python3.12/site-packages/neutron_understack/l3_router/svi.py", line 274, in validate_svi_router_port 9 ERROR neutron.plugins.ml2.managers new_scopes = _validate_address_scope_rules( 9 ERROR neutron.plugins.ml2.managers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 9 ERROR neutron.plugins.ml2.managers File "/var/lib/openstack/lib/python3.12/site-packages/neutron_understack/l3_router/svi.py", line 204, in _validate_address_scope_rules 9 ERROR neutron.plugins.ml2.managers raise n_exc.BadRequest( 9 ERROR neutron.plugins.ml2.managers neutron_lib.exceptions.BadRequest: Bad router request: Cannot attach subnet ['eddc071b-1104-44ef-b0ca-a15ad37925c8']: its IPv4 address scope 'ad6692e5-9491-44a3-b16b-11ee3fc88f75' differs from scope '408174d2-cdeb-492c-af08-5d42ad346fdb' already in use on router 388585b5-ee2d-4bf9-baec-499fc45dc302.. 9 ERRORneutron.plugins.ml2.managers``