feat(neutron): enforce address scope on SVI router interfaces #2090

Open
nidzrai wants to merge 1 commit into main from svi-address-scope-validation

@nidzrai nidzrai commented Jun 22, 2026

Summary

This PR enforces address-scope validation for SVI-flavored routers.

SVI router interfaces should only be attached to subnets that belong to an address scope. In addition, all attached subnets for the same IP version on a single SVI router must use the same address scope.

What Changed

  • Added SVI router detection based on the router flavor provider driver.
  • Added shared SVI address-scope validation logic.
  • Validates new router-interface subnets before UnderStack VLAN/trunk/OVN postcommit work.
  • Validates both router interface attach paths:
    • openstack router add subnet
    • openstack router add port
  • Tracks IPv4 and IPv6 scopes independently.
  • Returns BadRequest / HTTP 400 for invalid SVI attachments.
  • Added logs for precommit validation and callback validation, including attach_mode=subnet / attach_mode=port.
  • Added unit tests for valid and invalid scope scenarios.

Validation Rules

For SVI routers:

  1. A subnet must have a subnetpool.
  2. The subnetpool must have an address_scope_id.
  3. Same-IP-version subnets attached to the same SVI router must use the same address scope.
  4. IPv4 and IPv6 are evaluated independently.
  5. Non-SVI routers are not affected.

iad-dev Smoke Testing

Validate both attach paths:
openstack router add subnet
openstack router add port

Case 1: SVI + No Scope Fails
openstack router add subnet nidhi-svi-2090-svi-router nidhi-svi-2090-noscope-subnet
error : BadRequestException: 400: Client Error for url: https://neutron.iad3-dev.undercloud.rackspace.net/v2.0/routers/d2efb479-3b96-4fa2-8c45-adf1d1b71791/add_router_interface, Bad router request: Subnet 42eee879-1137-4e66-9346-a059508f5358 must belong to an address scope to attach to an SVI router..

Case 2: SVI + First Scoped Subnet Passes
openstack router add subnet nidhi-svi-2090-svi-router nidhi-svi-2090-scope-a-subnet-1

openstack router show nidhi-svi-2090-svi-router -c interfaces_info
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                  |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------+
| interfaces_info | [{"port_id": "0ea0b12a-1b28-4b05-a63f-a49104363011", "ip_address": "10.209.0.1", "subnet_id": "e2250b20-69a0-4f95-b488-05bccca33773"}] |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------+
(openstack)

Case 3: SVI + Same Scope Passes

openstack router add subnet nidhi-svi-2090-svi-router nidhi-svi-2090-scope-a-subnet-2

~ 🐍 openstack on ☁️  uc-dev-infra(baremetal) took 5s
❯ openstack router show   nidhi-svi-2090-svi-router -c interfaces_info

+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                    |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| interfaces_info | [{"port_id": "0ea0b12a-1b28-4b05-a63f-a49104363011", "ip_address": "10.209.0.1", "subnet_id": "e2250b20-69a0-4f95-b488-05bccca33773"}, {"port_id":       |
|                 | "9093a111-b0a2-4a57-9b3b-d7dda08e7fd9", "ip_address": "10.209.1.1", "subnet_id": "d0ba5ca9-8037-4b1a-ad99-92cd8364e33c"}]                                |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
(openstack)

Case 4: SVI + Different Scope Fails
openstack router add subnet nidhi-svi-2090-svi-router nidhi-svi-2090-scope-b-subnet

❯ openstack router add subnet ${PFX}-svi-router ${PFX}-scope-b-subnet
BadRequestException: 400: Client Error for url: https://neutron.iad3-dev.undercloud.rackspace.net/v2.0/routers/d2efb479-3b96-4fa2-8c45-adf1d1b71791/add_router_interface, Bad router request: Cannot attach subnet ['2192faae-8f14-43da-8ffe-0fe784b4b603']: its IPv4 address scope '4b628923-ad0d-4c31-ace4-b66cf05a283a' differs from scope 'ebdaf7d8-eb39-4703-803d-6f3b81c3df89' already in use on router d2efb479-3b96-4fa2-8c45-adf1d1b71791.. 

neutron-server pod log

2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers Traceback (most recent call last):
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers   File "/var/lib/openstack/lib/python3.12/site-packages/neutron/plugins/ml2/managers.py", line 500, in _call_on_drivers
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers     getattr(driver.obj, method_name)(context)
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers   File "/var/lib/openstack/lib/python3.12/site-packages/neutron_understack/neutron_understack_mech.py", line 116, in create_port_precommit
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers     checked = svi_router.validate_svi_router_port(
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers   File "/var/lib/openstack/lib/python3.12/site-packages/neutron_understack/l3_router/svi.py", line 290, in validate_svi_router_port
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers     new_scopes = _validate_address_scope_rules(
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers   File "/var/lib/openstack/lib/python3.12/site-packages/neutron_understack/l3_router/svi.py", line 215, in _validate_address_scope_rules
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers     raise n_exc.BadRequest(
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers neutron_lib.exceptions.BadRequest: Bad router request: Cannot attach subnet ['2192faae-8f14-43da-8ffe-0fe784b4b603']: its IPv4 address scope '4b628923-ad0d-4c31-ace4-b66cf05a283a' differs from scope 'ebdaf7d8-eb39-4703-803d-6f3b81c3df89' already in use on router d2efb479-3b96-4fa2-8c45-adf1d1b71791..
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers
2026-06-23 13:19:31.159 9 ERROR neutron.plugins.ml2.managers [None req-0f3d6414-8fa1-4a98-9eaf-4d547ba77d5c 684d9ee39a5f3fac9239338ed3026116d96dd6267e9aeb631fb2c4eb9c160f2b 32e02632f4f04415bab5895d1e7247b7 - - 1f75c3b20fcb41ec924a71be83a5ee94 7f46f53fcb3c4625a343eaa35b5e0d04] Mechanism driver 'understack' failed in create_port_precommit: neutron_lib.exceptions.BadRequest: Bad router request: Cannot attach subnet ['2192faae-8f14-43da-8ffe-0fe784b4b603']: its IPv4 address scope '4b628923-ad0d-4c31-ace4-b66cf05a283a' differs from scope 'ebdaf7d8-eb39-4703-803d-6f3b81c3df89' already in use on router d2efb479-3b96-4fa2-8c45-adf1d1b71791..

Case 5:
~ 🐍 openstack on ☁️ uc-dev-infra(baremetal) took 7s
❯ openstack port create --network nidhi-svi-2090-noscope-net nidhi-svi-2090-noscope-port

❯ openstack router add port ${PFX}-svi-router ${PFX}-noscope-port
ConflictException: 409: Client Error for url: https://neutron.iad3-dev.undercloud.rackspace.net/v2.0/routers/d2efb479-3b96-4fa2-8c45-adf1d1b71791/add_router_interface, Error cannot perform router interface attachment due to Callback neutron_understack.l3_router.svi.Svi._validate_svi_router_interface-186890 failed with "Bad router request: Subnet 42eee879-1137-4e66-9346-a059508f5358 must belong to an address scope to attach to an SVI router.." while attempting the operation.
(openstack)

Successful Port Add test

~ 🐍 openstack on ☁️  uc-dev-infra(baremetal) took 7s
❯ openstack router add port nidhi-svi-2090-port-router nidhi-svi-2090-port-port-a
(openstack)
~ 🐍 openstack on ☁️  uc-dev-infra(baremetal) took 7s
❯ openstack router show nidhi-svi-2090-port-router -c interfaces_info
openstack port show nidhi-svi-2090-port-port-a -c id -c name -c device_owner -c device_id -c fixed_ips
+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                    |
+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+
| interfaces_info | [{"port_id": "73fd02df-fa0e-4e08-9601-77d208b2da1a", "ip_address": "10.209.2.223", "subnet_id": "81f093e9-209b-406f-8e56-de58ff8ef5db"}] |
+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+
+--------------+-----------------------------------------------------------------------------+
| Field        | Value                                                                       |
+--------------+-----------------------------------------------------------------------------+
| device_id    | 1419eb91-5be7-4842-902d-b8ac93c7b2f7                                        |
| device_owner | network:router_interface                                                    |
| fixed_ips    | ip_address='10.209.2.223', subnet_id='81f093e9-209b-406f-8e56-de58ff8ef5db' |
| id           | 73fd02df-fa0e-4e08-9601-77d208b2da1a                                        |
| name         | nidhi-svi-2090-port-port-a                                                  |
+--------------+-----------------------------------------------------------------------------+
(openstack)

@nidzrai nidzrai marked this pull request as draft June 22, 2026 09:53
@nidzrai nidzrai force-pushed the svi-address-scope-validation branch from e367975 to fe06a92 Compare June 22, 2026 13:19
@nidzrai nidzrai changed the title Svi address scope validation feat(neutron): enforce address scope on SVI router interfaces Jun 22, 2026
@nidzrai nidzrai force-pushed the svi-address-scope-validation branch 4 times, most recently from 550950a to 549a255 Compare June 22, 2026 17:16
@nidzrai nidzrai marked this pull request as ready for review June 23, 2026 10:34
@nidzrai nidzrai force-pushed the svi-address-scope-validation branch 3 times, most recently from 9d28709 to 251d318 Compare June 23, 2026 12:32
Validate that subnets attached to an SVI-flavored router belong to an
address scope, and that all subnets on a router share one scope per IP
version. Two layers:

- create_port_precommit gate (validate_svi_router_port) rejects invalid
  subnets before VLAN/trunk/Undersync work runs in postcommit
- ROUTER_INTERFACE BEFORE_CREATE callback as a safety net

SVI detection goes through a single helper shared by both paths.
@nidzrai nidzrai force-pushed the svi-address-scope-validation branch from 251d318 to 0a50de6 Compare June 23, 2026 14:17
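
The validation rules listed in the description and restated in the commit message, sketched as an added example; this is not the neutron_understack code from this PR. `Subnet`, `ScopeViolation`, `validate_attach` and `rejected` are hypothetical names, the sample subnets are constructed, and already-attached subnets are assumed to have been validated earlier.

```python
from dataclasses import dataclass
from typing import Optional


class ScopeViolation(ValueError):
    """Stand-in for the BadRequest / HTTP 400 named in the PR description."""


@dataclass(frozen=True)
class Subnet:
    """Hypothetical flattened view: a subnet plus its subnetpool's scope."""
    id: str
    ip_version: int                          # 4 or 6
    subnetpool_id: Optional[str] = None
    address_scope_id: Optional[str] = None   # read from the subnetpool


def validate_attach(is_svi, attached, new_subnets):
    """Return {ip_version: scope_id} after the attach, or raise ScopeViolation."""
    if not is_svi:                           # rule 5: non-SVI routers unaffected
        return {}
    # Assumption: already-attached subnets passed this check earlier; any
    # without a scope are ignored instead of failing the new request.
    in_use = {}
    for s in attached:
        if s.address_scope_id is not None:
            in_use.setdefault(s.ip_version, s.address_scope_id)
    for s in new_subnets:                    # a port may carry several subnets
        if s.subnetpool_id is None or s.address_scope_id is None:  # rules 1, 2
            raise ScopeViolation(f"subnet {s.id} has no address scope")
        current = in_use.setdefault(s.ip_version, s.address_scope_id)  # rule 4
        if current != s.address_scope_id:    # rule 3: one scope per IP version
            raise ScopeViolation(
                f"subnet {s.id}: IPv{s.ip_version} scope {s.address_scope_id} "
                f"differs from {current} already in use")
    return in_use


def rejected(is_svi, attached, new_subnets):
    """True when the attach would be refused."""
    try:
        validate_attach(is_svi, attached, new_subnets)
    except ScopeViolation:
        return True
    return False


# Constructed sample subnets (not taken from the PR's test environment).
NOSCOPE = Subnet("sub-noscope", 4)
A1 = Subnet("sub-a1", 4, "pool-a", "scope-a")
A2 = Subnet("sub-a2", 4, "pool-a", "scope-a")
B1 = Subnet("sub-b1", 4, "pool-b", "scope-b")
V6 = Subnet("sub-v6", 6, "pool-v6", "scope-v6")
```

Passing a list for `new_subnets` covers the port attach path, where a single port can carry fixed IPs from more than one subnet and those subnets must also agree with each other.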