From 548700e815d3b3738d58dd58ec3ffac13c091cfe Mon Sep 17 00:00:00 2001
From: Shih-Hao Li
Date: Sat, 10 Sep 2016 11:50:58 -0700
Subject: [PATCH] NSX|V3: check if subnet overlaps with shared address space

NSX backend doesn't allow a subnet in 100.64.0.0/10 range attached to a router. Thus we enforce this in the plugin when creating a subnet.

Change-Id: Icf3c62a40744577d29bb052e5b90b5999c0ba7df
---
 vmware_nsx/plugins/nsx_v3/plugin.py | 13 +++++++++++++
 vmware_nsx/tests/unit/nsx_v3/test_plugin.py | 11 +++++++++++
 2 files changed, 24 insertions(+)

diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index 0cefe823eb..421a4708cc 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -1004,7 +1004,20 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 LOG.error(_LE("Unable to delete DHCP server mapping for "
 "network %s"), network_id)

+ def _validate_address_space(self, subnet):
+ cidr = subnet.get('cidr')
+ if (not validators.is_attr_set(cidr) or
+ netaddr.IPNetwork(cidr).version != 4):
+ return
+ # Check if subnet overlaps with shared address space.
+ # This is checked on the backend when attaching subnet to a router.
+ if netaddr.IPSet([cidr]) & netaddr.IPSet(['100.64.0.0/10']):
+ msg = _("Subnet overlaps with shared address space 100.64.0.0/10")
+ raise n_exc.InvalidInput(error_message=msg)
+
 def create_subnet(self, context, subnet):
+ self._validate_address_space(subnet['subnet'])
+
 # TODO(berlin): public external subnet announcement
 if (cfg.CONF.nsx_v3.native_dhcp_metadata and
 subnet['subnet'].get('enable_dhcp', False)):
diff --git a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
index a487ce87c2..d37fa2f25b 100644
--- a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
+++ b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
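Review bot: In `_validate_address_space` (vmware_nsx/plugins/nsx_v3/plugin.py) the early `return` for an unset `cidr` means a subnet whose range is allocated from a subnet pool is never compared with 100.64.0.0/10, so an overlapping allocation would presumably still be created and fail only when the backend rejects the router attach. The allocated CIDR needs the same check before the subnet is committed; where that belongs cannot be judged from here, because the rest of `create_subnet` lies outside the hunk. If the gap is accepted, it should at least be recorded with a comment such as `# NOTE: cidr is unset for subnet pool allocations; the allocated range is not validated here`. Separately, `netaddr.IPNetwork(cidr)` raises `AddrFormatError` on a malformed string, so a caller that reaches the plugin without API-level validation would get that exception instead of `InvalidInput`. The helper also lacks a docstring saying that IPv6 and unset CIDRs are skipped on purpose, for example `"""Reject IPv4 subnets that overlap 100.64.0.0/10 (RFC 6598)."""`.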
@@ -215,6 +215,17 @@ class TestNetworksV2(test_plugin.TestNetworksV2, NsxV3PluginTestCaseMixin):
 self.assertListEqual(az_hints, zone)


+class TestSubnetsV2(test_plugin.TestSubnetsV2, NsxV3PluginTestCaseMixin):
+
+ def test_create_subnet_with_shared_address_space(self):
+ with self.network() as network:
+ data = {'subnet': {'network_id': network['network']['id'],
+ 'cidr': '100.64.0.0/16'}}
+ self.assertRaises(n_exc.InvalidInput,
+ self.plugin.create_subnet,
+ context.get_admin_context(), data)
+
+
 class TestPortsV2(test_plugin.TestPortsV2, NsxV3PluginTestCaseMixin,
 test_bindings.PortBindingsTestCase,
 test_bindings.PortBindingsHostTestCaseMixin,
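Review bot: `test_create_subnet_with_shared_address_space` covers only a CIDR that sits wholly inside 100.64.0.0/10, so the overlap check is not pinned at its edges and a regression to a containment test would go unnoticed. A supernet case such as `'cidr': '100.0.0.0/8'` should also raise `n_exc.InvalidInput`, and an adjacent range such as `'cidr': '100.128.0.0/16'` should be accepted; both sample values are constructed for illustration. The request dict carries only `network_id` and `cidr`, so the assertion appears to depend on the address-space check running before any other validation in `create_subnet`. Checking the exception message for the 100.64.0.0/10 text, or adding a comment to that effect, would tie the test to the new check.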