yahoo-eng-team team mailing list archive
Message #24119
[Bug 1386041] [NEW] can't connect external network using default snat from tenant network
Public bug reported:
See the following example:
---
------+----------------- external network 192.168.10.0/24
      |
      | 192.168.10.10
  +---+---+
  |  r1   | routes [{nexthop: 10.0.0.2, destination: 20.0.0.0/24}]
  +---+---+
      | 10.0.0.1
      |
------+-----+----------- tenant network1 10.0.0.0/24 (gw: 10.0.0.1)
            |
            | 10.0.0.2
        +---+---+
        |  r2   | routes [{nexthop: 10.0.0.1, destination: 0.0.0.0/0}]
        +---+---+
            | 20.0.0.1
            |
------------+------------ tenant network2 20.0.0.0/24 (gw: 20.0.0.1)
---
Users want to access the external network from tenant network2 using default SNAT, but can't.
(tenant network2 is connected to r1 indirectly and routes are set properly.)
Users can currently access the external network only from tenant network1 (which is directly connected to r1).
I think it is a bug since this restriction is unnecessary.
It is easy to fix. How about this?
---
diff --git a/neutron/agent/l3_agent.py b/neutron/agent/l3_agent.py
index ff8ad47..097fa36 100644
--- a/neutron/agent/l3_agent.py
+++ b/neutron/agent/l3_agent.py
@@ -1445,9 +1445,8 @@ class L3NATAgent(firewall_l3_agent.FWaaSL3AgentRpcCallback,
rules = [('POSTROUTING', '! -i %(interface_name)s '
'! -o %(interface_name)s -m conntrack ! '
'--ctstate DNAT -j ACCEPT' %
- {'interface_name': interface_name})]
- for cidr in internal_cidrs:
- rules.extend(self.internal_network_nat_rules(ex_gw_ip, cidr))
+ {'interface_name': interface_name}),
+ ('snat', '-j SNAT --to-source %s' % ex_gw_ip)]
return rules
def _snat_redirect_add(self, ri, gateway, sn_port, sn_int):
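Review bot: dropping the per-CIDR `-s` match in the snat chain removes the only source restriction on SNAT, and the POSTROUTING rule directly above explicitly does not ACCEPT traffic in conntrack state DNAT, so an inbound connection to a floating IP that arrives on the gateway interface and is DNATed toward a tenant port would now fall through to the unconditional `('snat', '-j SNAT --to-source %s' % ex_gw_ip)` rule and reach the instance with the router's gateway address as its source instead of the real client address. Suggest scoping the replacement rule to the gateway device, e.g. `('snat', '-o %(interface_name)s -j SNAT --to-source %(ex_gw_ip)s' % {...})`, which still covers the indirectly attached 20.0.0.0/24 traffic that motivates the change, and adding a unit test for the DNAT-state case. Note also that `internal_cidrs` is no longer consumed anywhere in this function after the loop is removed.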
@@ -1560,11 +1559,6 @@ class L3NATAgent(firewall_l3_agent.FWaaSL3AgentRpcCallback,
self.driver.unplug(interface_name, namespace=ri.ns_name,
prefix=INTERNAL_DEV_PREFIX)
- def internal_network_nat_rules(self, ex_gw_ip, internal_cidr):
- rules = [('snat', '-s %s -j SNAT --to-source %s' %
- (internal_cidr, ex_gw_ip))]
- return rules
-
def _create_agent_gateway_port(self, ri, network_id):
"""Create Floating IP gateway port.
---
** Affects: neutron
Importance: Undecided
Status: New
** Tags: l3-ipam-dhcp
** Tags added: l3-ipam-dhcp
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1386041
Title:
can't connect external network using default snat from tenant network
Status in OpenStack Neutron (virtual network service):
New
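To make the scope of the proposed rule visible, here is an added Python model (not neutron code and not part of the report) of the POSTROUTING accept rule quoted in the patch followed by the snat chain, evaluated against three constructed packets: tenant network1 outbound, tenant network2 outbound via r2, and an inbound connection to a floating IP that has already been DNATed. It assumes hypothetical device names `qg-r1` and `qr-net1` and an external client at 192.168.10.50, and goes beyond the patch by also evaluating a variant rule scoped with `-o <gateway device>`.

```python
import ipaddress

# Constructed values matching the report's topology: r1's gateway address, its
# (hypothetical) device names, and the one subnet directly attached to r1.
EX_GW_IP = "192.168.10.10"
EX_GW_IF = "qg-r1"
INTERNAL_CIDRS = ["10.0.0.0/24"]

# Constructed packets: (source, ingress device, egress device, conntrack state)
PACKETS = {
    "net1_outbound": ("10.0.0.5", "qr-net1", EX_GW_IF, "NEW"),
    "net2_outbound_via_r2": ("20.0.0.5", "qr-net1", EX_GW_IF, "NEW"),
    "inbound_to_floating_ip": ("192.168.10.50", EX_GW_IF, "qr-net1", "DNAT"),
}

def rules_before(ex_gw_ip, internal_cidrs):
    """One '-s <cidr> -j SNAT' rule per attached subnet (the removed internal_network_nat_rules)."""
    return [({"src": ipaddress.ip_network(c)}, ex_gw_ip) for c in internal_cidrs]

def rules_proposed(ex_gw_ip):
    """The patch's single unconditional '-j SNAT --to-source' rule."""
    return [({}, ex_gw_ip)]

def rules_scoped(ex_gw_ip, ex_gw_if):
    """Variant restricted with '-o <gateway device>': only traffic leaving via the gateway is rewritten."""
    return [({"out_if": ex_gw_if}, ex_gw_ip)]

def postrouting(pkt, snat_rules, ex_gw_if):
    """Model of the quoted POSTROUTING rule followed by the snat chain; returns the egress source."""
    src, in_if, out_if, ctstate = pkt
    # '! -i qg ! -o qg -m conntrack ! --ctstate DNAT -j ACCEPT': purely internal traffic skips NAT,
    # but DNAT-state traffic is deliberately not accepted and falls through to the snat chain.
    if in_if != ex_gw_if and out_if != ex_gw_if and ctstate != "DNAT":
        return src
    for match, to_source in snat_rules:  # first matching SNAT rule wins, as in iptables
        if "src" in match and ipaddress.ip_address(src) not in match["src"]:
            continue
        if "out_if" in match and out_if != match["out_if"]:
            continue
        return to_source
    return src

def evaluate(snat_rules, ex_gw_if=EX_GW_IF):
    """Egress source address of each constructed packet under a given snat chain."""
    return {name: postrouting(pkt, snat_rules, ex_gw_if) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, rules in (("before", rules_before(EX_GW_IP, INTERNAL_CIDRS)),
                         ("proposed", rules_proposed(EX_GW_IP)),
                         ("scoped", rules_scoped(EX_GW_IP, EX_GW_IF))):
        print(label, evaluate(rules))
```

The "before" chain leaves the 20.0.0.0/24 packet un-NATed (the reported bug), the unconditional "proposed" rule also rewrites the DNATed inbound packet so the instance sees the gateway address as the client, and the "scoped" variant fixes the report's case without that side effect.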