← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #75979

[Bug 1805456] [NEW] [DVR] Neutron doesn't configure multiple external subnets for one network properly

  Thread PreviousDate PreviousThread Next 
Public bug reported:

Bug originally reported for RHOSP: https://bugzilla.redhat.com/show_bug.cgi?id=1651647 by Alex Stupnikov.
Original description:

It is possible to create two subnets for single external network and it
looks like we support such kind of setup. However, it doesn't work
properly: every DVR will have a single on-link route for ONLY ONE
external subnet and will not have on-link route for another one.

As a result, there are two scenarios when routing doesn't work as it
should:

- two instances with FIPs from different external subnets will have asymmetric traffic flows: if there is an on-link route for DST packet, it will be routed directly to another DVR. If not, packet will be routed to external router. As a result, if there is a stateful firewall on external router, this communication will be blocked.
- two instances with FIPs from the same external subnet could have suboptimal traffic flows if there are no on-link routes for this subnet. As a result, traffic will always go through external router, which could cause issues if router has protection against such kind of flows.

Here is an example output of routing table in fip-* namespace on compute
node where single external network has two subnets: 10.0.0.0/24 and
10.0.1.0/24:

default via 10.0.0.1 dev fg-83ec5f16-be table 2852022899 
10.0.0.0/24 dev fg-83ec5f16-be proto kernel scope link src 10.0.0.225 
10.0.0.218 via 169.254.106.114 dev fpr-789f245b-1 
10.0.0.219 via 169.254.106.114 dev fpr-789f245b-1 
10.0.1.15 via 169.254.106.114 dev fpr-789f245b-1

As we can see, there are host routes for local FIPs, a single on-link
route for 10.0.0.0/24 subnet and default route.


Additional information:

An upstream bug for legacy routers [1] was solved long time ago.

[1] https://bugs.launchpad.net/neutron/+bug/1312467

** Affects: neutron
     Importance: Medium
     Assignee: Slawek Kaplonski (slaweq)
         Status: Confirmed


** Tags: l3-dvr-backlog

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1805456

Title:
  [DVR] Neutron doesn't configure multiple external subnets for one
  network properly

Status in neutron:
  Confirmed

Bug description:
  Bug originally reported for RHOSP: https://bugzilla.redhat.com/show_bug.cgi?id=1651647 by Alex Stupnikov.
  Original description:

  It is possible to create two subnets for single external network and
  it looks like we support such kind of setup. However, it doesn't work
  properly: every DVR will have a single on-link route for ONLY ONE
  external subnet and will not have on-link route for another one.

  As a result, there are two scenarios when routing doesn't work as it
  should:

  - two instances with FIPs from different external subnets will have asymmetric traffic flows: if there is an on-link route for DST packet, it will be routed directly to another DVR. If not, packet will be routed to external router. As a result, if there is a stateful firewall on external router, this communication will be blocked.
  - two instances with FIPs from the same external subnet could have suboptimal traffic flows if there are no on-link routes for this subnet. As a result, traffic will always go through external router, which could cause issues if router has protection against such kind of flows.

  Here is an example output of routing table in fip-* namespace on
  compute node where single external network has two subnets:
  10.0.0.0/24 and 10.0.1.0/24:

  default via 10.0.0.1 dev fg-83ec5f16-be table 2852022899 
  10.0.0.0/24 dev fg-83ec5f16-be proto kernel scope link src 10.0.0.225 
  10.0.0.218 via 169.254.106.114 dev fpr-789f245b-1 
  10.0.0.219 via 169.254.106.114 dev fpr-789f245b-1 
  10.0.1.15 via 169.254.106.114 dev fpr-789f245b-1

  As we can see, there are host routes for local FIPs, a single on-link
  route for 10.0.0.0/24 subnet and default route.

  
  Additional information:

  An upstream bug for legacy routers [1] was solved long time ago.

  [1] https://bugs.launchpad.net/neutron/+bug/1312467

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1805456/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next