Message #86119
[Bug 1922089] Re: [ovn] enable_snat cannot be disabled once enabled
Reviewed: https://review.opendev.org/c/openstack/neutron/+/788485
Committed: https://opendev.org/openstack/neutron/commit/ddc8e625f714aebd65a454f23fedc6d9a9320e89
Submitter: "Zuul (22348)"
Branch: master
commit ddc8e625f714aebd65a454f23fedc6d9a9320e89
Author: Lucas Alvares Gomes <lucasagomes@xxxxxxxxx>
Date: Wed Apr 28 13:41:15 2021 +0100

    [OVN] Fix: Disabling snat after it was enabled

    This patch removes a conditional check in the update_router() method
    which was verifying if snat was enabled in order to update the nat
    rules. This check does not make sense in the update method as if snat
    was disabled we should still call update_nat_rules() which will then
    remove the NAT entry from the OVN NB DB.

    Change-Id: Ice20d22365acaf33ee211b1e38b7d0bc151c1ba8
    Closes-Bug: #1922089
    Signed-off-by: Lucas Alvares Gomes <lucasagomes@xxxxxxxxx>

** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1922089
Title:
[ovn] enable_snat cannot be disabled once enabled
Status in neutron:
Fix Released
Status in neutron package in Ubuntu:
Confirmed
Bug description:
Hi,

Using OpenStack focal/ussuri - ovn version 20.03.1-0ubuntu1.2 and
neutron 2:16.2.0-0ubuntu2.

If "enable_snat" is enabled on an external gateway on a router, it's
not possible to disable it without completely removing said gateway
from the router.

For example:

I have a subnet called subnet_axino_test - 10.0.100.0/24

I run the following:

$ openstack router create router_axino_test
$ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test
$ openstack router add subnet router_axino_test subnet_axino_test

And so on OVN, I get nothing:

$ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24

Now, I enable SNAT:

$ openstack router set --enable-snat --external-gateway net_stg-external router_axino_test

This correctly adds an OVN SNAT entry as follows:

$ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24
_uuid : a65cc4b8-14ae-4ce4-b274-10eefdcc51dc
external_ids : {}
external_ip : "A.B.C.D"
external_mac : []
logical_ip : "10.131.100.0/24"
logical_port : []
options : {}
type : snat

Now, I remove SNAT from the router:

$ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test

I confirm this:

$ openstack router show router_axino_test | grep enable_snat
| external_gateway_info | {"network_id": "4fb8304e-7adb-4cc3-bae5-deb968263eb0", "external_fixed_ips": [{"subnet_id": "60000d47-1e44-41af-8f64-dd802d5c3ddc", "ip_address": "A.B.C.D"}], "enable_snat": false} |

Above, you can see that "enable_snat" is "false". So I would expect OVN to _not_ have a NAT entry. Yet, it does:

$ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24
_uuid : a65cc4b8-14ae-4ce4-b274-10eefdcc51dc
external_ids : {}
external_ip : "162.213.34.141"
external_mac : []
logical_ip : "10.131.100.0/24"
logical_port : []
options : {}
type : snat

The only way to remove SNAT is to completely remove the external gateway from the router, and to re-add it with SNAT disabled:

$ openstack router unset --external-gateway router_axino_test
$ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test

Note that this requires removing all the floating IPs from VMs behind
this router, which obviously makes them unreachable - which is less
than ideal in production.

Thanks
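
An added example, not part of the bug report or the Neutron patch: a Python check for the drift described above, flagging OVN `snat` rows that still cover a router's subnets although its `external_gateway_info` says `enable_snat` is false. The function names, the sample NAT output, the gateway dict and the `192.0.2.10` address are constructed for illustration.

```python
import ipaddress

# Constructed `ovn-nbctl list NAT` output in the record layout shown in the report
# (192.0.2.10 stands in for the redacted IP; UUIDs made up; second record trimmed).
SAMPLE_NAT = """\
_uuid               : 00000000-0000-0000-0000-00000000000a
external_ids        : {}
external_ip         : "192.0.2.10"
external_mac        : []
logical_ip          : "10.131.100.0/24"
logical_port        : []
options             : {}
type                : snat

_uuid               : 00000000-0000-0000-0000-00000000000b
external_ip         : "192.0.2.10"
logical_ip          : "10.131.100.7"
type                : dnat_and_snat
"""
# Constructed external_gateway_info, shaped like the `openstack router show` field.
GATEWAY = {"external_fixed_ips": [{"ip_address": "192.0.2.10"}], "enable_snat": False}

def parse_nat(text):
    """Parse blank-line separated records of 'key : value' rows."""
    records = []
    for block in text.strip().split("\n\n"):
        rows = (line.partition(":") for line in block.splitlines())
        rec = {k.strip(): v.strip().strip('"') for k, sep, v in rows if sep}
        if rec:
            records.append(rec)
    return records

def stale_snat(nat_records, gateway_info, subnet_cidrs):
    """UUIDs of snat rows still covering the router's subnets while enable_snat is false."""
    if gateway_info.get("enable_snat", True):  # assumed default: SNAT on when key absent
        return []
    ext_ips = {ip["ip_address"] for ip in gateway_info.get("external_fixed_ips", [])}
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    stale = []
    for rec in nat_records:
        if rec.get("type") != "snat" or rec.get("external_ip") not in ext_ips:
            continue  # floating IPs (dnat_and_snat) and other routers' rows are not the issue
        logical = ipaddress.ip_network(rec["logical_ip"], strict=False)
        if any(logical.version == s.version and logical.subnet_of(s) for s in subnets):
            stale.append(rec["_uuid"])
    return stale

if __name__ == "__main__":
    print(stale_snat(parse_nat(SAMPLE_NAT), GATEWAY, ["10.131.100.0/24"]))
```

On a deployment the inputs would come from unfiltered `ovn-nbctl list NAT` output and the router's `external_gateway_info` plus its attached subnet CIDRs; a non-empty result means traffic from those subnets is still being source-NATed.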