← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 2051935] [NEW] [OVN] SNAT only happens for subnets directly connected to a router

 

Public bug reported:

I am trying to achieve the following scenario:

I have a VM attached to a router w/o external gateway (called project-
router) but with a default route which send all the traffic to another
router (transit router) which has an external gateway with snat enabled
and it is connected to a transit network 192.168.100.0/24

My VM is  on 172.16.100.0/24, traffic hits the project-router thanks to
the default route gets redirected to the transit-router correctly, here
it gets into the external gateway but w/o being snat.

This is because in ovn I see that SNAT on this router is only enabled
for logical ip in 192.168.100.0/24 which is the subnet directly
connected to the router

# ovn-nbctl lr-nat-list neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             147.22.16.207                       192.168.100.0/24

But I would like that this router snat all the traffic that hits it,
even when coming from a subnet not directly connected to it.

I can achieve this by setting in ovn the snat for 0.0.0.0/0

# ovn-nbctl lr-nat-add neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8 snat
147.22.16.207 0.0.0.0/0

# ovn-nbctl lr-nat-list neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             147.22.16.207                       0.0.0.0/0
snat             147.22.16.207                       192.168.100.0/24

But this workaround can be wiped if I run the neutron-ovn-db-sync-util
on any of the neutron-api unit.

Is there a way to achieve this via OpenStack? If not does it make sense
to have this as a new feature?

** Affects: neutron
     Importance: Undecided
         Status: New

** Affects: neutron (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  I am trying to achieve the following scenario:
  
  I have a VM attached to a router w/o external gateway (called project-
  router) but with a default route which send all the traffic to another
  router (transit router) which has an external gateway with snat enabled
  and it is connected to a transit network 192.168.100.0/24
  
  My VM is  on 172.16.100.0/24, traffic hits the project-router thanks to
  the default route gets redirected to the transit-router correctly, here
  it gets into the external gateway but w/o being snat.
  
- This is because in ovn since in ovn I see that in SNAT on that router is
- only enabled for logical ip in 192.168.100.0/24 which is the subnet
- directly connected to the router
+ This is because in ovn I see that SNAT on this router is only enabled
+ for logical ip in 192.168.100.0/24 which is the subnet directly
+ connected to the router
  
  # ovn-nbctl lr-nat-list neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8
  TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
  snat             147.22.16.207                       192.168.100.0/24
  
  But I would like that this router snat all the traffic that hits it,
  even when coming from a subnet not directly connected to it.
  
  I can achieve this by setting in ovn the snat for 0.0.0.0/0
  
  # ovn-nbctl lr-nat-add neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8 snat
  147.22.16.207 0.0.0.0/0
  
  # ovn-nbctl lr-nat-list neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8
  TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
  snat             147.22.16.207                       0.0.0.0/0
  snat             147.22.16.207                       192.168.100.0/24
  
- 
- But this workaround can be wiped if I run the neutron-ovn-db-sync-util on any of the neutron-api unit.
+ But this workaround can be wiped if I run the neutron-ovn-db-sync-util
+ on any of the neutron-api unit.
  
  Is there a way to achieve this via OpenStack? If not does it make sense
  to have this as a new feature?

** Summary changed:

- [OVN] SNAT only happens for subnets directly connected to the router
+ [OVN] SNAT only happens for subnets directly connected to a router

** Also affects: neutron
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2051935

Title:
  [OVN] SNAT only happens for subnets directly connected to a router

Status in neutron:
  New
Status in neutron package in Ubuntu:
  New

Bug description:
  I am trying to achieve the following scenario:

  I have a VM attached to a router w/o external gateway (called project-
  router) but with a default route which send all the traffic to another
  router (transit router) which has an external gateway with snat
  enabled and it is connected to a transit network 192.168.100.0/24

  My VM is  on 172.16.100.0/24, traffic hits the project-router thanks
  to the default route gets redirected to the transit-router correctly,
  here it gets into the external gateway but w/o being snat.

  This is because in ovn I see that SNAT on this router is only enabled
  for logical ip in 192.168.100.0/24 which is the subnet directly
  connected to the router

  # ovn-nbctl lr-nat-list neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8
  TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
  snat             147.22.16.207                       192.168.100.0/24

  But I would like that this router snat all the traffic that hits it,
  even when coming from a subnet not directly connected to it.

  I can achieve this by setting in ovn the snat for 0.0.0.0/0

  # ovn-nbctl lr-nat-add neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8
  snat 147.22.16.207 0.0.0.0/0

  # ovn-nbctl lr-nat-list neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8
  TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
  snat             147.22.16.207                       0.0.0.0/0
  snat             147.22.16.207                       192.168.100.0/24

  But this workaround can be wiped if I run the neutron-ovn-db-sync-util
  on any of the neutron-api unit.

  Is there a way to achieve this via OpenStack? If not does it make
  sense to have this as a new feature?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2051935/+subscriptions



Follow ups