yahoo-eng-team team mailing list archive

[Bug 2083527] [NEW] [OVN] FIPs are not respected in nested networks

 

Public bug reported:

This is actually a follow-up from
https://bugs.launchpad.net/neutron/+bug/2077879 as this is having a
slightly different use-case than was originally described.


Description
===========

The problem is that FIP created in a geneve network, which is marked as
access_as_external has no impact on traffic when it's assigned to
another geneve network. So dnat_and_snat rules are ignored and only
router snat rules are respected.

This way even after assigning FIP to the port - it keeps using inner
LRPs external_gateway instead of Floating IP.

I'm currently running HEAD of stable/2024.2, so it has both of these patches:
* https://review.opendev.org/c/openstack/neutron/+/909194
* https://review.opendev.org/c/openstack/neutron/+/926495

And in /etc/neutron/plugins/ml2/ml2_conf.ini I do have
"[ovn]/ovn_router_indirect_snat = True"


How to reproduce
================

This can be reproduced in AIO/Devstack environment.

1. Have a "default" public network after deployment
2. Create a geneve network:
* openstack network create G-net
* openstack subnet create --network G-net G-subnet --subnet-range 192.168.0.0/24
3. Create the router and connect geneve network with public network
* openstack router create --external-gateway public G-router
* openstack router add subnet G-router G-subnet
4. Ensure you're allowing incoming traffic by default
* openstack security group rule create default --ingress --remote-ip 0.0.0.0/0
5. Create a server in geneve network, ensure it has connectivity to the world
* openstack server create --network G-net --image cirros --flavor tempest G-host
6. Now mark the geneve network as external
* openstack network rbac create --type network --action access_as_external --target-all-projects G-net
7. Create a new Geneve subnet
* openstack network create A-net
* openstack subnet create A-subnet --network A-net --subnet-range 192.168.5.0/24 --dhcp --gateway 192.168.5.1
8. Create a router that will connect these 2 geneve networks:
* openstack router create --external-gateway G-net A-router
* openstack router add subnet A-router A-subnet
9. Create a server on a nested geneve network. Ensure it has access to the world and to your VM on the upper layer geneve through L3 Router SNAT:
* openstack server create --network A-net --image cirros --flavor tempest2 A-host
10. Create and assign a floating IP to the nested host
* openstack floating ip create --port $(openstack port list --server A-host -f value -c id) G-net
11. Run tcpdump on G-host and run ping from A-host to G-host.
12. Run ping from G-host towards A-host FIP

Current behaviour
=================

* Traffic to G-host is coming from L3 router external port rather than from FIP address.
* A-host VM is not available through assigned FIP from G-host


Intended behaviour
==================

* Traffic to G-host from A-host is properly SRC-NAT-ed through the FIP assigned to the port
* A-host is reachable from G-host through the FIP

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2083527
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2083527/+subscriptions
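An added example, not part of the bug report or of neutron: it turns steps 11 and 12 of the reproduction into a check that reads the inner router's NAT rules (A-router above) and classifies the source address tcpdump on G-host shows for packets from A-host as either the FIP, the router SNAT address (the behaviour reported) or something else. The column layout of the NAT listing and all addresses below are assumptions constructed for the example, not taken from the page.

```python
"""Decide whether a nested-network FIP was applied on the wire.

The NAT table below is a constructed sample; its column order is an
ASSUMPTION about `ovn-nbctl lr-nat-list <router>` output, not page data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

A_ROUTER_NAT = """\
TYPE           EXTERNAL_IP   LOGICAL_IP      EXTERNAL_MAC       LOGICAL_PORT
dnat_and_snat  192.168.0.57  192.168.5.12    fa:16:3e:aa:bb:cc  <a-host-port-uuid>
snat           192.168.0.21  192.168.5.0/24
"""

@dataclass(frozen=True)
class Nat:
    kind: str          # snat | dnat | dnat_and_snat
    external_ip: str   # address packets leave (or arrive) with
    logical_ip: str    # inner host address or prefix the rule matches

def parse_nat_list(text):
    """Keep only rows that start with a known NAT type; skip the header."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] in ("snat", "dnat", "dnat_and_snat"):
            rules.append(Nat(f[0], f[1], f[2]))
    return rules

def expected_source(rules, logical_ip):
    """Source the rules promise for logical_ip: a dnat_and_snat entry for
    that exact host is more specific than the router-wide snat prefix."""
    for r in rules:
        if r.kind == "dnat_and_snat" and r.logical_ip == logical_ip:
            return r.external_ip
    for r in rules:
        if r.kind == "snat" and ip_address(logical_ip) in ip_network(
                r.logical_ip, strict=False):
            return r.external_ip
    return None

def classify(rules, logical_ip, observed_src):
    """Map the address seen by tcpdump on G-host to one of the outcomes."""
    want = expected_source(rules, logical_ip)
    if want is None:
        return "no-nat-rule"
    if observed_src == want:
        return "nat-as-expected"
    if observed_src in {r.external_ip for r in rules if r.kind == "snat"}:
        return "router-snat-instead-of-fip"   # the behaviour reported above
    return "unexpected-source"
```

Feed it the real `lr-nat-list` output of the inner router and the source address from the G-host capture; "router-snat-instead-of-fip" means the dnat_and_snat row exists in the northbound DB but is not applied, which is the symptom this report describes.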