yahoo-eng-team team mailing list archive
Message #95730
[Bug 2106776] [NEW] Unable to enable/disable src_nat per external gateway
Public bug reported:
Description
===========
The use case is to have multiple external gateways: one for the public
network for instances to reach the internet, and a second for the routed
network.
The expectation is for instances to be reachable both in the "internal" routed
network and through the public floating IP.
Thus, src_nat needs to be disabled for the "internal" and enabled for the
"public" network, while both of them are added as external_gateways to the
router.
Exactly this scenario is showcased in the API reference:
https://docs.openstack.org/api-ref/network/v2/index.html#add-external-gateways-to-router
You can see there an example of a router `external_gateways` update to
enable_snat for a specific one.
However, while such a request is accepted by Neutron, it is never processed as expected, as the value of enable_snat is taken only for the "first" external gateway and applied for all the rest.
Environment
===========
Ubuntu 24.04
OVN: 25.03
OVS: 3.5.0
Neutron: 26.0.1.dev4
neutron-lib: 3.18.2
How to reproduce
================
openstack network create public --provider-network-type vlan --provider-physical-network vlan --provider-segment 10 --share --external
openstack subnet create --network public --subnet-range 172.29.248.0/22
openstack network create intenral-link --provider-network-type vlan --provider-physical-network physnet1 --provider-segment 190 --share --external
openstack subnet create --network intenral-link intenral-link --subnet-range 192.168.0.0/24
openstack router create --external-gateway public --external-gateway intenral-link internal
openstack network create private
openstack subnet create --network private private --subnet-range 10.0.0.0/24
openstack router add subnet internal private
curl -H "X-Auth-Token: $token" \
  http://172.29.236.101:9696/v2.0/routers/ee37797b-961c-4645-85c2-55f74031500f/update_external_gateways \
  -X PUT -H "Content-Type: application/json" \
  -d '{"router": {"external_gateways": [
        {"enable_snat": false, "network_id": "ab79f236-d790-4d9e-a863-22ee57eb873a", "external_fixed_ips": [{"subnet_id": "db07cec8-f238-4a45-8442-6eae4867ecb0", "ip_address": "192.168.0.53"}]},
        {"enable_snat": true, "network_id": "bc638fd7-b1de-47e1-8ace-23fce8bad0c9", "external_fixed_ips": [{"ip_address": "172.29.249.137", "subnet_id": "cbefd7b0-cc15-4ca2-8bac-0d50ccd14e31"}]}
      ]}}' | jq
ovn-nbctl lr-nat-list neutron-ee37797b-961c-4645-85c2-55f74031500f - returns an empty result.
Change the curl request so that the first network has `"enable_snat": true` and
the second one has `"enable_snat": false`.
ovn-nbctl lr-nat-list neutron-ee37797b-961c-4645-85c2-55f74031500f - will show snat for both, which is just wrong:
# ovn-nbctl lr-nat-list neutron-ee37797b-961c-4645-85c2-55f74031500f
TYPE  GATEWAY_PORT  MATCH  EXTERNAL_IP     EXTERNAL_PORT  LOGICAL_IP   EXTERNAL_MAC  LOGICAL_PORT
snat                       172.29.249.137                 10.0.0.0/24
snat                       192.168.0.53                   10.0.0.0/24
Full paste: https://paste.openstack.org/show/bQtuZPAmwDlqVu6noiNY/
** Affects: neutron
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2106776
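An added example, not part of the original bug report: a check that compares the enable_snat value requested for each external gateway with the snat rows that `ovn-nbctl lr-nat-list` actually shows, using the network IDs and addresses from the report. It assumes the rows are space-aligned under the header columns; the function names and the re-aligned sample table are constructed for illustration.

```python
import ipaddress
import re

def parse_lr_nat_list(text):
    """Slice `ovn-nbctl lr-nat-list` rows at the header's column offsets.
    Assumption: rows are space-aligned under the header, so empty cells stay empty."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:                      # empty result: no NAT rules on the router
        return []
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    ends = [start for _, start in cols[1:]] + [None]
    return [{name: ln[start:end].strip() for (name, start), end in zip(cols, ends)}
            for ln in lines[1:]]

def snat_mismatches(external_gateways, nat_rows):
    """Return (network_id, ip, requested, present) for each gateway address whose
    SNAT state in OVN differs from the enable_snat value that was requested."""
    snat_ips = {ipaddress.ip_address(r["EXTERNAL_IP"])
                for r in nat_rows if r["TYPE"] == "snat"}
    out = []
    for gw in external_gateways:
        for fixed in gw["external_fixed_ips"]:
            ip = ipaddress.ip_address(fixed["ip_address"])
            present = ip in snat_ips
            if present != gw["enable_snat"]:
                out.append((gw["network_id"], str(ip), gw["enable_snat"], present))
    return out

def gateways(internal_snat, public_snat):
    """external_gateways list with the network IDs and addresses from the report."""
    return [
        {"enable_snat": internal_snat, "network_id": "ab79f236-d790-4d9e-a863-22ee57eb873a",
         "external_fixed_ips": [{"ip_address": "192.168.0.53"}]},
        {"enable_snat": public_snat, "network_id": "bc638fd7-b1de-47e1-8ace-23fce8bad0c9",
         "external_fixed_ips": [{"ip_address": "172.29.249.137"}]},
    ]

# Constructed sample: the second result from the report, re-aligned into columns.
BOTH_SNAT = """\
TYPE  GATEWAY_PORT  MATCH  EXTERNAL_IP     EXTERNAL_PORT  LOGICAL_IP   EXTERNAL_MAC  LOGICAL_PORT
snat                       172.29.249.137                 10.0.0.0/24
snat                       192.168.0.53                   10.0.0.0/24
"""

if __name__ == "__main__":
    for row in snat_mismatches(gateways(True, False), parse_lr_nat_list(BOTH_SNAT)):
        print("mismatch: network=%s ip=%s requested=%s present=%s" % row)
```

An empty list means every gateway address has exactly the SNAT state that was requested; each returned tuple names a gateway whose traffic is, or is not, being source-translated contrary to the request.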