
yahoo-eng-team team mailing list archive

[Bug 2106776] [NEW] Unable to enable/disable src_nat per external gateway

 

Public bug reported:

Description
===========

The use case is to have multiple external gateways: one for the public
network for instances to reach the internet, and second is the routed
network.

The expectation is for instances to be reachable in both the "internal"
routed network as well as through the public floating IP.

Thus, src_nat needs to be disabled for "internal" and enabled for
"public" networks, while both of them are added as external_gateways to
the router.

Exactly this scenario is showcased in the API reference:
https://docs.openstack.org/api-ref/network/v2/index.html#add-external-gateways-to-router

You can see there an example of router `external_gateways` update to
enable_snat for a specific one.

However, while such a request is accepted by Neutron, it's never processed as expected, as the value of enable_snat is taken only for the "first" external gateway and applied for all the rest.
 

Environment
===========

Ubuntu 24.04
OVN: 25.03
OVS: 3.5.0
Neutron: 26.0.1.dev4
neutron-lib: 3.18.2


How to reproduce
================

openstack network create public --provider-network-type vlan --provider-physical-network vlan --provider-segment 10 --share --external
openstack subnet create --network public public --subnet-range 172.29.248.0/22


openstack network create intenral-link --provider-network-type vlan --provider-physical-network physnet1 --provider-segment 190 --share --external
openstack subnet create --network intenral-link intenral-link --subnet-range 192.168.0.0/24

openstack router create --external-gateway public --external-gateway intenral-link internal

openstack network create private
openstack subnet create --network private private --subnet-range 10.0.0.0/24
openstack router add subnet internal private

curl -H "X-Auth-Token: $token" \
  http://172.29.236.101:9696/v2.0/routers/ee37797b-961c-4645-85c2-55f74031500f/update_external_gateways \
  -X PUT -H "Content-Type: application/json" \
  -d '{"router": {"external_gateways": [
        {"enable_snat": false,
         "network_id": "ab79f236-d790-4d9e-a863-22ee57eb873a",
         "external_fixed_ips": [{"subnet_id": "db07cec8-f238-4a45-8442-6eae4867ecb0", "ip_address": "192.168.0.53"}]},
        {"enable_snat": true,
         "network_id": "bc638fd7-b1de-47e1-8ace-23fce8bad0c9",
         "external_fixed_ips": [{"ip_address": "172.29.249.137", "subnet_id": "cbefd7b0-cc15-4ca2-8bac-0d50ccd14e31"}]}
      ]}}' | jq

`ovn-nbctl lr-nat-list neutron-ee37797b-961c-4645-85c2-55f74031500f`
returns an empty result.

Change the curl request so that the first network has `"enable_snat": true`
and the second one has `"enable_snat": false`.

`ovn-nbctl lr-nat-list neutron-ee37797b-961c-4645-85c2-55f74031500f`
will show snat for both, which is just wrong:

# ovn-nbctl lr-nat-list neutron-ee37797b-961c-4645-85c2-55f74031500f
TYPE             GATEWAY_PORT          MATCH                 EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP          EXTERNAL_MAC         LOGICAL_PORT
snat                                                         172.29.249.137                      10.0.0.0/24
snat                                                         192.168.0.53                        10.0.0.0/24


Full paste: https://paste.openstack.org/show/bQtuZPAmwDlqVu6noiNY/

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2106776
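
A check for the mismatch reported above, added here as an example and not part of the bug report or of Neutron: it derives the SNAT rules that an `update_external_gateways` payload asks for and compares them with `ovn-nbctl lr-nat-list` output. The function names are hypothetical, the sample data is constructed from the addresses in the report, and an omitted `enable_snat` is assumed to mean true.

```python
import ipaddress

def expected_snat_ips(payload):
    """External IPs of every gateway whose enable_snat is true in the payload."""
    ips = set()
    for gw in payload["router"]["external_gateways"]:
        # Assumption: an omitted enable_snat counts as true.
        if gw.get("enable_snat", True):
            ips.update(f["ip_address"] for f in gw.get("external_fixed_ips", []))
    return ips

def observed_snat_ips(nat_list_output):
    """EXTERNAL_IP of each snat row printed by `ovn-nbctl lr-nat-list`."""
    ips = set()
    for line in nat_list_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "snat":
            continue  # header, blank line, or a dnat / dnat_and_snat row
        for field in fields[1:]:
            try:
                ipaddress.ip_address(field)  # rejects the LOGICAL_IP CIDR
            except ValueError:
                continue
            ips.add(field)
            break  # EXTERNAL_IP is printed before LOGICAL_IP
    return ips

def snat_drift(payload, nat_list_output):
    """Compare requested and programmed SNAT; two empty sets mean no drift."""
    want, have = expected_snat_ips(payload), observed_snat_ips(nat_list_output)
    return {"unexpected": have - want, "missing": want - have}

def gateways(first_snat, second_snat):
    """Constructed payload shaped like the report's request, reduced to the fields used here."""
    return {"router": {"external_gateways": [
        {"enable_snat": first_snat,
         "external_fixed_ips": [{"ip_address": "192.168.0.53"}]},
        {"enable_snat": second_snat,
         "external_fixed_ips": [{"ip_address": "172.29.249.137"}]}]}}

# NAT table from the report's second request, with column padding condensed.
NAT_BOTH = """TYPE  GATEWAY_PORT  MATCH  EXTERNAL_IP  EXTERNAL_PORT  LOGICAL_IP  EXTERNAL_MAC  LOGICAL_PORT
snat  172.29.249.137  10.0.0.0/24
snat  192.168.0.53  10.0.0.0/24
"""

if __name__ == "__main__":
    print(snat_drift(gateways(False, True), ""))        # first request, empty table
    print(snat_drift(gateways(True, False), NAT_BOTH))  # second request
```

An "unexpected" entry on the routed gateway means traffic to the internal network leaves with a translated source address, so source-based filtering and logging on that network no longer see the instance addresses.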
