[Bug 2051935] Re: [OVN] SNAT only happens for subnets directly connected to a router

Ilia Baikov 2051935 at bugs.launchpad.net
Tue Jul 30 22:37:52 UTC 2024 

Hello, Giuseppe Petralia
Your submission is completely right. Just found out that SNAT not working when forwarded to another attached network. My use case is to connect instance to management vlan using routers. With ML2/OVS it works perfect (1 router for private network for instances, 1 router for vlan network where management devices). Also probably static routes are ignored.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to neutron in Ubuntu.
https://bugs.launchpad.net/bugs/2051935

Title:
  [OVN] SNAT only happens for subnets directly connected to a router

Status in neutron:
  In Progress
Status in neutron package in Ubuntu:
  New

Bug description:
  I am trying to achieve the following scenario:

  I have a VM attached to a router w/o external gateway (called project-
  router) but with a default route which send all the traffic to another
  router (transit router) which has an external gateway with snat
  enabled and it is connected to a transit network 192.168.100.0/24

  My VM is  on 172.16.100.0/24, traffic hits the project-router thanks
  to the default route gets redirected to the transit-router correctly,
  here it gets into the external gateway but w/o being snat.

  This is because in ovn I see that SNAT on this router is only enabled
  for logical ip in 192.168.100.0/24 which is the subnet directly
  connected to the router

  # ovn-nbctl lr-nat-list neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8
  TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
  snat             147.22.16.207                       192.168.100.0/24

  But I would like that this router snat all the traffic that hits it,
  even when coming from a subnet not directly connected to it.

  I can achieve this by setting in ovn the snat for 0.0.0.0/0

  # ovn-nbctl lr-nat-add neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8
  snat 147.22.16.207 0.0.0.0/0

  # ovn-nbctl lr-nat-list neutron-6d1e6bb7-3949-43d1-8dac-dc55155b9ad8
  TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
  snat             147.22.16.207                       0.0.0.0/0
  snat             147.22.16.207                       192.168.100.0/24

  But this workaround can be wiped if I run the neutron-ovn-db-sync-util
  on any of the neutron-api unit.

  Is there a way to achieve this via OpenStack? If not does it make
  sense to have this as a new feature?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2051935/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list