[Bug 1924776] Re: [ovn] use of address scopes does not automatically disable router snat

Tore Anderson 1924776 at bugs.launchpad.net
Thu Dec 4 12:02:53 UTC 2025


This can be reproduced easily in OpenStack 2025.1 «Epoxy», using the
following commands:

#
# Step 1: create a router connected to the common external network «Internet»
#

$ openstack router create --external-gateway Internet bug1924776-repro-router -c external_gateway_info -f yaml
external_gateway_info:
  enable_snat: true
  external_fixed_ips:
  - ip_address: 185.47.41.213
    subnet_id: 9a4e51b5-aaeb-4c20-b788-c1a3514bea34
  - ip_address: 2a02:c0:1:99::1f
    subnet_id: 945e0883-0af4-49cb-b650-318508a335ca
  network_id: e6ff1cc8-59d6-433e-ac9a-cdbe4293c2e9

#
# Step 2: create a tenant network with an IPv4 subnet and connect it to the router created in the previous step
#

$ openstack network create bug1924776-repro-network
$ openstack subnet create --network bug1924776-repro-network --subnet-pool ipv4-public bug1924776-repro-subnet4
$ openstack router add subnet bug1924776-repro-router bug1924776-repro-subnet4


#
# Step 3: verify that the IPv4 address scopes are identical on the external and tenant networks
#

$ openstack network show Internet -c ipv4_address_scope -c ipv6_address_scope -f yaml
ipv4_address_scope: b01a2375-6fbd-4acc-aaf6-0bd93b26dc30
ipv6_address_scope: a544c852-e573-4177-9c93-37caf6a292fe
$ openstack network show bug1924776-repro-network -c ipv4_address_scope -c ipv6_address_scope -f yaml
ipv4_address_scope: b01a2375-6fbd-4acc-aaf6-0bd93b26dc30
ipv6_address_scope: null

#
# Step 4: create a VM on the tenant network and check its externally visible IPv4 address
#

$ openstack server create --flavor gXcd.small --image AlmaLinux-9 --network bug1924776-repro-network --key-name tore --wait bug1924776-repro-server -c addresses -f yaml
addresses:
  bug1924776-repro-network:
  - 87.238.40.101
$ ssh almalinux@87.238.40.101 curl -s http://icanhazip.com
185.47.41.213


Note how the external IP address displayed by the "what is my IP" service is that of the router, i.e., the one displayed in the output from step 1. This means the traffic was subjected to SNAT, even though the IPv4 address scopes shown in step 3 matched.

The expectation is that the external IP address would be the one
directly configured on the VM, here 87.238.40.101. This expected
behaviour of not applying SNAT when address scopes match is clearly
documented at
https://docs.openstack.org/neutron/2025.1/admin/config-address-scopes.html:

«Because all addresses allocated in the address scope do not overlap,
neutron routers do not NAT between your projects’ network and your
external network. As long as the addresses within an address scope
match, the Networking service performs simple routing between networks.»

Another thing worth pointing out is that the IPv6 address scopes do not
match above, because the external «Internet» network is dual-stacked,
while the repro tenant network created is single-stacked. I did this to
make the test case as minimal as possible. One would not expect IPv6
addressing to have any impact on SNAT behaviour, as this is an IPv4-only
feature. Nevertheless, I also tested an adjusted procedure where I
added IPv6 to the tenant network as well, and the bug is still in
effect:

$ openstack subnet create --network bug1924776-repro-network --subnet-pool ipv6 --ip-version 6 --ipv6-ra-mode slaac --ipv6-address-mode slaac bug1924776-repro-subnet6
$ openstack router add subnet bug1924776-repro-router bug1924776-repro-subnet6
$ openstack network show bug1924776-repro-network -c ipv4_address_scope -c ipv6_address_scope -f yaml
ipv4_address_scope: b01a2375-6fbd-4acc-aaf6-0bd93b26dc30
ipv6_address_scope: a544c852-e573-4177-9c93-37caf6a292fe
$ openstack server create --flavor gXcd.small --image AlmaLinux-9 --network bug1924776-repro-network --key-name tore --wait bug1924776-repro-server -c addresses -f yaml

addresses:
  bug1924776-repro-network:
  - 87.238.40.100
  - 2a02:c0:1001:4303:f816:3eff:feaa:4c70
$ ssh almalinux@87.238.40.100 curl -s http://icanhazip.com
2a02:c0:1001:4303:f816:3eff:feaa:4c70
$ ssh almalinux@87.238.40.100 curl -s http://icanhazip.com -4
185.47.41.221

Tore

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to neutron in Ubuntu.
https://bugs.launchpad.net/bugs/1924776

Title:
  [ovn] use of address scopes does not automatically disable router snat

Status in neutron:
  New
Status in neutron package in Ubuntu:
  Confirmed

Bug description:
  OpenStack Ussuri
  OVN 20.03.x
  Ubuntu 20.04

  When multiple networks/subnets are attached to a router which all form
  part of the same subnet pool and associated address scope SNAT is not
  automatically disabled to support routing between the subnets attached
  to the router.

  Ensuring the router is created with SNAT disabled resolves this issue
  but that's an extra non-obvious step for a cloud admin/end user.
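
Added example (not part of the original bug report or of neutron's code): a small Python check of the reproduction's logic, comparing the IPv4 address scopes with the egress address an external service observed. The sample data is constructed from the values quoted in the report; the function names are hypothetical.

```python
import ipaddress

# Constructed sample data mirroring the CLI output quoted in the report above.
ROUTER_GW = {"enable_snat": True,
             "network_id": "e6ff1cc8-59d6-433e-ac9a-cdbe4293c2e9",
             "external_fixed_ips": [{"ip_address": "185.47.41.213"},
                                    {"ip_address": "2a02:c0:1:99::1f"}]}
EXTERNAL_NET = {"ipv4_address_scope": "b01a2375-6fbd-4acc-aaf6-0bd93b26dc30",
                "ipv6_address_scope": "a544c852-e573-4177-9c93-37caf6a292fe"}
TENANT_NETS = {"bug1924776-repro-network": {
    "ipv4_address_scope": "b01a2375-6fbd-4acc-aaf6-0bd93b26dc30",
    "ipv6_address_scope": None}}


def snat_expected(router_gw, external_net, tenant_net):
    """Documented behaviour: no NAT when the IPv4 address scopes match."""
    ext = external_net.get("ipv4_address_scope")
    ten = tenant_net.get("ipv4_address_scope")
    if ext is not None and ext == ten:
        return False
    # Scopes differ or are unset: the router's enable_snat flag decides.
    return bool(router_gw.get("enable_snat"))


def classify_egress(router_gw, fixed_ips, observed):
    """Classify the source address an external service saw for an instance."""
    seen = ipaddress.ip_address(observed)
    if seen in {ipaddress.ip_address(a) for a in fixed_ips}:
        return "routed"
    gateway = {ipaddress.ip_address(f["ip_address"])
               for f in router_gw["external_fixed_ips"]}
    return "snat-router-gateway" if seen in gateway else "snat-other"


def audit(router_gw, external_net, tenant_nets, observations):
    """observations: {network name: (instance fixed IPs, observed egress IP)}.

    Returns the networks where traffic was translated although the address
    scopes say it should have been routed unchanged.
    """
    findings = []
    for name, net in tenant_nets.items():
        fixed_ips, observed = observations[name]
        verdict = classify_egress(router_gw, fixed_ips, observed)
        if not snat_expected(router_gw, external_net, net) and verdict != "routed":
            findings.append((name, observed, verdict))
    return findings
```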
