** Also affects: neutron
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1922089

Title:
  [ovn] enable_snat cannot be disabled once enabled

Status in neutron:
  New
Status in neutron package in Ubuntu:
  New

Bug description:
  Hi,

  Using OpenStack focal/ussuri - ovn version 20.03.1-0ubuntu1.2 and
  neutron 2:16.2.0-0ubuntu2.

  If "enable_snat" is enabled on an external gateway on a router, it's
  not possible to disable it without completely removing said gateway
  from the router.

  For example :
  I have a subnet called subnet_axino_test - 10.0.100.0/24
  I run the following :

  $ openstack router create router_axino_test
  $ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test
  $ openstack router add subnet router_axino_test subnet_axino_test

  And so on OVN, I get nothing :

  $ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24

  Now, I enable SNAT :

  $ openstack router set --enable-snat --external-gateway net_stg-external router_axino_test

  This correctly adds an OVN SNAT entry as follows :

  $ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24
  _uuid               : a65cc4b8-14ae-4ce4-b274-10eefdcc51dc
  external_ids        : {}
  external_ip         : "A.B.C.D"
  external_mac        : []
  logical_ip          : "10.131.100.0/24"
  logical_port        : []
  options             : {}
  type                : snat

  Now, I remove SNAT from the router :

  $ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test

  I confirm this :

  $ openstack router show router_axino_test | grep enable_snat
  | external_gateway_info | {"network_id": "4fb8304e-7adb-4cc3-bae5-deb968263eb0", "external_fixed_ips": [{"subnet_id": "60000d47-1e44-41af-8f64-dd802d5c3ddc", "ip_address": "A.B.C.D"}], "enable_snat": false} |

  Above, you can see that "enable_snat" is "false". So I would expect
  OVN to _not_ have a NAT entry.
  Yet, it does :

  $ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24
  _uuid               : a65cc4b8-14ae-4ce4-b274-10eefdcc51dc
  external_ids        : {}
  external_ip         : "162.213.34.141"
  external_mac        : []
  logical_ip          : "10.131.100.0/24"
  logical_port        : []
  options             : {}
  type                : snat

  The only way to remove SNAT is to completely remove the external
  gateway from the router, and to re-add it with SNAT disabled :

  $ openstack router unset --external-gateway router_axino_test
  $ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test

  Note that this requires removing all the floating IPs from VMs behind
  this router, which obviously makes them unreachable - which is less
  than ideal in production.

  Thanks
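
The manual comparison in the report (Neutron says "enable_snat": false, OVN still holds an snat row for the router's subnet) can be scripted as a drift check. This is an added example, not code from the bug report or from neutron; the function names and the sample data (UUIDs, 203.0.113.x addresses, "net-placeholder") are constructed, and the inputs are assumed to be the text of `ovn-nbctl list NAT` and the router's external_gateway_info JSON in the shapes shown above.

```python
import json

def parse_ovn_list(text):
    """Parse `ovn-nbctl list <table>` text: 'key : value' lines, blank line between rows."""
    rows, row = [], {}
    for line in text.splitlines():
        if not line.strip():
            if row:
                rows.append(row)
                row = {}
            continue
        key, _, value = line.partition(":")  # keys contain no colon; values may
        row[key.strip()] = value.strip().strip('"')
    if row:
        rows.append(row)
    return rows

def stale_snat_rows(gateway_info_json, subnet_cidrs, nat_text):
    """Return OVN snat rows covering the router's subnets while enable_snat is false."""
    info = json.loads(gateway_info_json)
    if info.get("enable_snat") is not False:  # only flag an explicit "false"
        return []
    cidrs = set(subnet_cidrs)
    # Floating IPs are dnat_and_snat rows and are expected to remain.
    return [r for r in parse_ovn_list(nat_text)
            if r.get("type") == "snat" and r.get("logical_ip") in cidrs]

# Constructed sample input (not taken from a real deployment).
SAMPLE_NAT = """\
_uuid               : 11111111-1111-1111-1111-111111111111
external_ids        : {}
external_ip         : "203.0.113.10"
logical_ip          : "10.131.100.0/24"
type                : snat

_uuid               : 22222222-2222-2222-2222-222222222222
external_ids        : {}
external_ip         : "203.0.113.11"
logical_ip          : "10.131.100.5"
type                : dnat_and_snat
"""
SAMPLE_GW = '{"network_id": "net-placeholder", "enable_snat": false}'

if __name__ == "__main__":
    for r in stale_snat_rows(SAMPLE_GW, ["10.131.100.0/24"], SAMPLE_NAT):
        print("stale snat:", r["_uuid"], r["logical_ip"], "->", r["external_ip"])
```

A non-empty result means the subnet still has outbound NAT through the gateway address even though the Neutron API reports SNAT as disabled.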