Public bug reported:

This is actually a follow-up from https://bugs.launchpad.net/neutron/+bug/2077879 as this is a slightly different use-case than was originally described.

Description
===========

The problem is that a FIP created in a geneve network which is marked as access_as_external has no impact on traffic when it's assigned to another geneve network. So dnat_and_snat rules are ignored and only router snat rules are respected. This way, even after assigning the FIP to the port, it keeps using the inner LRP's external_gateway instead of the Floating IP.

I'm currently running HEAD of stable/2024.2, so it has both of these patches:

* https://review.opendev.org/c/openstack/neutron/+/909194
* https://review.opendev.org/c/openstack/neutron/+/926495

And in /etc/neutron/plugins/ml2/ml2_conf.ini I do have "[ovn]/ovn_router_indirect_snat = True".

How to reproduce
================

This can be reproduced in an AIO/Devstack environment.

1. Have a "default" public network after deployment
2. Create a geneve network:
   * openstack network create G-net
   * openstack subnet create --network G-net G-subnet --subnet-range 192.168.0.0/24
3. Create the router and connect the geneve network with the public network:
   * openstack router create --external-gateway public G-router
   * openstack router add subnet G-router G-subnet
4. Ensure you're allowing incoming traffic by default:
   * openstack security group rule create default --ingress --remote-ip 0.0.0.0/0
5. Create a server in the geneve network, ensure it has connectivity to the world:
   * openstack server create --network G-net --image cirros --flavor tempest G-host
6. Now mark the geneve network as external:
   * openstack network rbac create --type network --action access_as_external --target-all-projects G-net
7. Create a new geneve subnet:
   * openstack network create A-net
   * openstack subnet create A-subnet --network A-net --subnet-range 192.168.5.0/24 --dhcp --gateway 192.168.5.1
8. Create a router that will connect these 2 geneve networks:
   * openstack router create --external-gateway G-net A-router
   * openstack router add subnet A-router A-subnet
9. Create a server on the nested geneve network. Ensure it has access to the world and to your VM on the upper-layer geneve network through L3 router SNAT:
   * openstack server create --network A-net --image cirros --flavor tempest2 A-host
10. Create and assign a floating IP to the nested host:
    * openstack floating ip create --port $(openstack port list --server A-host -f value -c id) G-net
11. Run tcpdump on G-host and run ping from A-host to G-host.
12. Run ping from G-host towards the A-host FIP.

Current behaviour
=================

* Traffic to G-host is coming from the L3 router external port rather than from the FIP address.
* The A-host VM is not reachable through the assigned FIP from G-host.

Intended behaviour
==================

* Traffic to G-host from A-host is properly SRC-NAT-ed through the FIP assigned to the port.
* A-host is reachable from G-host through the FIP.

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2083527
Title: [OVN] FIPs are not respected in nested networks
Status in neutron: New
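The observations in steps 11 and 12 (which source address G-host sees for A-host's pings, and whether the FIP answers at all) can be checked mechanically against a "tcpdump -n" capture taken on G-host. The script below is an added example written for this page, not code from the bug report or from Neutron. The addresses it uses (G-host 192.168.0.10, A-router's gateway port on G-net 192.168.0.20, the FIP 192.168.0.30) and both sample captures are constructed assumptions; substitute the values from your own environment.

```python
import re

# Assumed addresses for illustration only. In a real run take them from
# "openstack server show G-host", "openstack port list --router A-router"
# and "openstack floating ip list".
G_HOST_IP = "192.168.0.10"       # assumed: G-host fixed IP on G-subnet
A_ROUTER_GW_IP = "192.168.0.20"  # assumed: A-router external gateway port on G-net
FIP = "192.168.0.30"             # assumed: floating IP allocated from G-net

# Matches the ICMP echo lines "tcpdump -n" prints, e.g.
# "12:00:01.000001 IP 192.168.0.30 > 192.168.0.10: ICMP echo request, id 1, seq 1, length 64"
ICMP_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3}) > (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"ICMP echo (?P<kind>request|reply)"
)


def parse_icmp(lines):
    """Yield (src, dst, kind) for every ICMP echo line; other lines are skipped."""
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("kind")


def classify_echo_sources(lines, g_host, fip, router_gw):
    """Step 11: count where the echo requests reaching G-host come from."""
    counts = {"fip": 0, "router_gateway": 0, "other": 0}
    for src, dst, kind in parse_icmp(lines):
        if kind != "request" or dst != g_host:
            continue
        if src == fip:
            counts["fip"] += 1
        elif src == router_gw:
            counts["router_gateway"] += 1
        else:
            counts["other"] += 1
    return counts


def fip_snat_respected(counts):
    """Intended behaviour: requests arrive from the FIP, none from A-router's gateway port."""
    return counts["fip"] > 0 and counts["router_gateway"] == 0


def fip_reachable(lines, g_host, fip):
    """Step 12: G-host pinged the FIP; did an echo reply come back from the FIP?"""
    packets = list(parse_icmp(lines))
    sent = any(k == "request" and s == g_host and d == fip for s, d, k in packets)
    answered = any(k == "reply" and s == fip and d == g_host for s, d, k in packets)
    return sent and answered


# Constructed sample capture showing the behaviour the bug describes:
# A-host's pings are SNATed to A-router's gateway port, and the FIP never answers.
BUGGY_CAPTURE = [
    "12:00:00.500000 ARP, Request who-has 192.168.0.10 tell 192.168.0.20, length 28",
    "12:00:01.000001 IP 192.168.0.20 > 192.168.0.10: ICMP echo request, id 1, seq 1, length 64",
    "12:00:01.000050 IP 192.168.0.10 > 192.168.0.20: ICMP echo reply, id 1, seq 1, length 64",
    "12:00:02.000001 IP 192.168.0.20 > 192.168.0.10: ICMP echo request, id 1, seq 2, length 64",
    "12:00:02.000050 IP 192.168.0.10 > 192.168.0.20: ICMP echo reply, id 1, seq 2, length 64",
    "12:00:10.000001 IP 192.168.0.10 > 192.168.0.30: ICMP echo request, id 2, seq 1, length 64",
    "12:00:11.000001 IP 192.168.0.10 > 192.168.0.30: ICMP echo request, id 2, seq 2, length 64",
]

# Constructed sample capture showing the intended behaviour:
# A-host's pings carry the FIP as source, and the FIP replies to G-host.
INTENDED_CAPTURE = [
    "12:00:01.000001 IP 192.168.0.30 > 192.168.0.10: ICMP echo request, id 1, seq 1, length 64",
    "12:00:01.000050 IP 192.168.0.10 > 192.168.0.30: ICMP echo reply, id 1, seq 1, length 64",
    "12:00:02.000001 IP 192.168.0.30 > 192.168.0.10: ICMP echo request, id 1, seq 2, length 64",
    "12:00:02.000050 IP 192.168.0.10 > 192.168.0.30: ICMP echo reply, id 1, seq 2, length 64",
    "12:00:10.000001 IP 192.168.0.10 > 192.168.0.30: ICMP echo request, id 2, seq 1, length 64",
    "12:00:10.000070 IP 192.168.0.30 > 192.168.0.10: ICMP echo reply, id 2, seq 1, length 64",
]


def verdict(lines, g_host=G_HOST_IP, fip=FIP, router_gw=A_ROUTER_GW_IP):
    """Summarise one capture against both expectations from the bug report."""
    counts = classify_echo_sources(lines, g_host, fip, router_gw)
    return {
        "sources": counts,
        "snat_via_fip": fip_snat_respected(counts),
        "fip_reachable": fip_reachable(lines, g_host, fip),
    }


if __name__ == "__main__":
    print("buggy:   ", verdict(BUGGY_CAPTURE))
    print("intended:", verdict(INTENDED_CAPTURE))
```

To use it on a real run, capture with "tcpdump -n icmp" on G-host during steps 11 and 12, then pass the captured lines to verdict(); a report of snat_via_fip False together with a non-zero router_gateway count is exactly the "Current behaviour" above.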