[Yahoo-eng-team] [Bug 2083527] Re: [OVN] dnat_and_snat rules are setting GATEWAY_PORT when LR pinned to chassis

Mon, 19 May 2025 21:01:23 -0700 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/931495
Committed: 
https://opendev.org/openstack/neutron/commit/7109294ea0785caa33bcc10f1009eecfe850637b
Submitter: "Zuul (22348)"
Branch:    master

commit 7109294ea0785caa33bcc10f1009eecfe850637b
Author: Dmitriy Rabotyagov <dmitriy.rabotya...@cleura.com>
Date:   Fri Oct 4 17:17:31 2024 +0200

    [OVN] Do not supply gateway_port if it's not bound to chassis
    
    There is no reason to define gateway_port explicitly while create NAT
    rules for FIPs in case where LRP is not bound to chassis. Doing so
    will result in broken flows making NAT rules effectivelly ignored.
    
    This is a case, when Logical_Router is pinned to chassis instead of LRP
    
    Closes-Bug: #2083527
    Change-Id: Iafaed72b6ac295db88497e16c54090952c410194


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2083527

Title:
  [OVN] dnat_and_snat rules are setting GATEWAY_PORT when LR pinned to
  chassis

Status in neutron:
  Fix Released

Bug description:
  Description
  ===========

  The problem is that in scenario, where  FIP is created in a geneve
  network, which is marked as access_as_external, has no impact on
  traffic when it's assigned to the another geneve network. So
  dnat_and_snat rules are ignored and only router snat rules are
  respected.

  This happens because dnat_and_snat are provided with GATEWAY_PORT
  which is not pinned to chassis, while Logical_Router is pinned to it
  instead.

  This way even after assigning FIP to the port - it keeps using inner
  LRPs external_gateway instead of Floating IP.

  This regression happened after implementation of the LR pinning to chassis:
  https://review.opendev.org/c/openstack/neutron/+/909194

  which did not account for
  https://review.opendev.org/q/I802b6bd8c281cb6dacdee2e9c15285f069d4e04c

  
  How to reproduce
  ================

  This can be reproduced in AIO/Devstack environment.

  1. Have a "default" public network after deployment
  2. Create a geneve network:
  * openstack network create G-net
  * openstack subnet create --network G-net G-subnet --subnet-range 
192.168.0.0/24
  3. Create the router and connect geneve network with public network
  * openstack router create --external-gateway public G-router
  * openstack router add subnet G-router G-subnet
  4. Ensure you're allowing incoming traffic by default
  * openstack security group rule create default --ingress --remote-ip 0.0.0.0/0
  5. Create a server in geneve network, ensure it has connectivity to the world
  * openstack server create --network G-net --image cirros --flavor tempest 
G-host
  6. Now mark the geneve network as external
  * openstack network rbac create --type network --action access_as_external 
--target-all-projects G-net
  7. Create a new Geneve subnet
  * openstack network create A-net
  * openstack subnet create A-subnet --network A-net --subnet-range 
192.168.5.0/24 --dhcp --gateway 192.168.5.1
  8. Create a router that will connect these 2 geneve networks:
  * openstack router create --external-gateway G-net A-router
  * openstack router add subnet A-router A-subnet
  9. Create a server on a nested geneve network. Ensure it has access to the 
world and to your VM on the upper layer geneve through L3 Router SNAT:
  * openstack server create --network A-net --image cirros --flavor tempest2 
A-host
  10. Create and assign a floating IP to the nested host
  * openstack floating ip create --port $(openstack port list --server A-host 
-f value -c id) G-net
  11. Run tcpdump on G-host and run ping from A-host to G-host.
  12. Run ping from G-host towards A-host FIP

  Current behaviour
  =================

  * Traffic to G-host is coming from L3 router external port rather then from 
FIP adddress.
  * A-host VM is not available through assigned FIP from G-host

  
  Intended behaviour
  ==================

  * Traffic to G-host from A-host is properly SRC-NAT-ed through the assigned 
to the port FIP
  * A-host is reachable from G-host through the FIP

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2083527/+subscriptions


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to