[Bug 1922089] [NEW] [ovn] enable_snat cannot be disabled once enabled

Junien Fridrick 1922089 at bugs.launchpad.net
Wed Mar 31 13:22:03 UTC 2021


Public bug reported:

Hi,

Using OpenStack focal/ussuri - ovn version 20.03.1-0ubuntu1.2 and
neutron 2:16.2.0-0ubuntu2.

If "enable_snat" is enabled on an external gateway on a router, it's not
possible to disable it without completely removing said gateway from the
router.

For example:
I have a subnet called subnet_axino_test - 10.0.100.0/24
I run the following:

$ openstack router create router_axino_test
$ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test
$ openstack router add subnet router_axino_test subnet_axino_test

And so on OVN, I get nothing:
$ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24

Now, I enable SNAT:
$ openstack router set --enable-snat --external-gateway net_stg-external router_axino_test

This correctly adds an OVN SNAT entry as follows:
$ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24

_uuid               : a65cc4b8-14ae-4ce4-b274-10eefdcc51dc
external_ids        : {}
external_ip         : "A.B.C.D"
external_mac        : []
logical_ip          : "10.131.100.0/24"
logical_port        : []
options             : {}
type                : snat

Now, I remove SNAT from the router:
$ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test

I confirm this:
$ openstack router show router_axino_test | grep enable_snat
| external_gateway_info   | {"network_id": "4fb8304e-7adb-4cc3-bae5-deb968263eb0", "external_fixed_ips": [{"subnet_id": "60000d47-1e44-41af-8f64-dd802d5c3ddc", "ip_address": "A.B.C.D"}], "enable_snat": false} |

Above, you can see that "enable_snat" is "false". So I would expect OVN to _not_ have a NAT entry. Yet, it does:
$ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24

_uuid               : a65cc4b8-14ae-4ce4-b274-10eefdcc51dc
external_ids        : {}
external_ip         : "162.213.34.141"
external_mac        : []
logical_ip          : "10.131.100.0/24"
logical_port        : []
options             : {}
type                : snat

The only way to remove SNAT is to completely remove the external gateway from the router, and to re-add it with SNAT disabled:
$ openstack router unset --external-gateway router_axino_test
$ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test

Note that this requires removing all the floating IPs from VMs behind
this router, which obviously makes them unreachable - which is less than
ideal in production.

Thanks

** Affects: neutron (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1922089
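
The mismatch described in the report (Neutron shows enable_snat as false while the OVN northbound NAT table still holds an snat row) can be checked mechanically. The following is an added example, not part of the original report and not neutron or OVN code; the function names and the second NAT record are constructed for illustration, and matching rows by subnet CIDR mirrors the grep used in the report.

```python
# Constructed sample: same field layout as the `ovn-nbctl list NAT` output in
# the report; the second record (a floating IP) is invented for illustration.
NAT_DUMP = """\
_uuid               : a65cc4b8-14ae-4ce4-b274-10eefdcc51dc
external_ids        : {}
external_ip         : "A.B.C.D"
external_mac        : []
logical_ip          : "10.131.100.0/24"
logical_port        : []
options             : {}
type                : snat

_uuid               : 00000000-0000-0000-0000-000000000001
external_ids        : {}
external_ip         : "A.B.C.E"
external_mac        : []
logical_ip          : "10.131.100.7"
logical_port        : []
options             : {}
type                : dnat_and_snat
"""
# Gateway state as Neutron reports it after --disable-snat (trimmed).
GW_INFO = {"external_fixed_ips": [{"ip_address": "A.B.C.D"}], "enable_snat": False}


def parse_nb_list(text):
    """Parse `ovn-nbctl list <table>` text into one dict per record."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            # Column names contain no colon, so the first one is the separator.
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip().strip('"')
        if rec:
            records.append(rec)
    return records


def stale_snat_rows(gw_info, nat_rows, router_cidrs):
    """Return snat rows that contradict enable_snat=false on the Neutron side."""
    if gw_info.get("enable_snat", True):  # assumption: absent means enabled
        return []
    # Floating IPs are dnat_and_snat rows and are expected with SNAT disabled.
    return [r for r in nat_rows
            if r.get("type") == "snat" and r.get("logical_ip") in router_cidrs]


if __name__ == "__main__":
    for row in stale_snat_rows(GW_INFO, parse_nb_list(NAT_DUMP), {"10.131.100.0/24"}):
        print("stale SNAT row:", row["_uuid"], row["logical_ip"], "->", row["external_ip"])
```

Any row this returns means instances on that subnet still have translated egress through the gateway although the API reports SNAT as off.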
