[Bug 1922089] Re: [ovn] enable_snat cannot be disabled once enabled
OpenStack Infra
1922089 at bugs.launchpad.net
Mon May 24 19:45:47 UTC 2021
Reviewed: https://review.opendev.org/c/openstack/neutron/+/792537
Committed: https://opendev.org/openstack/neutron/commit/749d9d6fca70aef005d518e1e4bee183ddd724b1
Submitter: "Zuul (22348)"
Branch: stable/victoria
commit 749d9d6fca70aef005d518e1e4bee183ddd724b1
Author: Lucas Alvares Gomes <lucasagomes at gmail.com>
Date: Wed Apr 28 13:41:15 2021 +0100
[OVN] Fix: Disabling snat after it was enabled
This patch removes a conditional check in the update_router() method
which was verifying if snat was enabled in order to update the nat
rules. This check does not make sense in the update method as if snat
was disabled we should still call update_nat_rules() which will then
remove the NAT entry from the OVN NB DB.
Change-Id: Ice20d22365acaf33ee211b1e38b7d0bc151c1ba8
Closes-Bug: #1922089
Signed-off-by: Lucas Alvares Gomes <lucasagomes at gmail.com>
(cherry picked from commit ddc8e625f714aebd65a454f23fedc6d9a9320e89)
** Tags added: in-stable-victoria
** Tags added: in-stable-ussuri
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to neutron in Ubuntu.
https://bugs.launchpad.net/bugs/1922089
Title:
[ovn] enable_snat cannot be disabled once enabled
Status in neutron:
Fix Released
Status in neutron package in Ubuntu:
Confirmed
Bug description:
Hi,
Using Openstack focal/ussuri - ovn version 20.03.1-0ubuntu1.2 and
neutron 2:16.2.0-0ubuntu2.
If "enable_snat" is enabled on an external gateway on a router, it's
not possible to disable it without completely removing said gateway
from the router.
For example :
I have a subnet called subnet_axino_test - 10.0.100.0/24
I run the following :
$ openstack router create router_axino_test
$ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test
$ openstack router add subnet router_axino_test subnet_axino_test
And so on OVN, I get nothing :
$ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24
Now, I enable SNAT :
$ openstack router set --enable-snat --external-gateway net_stg-external router_axino_test
This correctly adds an OVN SNAT entry as follows :
$ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24
_uuid : a65cc4b8-14ae-4ce4-b274-10eefdcc51dc
external_ids : {}
external_ip : "A.B.C.D"
external_mac : []
logical_ip : "10.131.100.0/24"
logical_port : []
options : {}
type : snat
Now, I remove SNAT from the router :
$ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test
I confirm this :
$ openstack router show router_axino_test | grep enable_snat
| external_gateway_info | {"network_id": "4fb8304e-7adb-4cc3-bae5-deb968263eb0", "external_fixed_ips": [{"subnet_id": "60000d47-1e44-41af-8f64-dd802d5c3ddc", "ip_address": "A.B.C.D"}], "enable_snat": false} |
Above, you can see that "enable_snat" is "false". So I would expect OVN to _not_ have a NAT entry. Yet, it does :
$ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24
_uuid : a65cc4b8-14ae-4ce4-b274-10eefdcc51dc
external_ids : {}
external_ip : "162.213.34.141"
external_mac : []
logical_ip : "10.131.100.0/24"
logical_port : []
options : {}
type : snat
The only way to remove SNAT is to completely remove the external gateway from the router, and to re-add it with SNAT disabled :
$ openstack router unset --external-gateway router_axino_test
$ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test
Note that this requires removing all the floating IPs from VMs behind
this router, which obviously makes them unreachable - which is less
than ideal in production.
Thanks
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1922089/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list