[RFE] Add support for local SNAT

Will each compute node occupy one external network IP in the "LOCAL SNAT" mode?

What will the router gateway(disable snat) work in "LOCAL SNAT" mode?

Compute node may use one external network IP (more simple case) or existing provider network IP but different routing rules will be required in both cases.

I propose that 'disable-snat' will be a limiting setting for 'Local SNAT' as well. If cloud admin set 'disable-snat' for some router - SNAT traffic should be disabled in all computer nodes for all relevant internal networks this router is connected to.

As a side note: 'Local SNAT' mode could use either manual setting for chosen compute node/s and have a client API for this. Or use automatic mode (detect external network) with configuration enabled option.

This has some up before, there are basically three different modes of burning IPs for SNAT.

Single IP per router: Current model used by Neutron.

Single IP per compute node: This seems to be what you are implying in this request, but it's completely incompatible with the current L3 API because there is nothing that makes any sense to put in the external gateway field for a router.

Single IP per (router,compute node) pair. This is much more feasible because IPs are still scoped to the router (which is also important for tenant traffic attribution) so it can modeled as multiple fixed IPs per gateway if we want.

I would only be in favor of the option to burn an IP per (router,compute node) pair. The single IP per compute node doesn't fit the API.

Kevin, thank you for the clear description of possible implementation modes. I agree that current RFE refer to more general case - single IP per compute node. However I already have a reference implementation that suits to - single IP per (router, compute node) pair which was a kind of phase one step to more general case described in RFE.

In reference implementation there is a slight addition in existing neutron router API that allows to 'burn' IP for (compute node, router) pair exactly as you described.

Reference implementation based in neutron/mitaka is here:
   https://github.com/igor-toga/local-snat/tree/local-snat/neutron

Neutron client API support:
   https://github.com/igor-toga/python-neutronclient

As Kevin said, this has come up time and time again (e.g. bug 1467471), and I have seen many etherpads coming up (e.g. https://etherpad.openstack.org/p/decentralized-snat). The IP per router,compute couple is doable but it burns IP addresses. I suppose with the service-type [1]
extension this issue can be somewhat mitigated, but it was enough to make past proposals to crash and burn.

[1] https://specs.openstack.org/openstack/neutron-specs/specs/newton/subnet-service-types.html

This also seems related to https://bugs.launchpad.net/neutron/+bug/1577488 ([RFE]"Fast exit" for compute node egress flows when using DVR), which has two related patches. That is basically allowing egress from the FIP namespace when the internal/external address scopes are the same. There is no SNAT taking place there, just forwarding, so NAT would need to happen upstream of the neutron router.

@Igor,

can you propose the patch as a gerrit review to the master branch so we can assess the complexity of the implementation?

Bear in mind that a fresh patch based off of master is only the first step to assess the feasibility of this effort. Maintenance, testing and documentation of the new architectural option for SNAT must be something that the Neutron team will have to sign up for. Currently we are stretched thin and we are more than happy to scout for volunteers. @Igor: are you ready for this long term commitment? :)

I reviewed [RFE]"Fast exit" and related master based patch: https://review.openstack.org/#/c/283757/.
'Fast exit' implementation uses very close concept to my own reference implementation. While I used agent gateway addresses based on API manual set, 'Fast exit RFE' uses advanced neutron support of separate ip address pools per service type and takes gateway address from a dedicated pool.

My patch is less 'baked' compared to 'Fast exit' so I feel that bringing fresh patch to master will produce less benefit than reviewing and contributing to more 'baked' solution that 'walks' the same way.

@Igor,

Based on your latest comment, should we scrap this RFE?

On the short term I will not be able to handle this RFE due to other commitments.

BTW:
'Single IP per compute node' solution was recently merged into DragonFlow big tent project
https://review.openstack.org/#/c/431422/

Moving to postponed for now since we don't have someone to write the DVR changes and don't have the bandwidth to review it for Pike.

Bug closed due to lack of activity, please feel free to reopen if needed.