[dvr] enable_snat attribute is ignored - centralized snat port gets created
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Won't Fix | Medium | Unassigned |
Bug Description
OpenStack Queens from UCA (xenial, GA kernel), 2 external subnets (one routed provider network), 1 tenant subnet added to a router.
Tenant subnet cidr: 192.168.100.0/24
Relevant agent configs:
http://
Commands and outputs:
http://
Although a router is created with --disable-snat and enable_snat is shown as set to "false"
openstack router set --disable-snat --external-gateway pubnet --enable pubrouter
a centralized snat port is still created for that router:
| device_owner | network:
I suspect this is because _create_
https:/
Additionally, when agent mode is dvr_snat an snat-<vrouter-id> network namespace gets created unconditionally by virtue of DvrEdgeRouter usage:
https:/
https:/
It seems that right now there is a tight dependency on having a dvr_snat node in a deployment so even if only fast exit(/entry) functionality is intended to be used, there is no way to completely disable SNAT.
A gateway port is still required to be bound to a dvr_snat node, however, DvrEdgeRouter could operate differently depending on whether enable_snat is actually true (to handle updates to this attribute). In this case a router_
tags: added: l3-dvr-backlog
Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
Yes, your understanding is right. Today there is a tight dependency on the SNAT namespace when a gateway is attached.
The _create_snat_interfaces_after_change creates SNAT interface ports. This is basically required for the compute node traffic to reach the gateway. (Basically required now for the 'dvr_no_external' agents.)
Basically the 'enable_snat' or 'disable_snat' should be only targeting the SNAT rules in the SNAT namespace. Otherwise this should be intact.