Feature request: check SNAT disable before exposing tenant networks
Bug #2052292 reported by Michel Nederlof
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ovn-bgp-agent | Fix Released | High | Michel Nederlof |
Bug Description
If SNAT on the router is enabled, then the subnet is reachable from the outside, but all new sessions created from within the subnet will be SNAT-ed.
So those sessions will use the external IP of the router.
This would impose issues, as for example whitelisting specific tenant IPs would not be possible.
With SNAT disabled, the neutron router will act as a normal gateway, and sessions created from within a tenant VM will be sent from the real IP of the instance.
Changed in ovn-bgp-agent:
assignee: nobody → Michel Nederlof (mnederlof)
Changed in ovn-bgp-agent:
status: New → In Progress
Changed in ovn-bgp-agent:
importance: Undecided → High
Reviewed: https://review.opendev.org/c/openstack/ovn-bgp-agent/+/907068
Committed: https://opendev.org/openstack/ovn-bgp-agent/commit/326ec402306fe2b90097a6441e2594041e3a0242
Submitter: "Zuul (22348)"
Branch: master
commit 326ec402306fe2b90097a6441e2594041e3a0242
Author: Michel Nederlof <email address hidden>
Date: Mon Jan 29 15:38:04 2024 +0100
Add feature to check if SNAT disabled before exposing tenant networks
If SNAT on the router is enabled, then the subnet is reachable
from the outside, but all new sessions created from within the subnet
will be SNAT-ed. So those sessions will use the external IP of the router.
For example, whitelisting specific tenant IPs would not be possible.
With SNAT disabled, the neutron router will act as a normal gateway, and
sessions created from within a tenant VM will be sent from the real IP.
Closes-Bug: #2052292
Change-Id: Ib97065fb2fcca069195278fea804256370d21816
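As an added illustration of the check that the bug description and the commit message above both describe, the block below is example code written for this page, not ovn-bgp-agent's own implementation. It shows the two places a deployment can read the router's SNAT state: the Neutron API view (`external_gateway_info.enable_snat`, which Neutron defaults to true when the key is omitted) and the OVN Northbound view, where Neutron programs one NAT row of type "snat" per tenant subnet on a SNAT-enabled router, with `logical_ip` set to the subnet CIDR. Floating IPs are "dnat_and_snat" rows for a single host and do not SNAT the whole subnet, so they must not suppress exposure. The NAT rows and router dicts are constructed sample data; the function names are this example's own.

```python
"""Decide which tenant subnets behind a Neutron/OVN router can be exposed
without their outbound sessions being SNAT-ed to the router's external IP.

Example code for this page, not ovn-bgp-agent's implementation.
Assumptions (labelled): NAT rows are plain dicts carrying the OVN NB NAT
table's columns `type`, `logical_ip`, `external_ip`; router dicts follow
the Neutron API shape.
"""
import ipaddress


def neutron_router_snat_enabled(router):
    """Neutron API view of SNAT.

    `enable_snat` defaults to True in Neutron when it is omitted. A router
    without an external gateway cannot SNAT at all, so that case is False.
    """
    egi = router.get("external_gateway_info") or {}
    if not egi.get("network_id"):
        return False
    return bool(egi.get("enable_snat", True))


def subnet_is_snated(subnet_cidr, nat_rows):
    """OVN NB view: True if any router-level 'snat' rule overlaps the subnet.

    Any overlap is treated as SNAT-ed (conservative): if even part of the
    subnet is rewritten, exposing it would still mislead per-IP whitelists.
    'dnat' and 'dnat_and_snat' rows (floating IPs) are ignored because they
    only affect the single host they map.
    """
    subnet = ipaddress.ip_network(subnet_cidr, strict=False)
    for row in nat_rows:
        if row.get("type") != "snat":
            continue
        logical = ipaddress.ip_network(row["logical_ip"], strict=False)
        if logical.version != subnet.version:
            continue
        if subnet.overlaps(logical):
            return True
    return False


def exposable_subnets(router_subnets, nat_rows):
    """Return the subnets whose sessions leave with the instance's real IP."""
    return [cidr for cidr in router_subnets
            if not subnet_is_snated(cidr, nat_rows)]


# Constructed sample data (not from any real deployment).
SAMPLE_NAT_ROWS = [
    # Router-level SNAT for one tenant subnet: this subnet must NOT be exposed.
    {"type": "snat", "logical_ip": "10.10.0.0/24", "external_ip": "203.0.113.5"},
    # Floating IP on a host in another subnet: does not SNAT that subnet.
    {"type": "dnat_and_snat", "logical_ip": "10.20.0.7", "external_ip": "203.0.113.9"},
]
SAMPLE_ROUTER_SUBNETS = ["10.10.0.0/24", "10.20.0.0/24", "fd00:10::/64"]

SAMPLE_ROUTER_SNAT_OFF = {
    "id": "r1", "external_gateway_info": {"network_id": "ext-net", "enable_snat": False}}
SAMPLE_ROUTER_SNAT_DEFAULT = {
    "id": "r2", "external_gateway_info": {"network_id": "ext-net"}}


if __name__ == "__main__":
    print("r1 SNAT enabled:", neutron_router_snat_enabled(SAMPLE_ROUTER_SNAT_OFF))
    print("r2 SNAT enabled:", neutron_router_snat_enabled(SAMPLE_ROUTER_SNAT_DEFAULT))
    print("exposable:", exposable_subnets(SAMPLE_ROUTER_SUBNETS, SAMPLE_NAT_ROWS))
```

On the sample data only `10.20.0.0/24` and `fd00:10::/64` come back as exposable: the `/24` with a router-level snat row is held back, while the floating-IP row on `10.20.0.7` is correctly ignored. In a live deployment the same decision would be driven from the NAT rows read through the OVSDB IDL rather than from dicts.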