Feature request: check SNAT disable before exposing tenant networks

Bug #2052292 reported by Michel Nederlof
Affects: ovn-bgp-agent
Status: Fix Released
Importance: High
Assigned to: Michel Nederlof

Bug Description

If SNAT on the router is enabled, then the subnet is reachable from the outside, but all new sessions created from within the subnet will be SNAT-ed.

So those sessions will use the external IP of the router.

This would impose issues, as for example whitelisting specific tenant IPs would not be possible.

With SNAT disabled, the neutron router will act as a normal gateway, and sessions created from within a tenant VM will be sent from the real IP of the instance.
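
The behaviour described above, as an added example that is not part of the bug report or of ovn-bgp-agent itself: a small model of a Neutron/OVN router that shows why a tenant subnet announced via BGP while SNAT is enabled defeats source-IP allow-listing, and the exposure check the fix asks for. NAT rules are modelled as dicts mirroring the OVN NB `NAT` row fields `type`, `logical_ip` and `external_ip` (an assumption; the real agent reads them through its OVN NB client), and `expose_tenant_subnets` and `allow_listed` are hypothetical helper names.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    """Constructed stand-in for a Neutron router as seen in the OVN NB database."""
    external_ip: str
    nat_rules: list = field(default_factory=list)  # constructed NAT rows

    def has_snat(self) -> bool:
        # A router-wide 'snat' row corresponds to enable_snat=True in Neutron.
        return any(r["type"] == "snat" for r in self.nat_rules)

    def egress_source(self, vm_ip: str) -> str:
        """Source address an external host sees for a session opened by vm_ip."""
        addr = ipaddress.ip_address(vm_ip)
        for r in self.nat_rules:
            if r["type"] == "dnat_and_snat" and r["logical_ip"] == vm_ip:
                return r["external_ip"]  # floating IP bound to this VM
            if r["type"] == "snat" and addr in ipaddress.ip_network(r["logical_ip"]):
                return r["external_ip"]  # SNAT-ed to the router's external IP
        return vm_ip  # no SNAT: the router is a plain gateway


def expose_tenant_subnets(router: Router, subnets, require_snat_disabled=True):
    """Subnets the agent may announce; none while SNAT is on and the check is enforced."""
    if require_snat_disabled and router.has_snat():
        return []
    return list(subnets)


def allow_listed(source_ip: str, allow_list) -> bool:
    """Firewall-style check on the external side: is the source in the allow-list?"""
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(n) for n in allow_list)


if __name__ == "__main__":
    tenant = "10.0.0.0/24"
    snat_on = Router("203.0.113.10", [{"type": "snat", "logical_ip": tenant,
                                        "external_ip": "203.0.113.10"}])
    snat_off = Router("203.0.113.10", [])
    for name, r in (("snat enabled", snat_on), ("snat disabled", snat_off)):
        src = r.egress_source("10.0.0.5")
        print(name, "-> source", src, "allow-listed:", allow_listed(src, [tenant]),
              "exposed:", expose_tenant_subnets(r, [tenant]))
```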

Changed in ovn-bgp-agent:
assignee: nobody → Michel Nederlof (mnederlof)
Changed in ovn-bgp-agent:
status: New → In Progress
Changed in ovn-bgp-agent:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to ovn-bgp-agent (master)

Reviewed: https://review.opendev.org/c/openstack/ovn-bgp-agent/+/907068
Committed: https://opendev.org/openstack/ovn-bgp-agent/commit/326ec402306fe2b90097a6441e2594041e3a0242
Submitter: "Zuul (22348)"
Branch: master

commit 326ec402306fe2b90097a6441e2594041e3a0242
Author: Michel Nederlof <email address hidden>
Date: Mon Jan 29 15:38:04 2024 +0100

    Add feature to check if SNAT disabled before exposing tenant networks

    If SNAT on the router is enabled, then the subnet is reachable
    from the outside, but all new sessions created from within the subnet
    will be SNAT-ed. So those sessions will use the external IP of the router.
    For example whitelisting specific tenant ips would not be possible.

    With SNAT disabled, the neutron router will act as a normal gateway, and
    sessions created from within a tenant vm will be sent from the real ip.

    Closes-Bug: #2052292
    Change-Id: Ib97065fb2fcca069195278fea804256370d21816

Changed in ovn-bgp-agent:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ovn-bgp-agent (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/ovn-bgp-agent/+/910487

OpenStack Infra (hudson-openstack) wrote : Fix merged to ovn-bgp-agent (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/ovn-bgp-agent/+/910487
Committed: https://opendev.org/openstack/ovn-bgp-agent/commit/968e84a628e3017cc7db330b2623f8cee84baddb
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 968e84a628e3017cc7db330b2623f8cee84baddb
Author: Michel Nederlof <email address hidden>
Date: Mon Jan 29 15:38:04 2024 +0100

    Add feature to check if SNAT disabled before exposing tenant networks

    If SNAT on the router is enabled, then the subnet is reachable
    from the outside, but all new sessions created from within the subnet
    will be SNAT-ed. So those sessions will use the external IP of the router.
    For example whitelisting specific tenant ips would not be possible.

    With SNAT disabled, the neutron router will act as a normal gateway, and
    sessions created from within a tenant vm will be sent from the real ip.

    Closes-Bug: #2052292
    Change-Id: Ib97065fb2fcca069195278fea804256370d21816

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ovn-bgp-agent 2.0.0.0rc1

This issue was fixed in the openstack/ovn-bgp-agent 2.0.0.0rc1 release candidate.
