can't connect external network using default snat from tenant network
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
Medium
|
Itsuro Oda | ||
Juno |
Invalid
|
Medium
|
Hirofumi Ichihara |
Bug Description
See the following example:
---
----
|
| 192.168.10.10
+---+---+
| r1 | routes [{nexthop: 10.0.0.2, destination: 20.0.0.0/24}]
+---+---+
| 10.0.0.1
|
---
|
| 10.0.0.2
| r2 | routes [{nexthop: 10.0.0.1, destination: 0.0.0.0/0}]
| 20.0.0.1
|
---
---
Users want to access external network from tenant network2 using default SNAT but can't access.
(tenant network2 is connected to r1 indirectly and set routes properly.)
Users can access external network only from tenant network1 (it is directly connected to r1) currently.
I think it is a bug since this restriction is unnecessary.
It is easy to fix. How about this ?
---
diff --git a/neutron/
index ff8ad47..097fa36 100644
--- a/neutron/
+++ b/neutron/
@@ -1445,9 +1445,8 @@ class L3NATAgent(
rules = [('POSTROUTING', '! -i %(interface_name)s '
- {'interface_name': interface_name})]
- for cidr in internal_cidrs:
- rules.extend(
+ {'interface_name': interface_name}),
+ ('snat', '-j SNAT --to-source %s' % ex_gw_ip)]
return rules
def _snat_redirect_
@@ -1560,11 +1559,6 @@ class L3NATAgent(
- def internal_
- rules = [('snat', '-s %s -j SNAT --to-source %s' %
- (internal_cidr, ex_gw_ip))]
- return rules
-
def _create_
"""Create Floating IP gateway port.
---
tags: | added: l3-ipam-dhcp |
Changed in neutron: | |
status: | New → Confirmed |
importance: | Undecided → Medium |
Changed in neutron: | |
assignee: | nobody → Itsuro Oda (oda-g) |
tags: | added: juno-backport-potential |
tags: | removed: juno-backport-potential |
Changed in neutron: | |
milestone: | none → kilo-1 |
status: | Fix Committed → Fix Released |
Changed in neutron: | |
milestone: | kilo-1 → 2015.1.0 |
I think this is the limitation from the initial commit of l3-agent, and it sounds reasonable to relax this limitation to provide more flexibility of the topology of virtual networks.
Regarding the solution mentioned in the bug report,
+ ('snat', '-j SNAT --to-source %s' % ex_gw_ip)]
seems a bit dangerous because this rule tries to apply SNAT for all traffic. Generally speaking we should have more strict match rule to avoid any side effect.
I have not checked the detail behavior of SNAT rules in l3-agent, but it is worth investigated what traffic matches the SNAT rule. IMHO it is better to examine from what interfaces traffic come or similar things. I am afraid traffic from local or traffic handled by OpenSwan are affected by the rule.