Non-SNAT'ed packets should be blocked
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Expired | Low | Unassigned |
Bug Description
Some deployments would like to use only floating IPs to communicate outside the tenant via the external network.
However, in current neutron, when running "neutron router-gateway-set" with the specified router's "enable_snat" set to false, non-SNAT'ed packets can arrive at another tenant via the external network. The packets don't pass through the other tenant's gateway, but they add extra load to the external network.
Packets should be NAT'ed when flowing on the external network. Non-SNAT'ed packets don't need to flow on the external network.
Therefore, non-SNAT'ed packets should be dropped inside their own tenant.
I will fix as follows:
* The router is Legacy mode and enable_snat is True:
  No change from current implementation.
* The router is Legacy mode and enable_snat is False:
  Add new rule for dropping outbound non-SNAT'ed packets.
* The router is DVR mode and enable_snat is True:
  No change from current implementation.
* The router is Legacy mode and enable_snat is False:
  Don't create SNAT namespace.
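To make the trade-off in this report concrete, here is an added example (not neutron code, and not part of the bug report) that models a legacy router's outbound NAT path: floating IPs are 1:1 NAT, enable_snat controls the catch-all SNAT to the gateway address, and a `drop_unnatted` switch stands in for the proposed drop rule. All addresses and the `Router`/`egress_source`/`compare_behaviours` names are constructed for the example. Running the same two VMs through the three configurations shows both sides of the discussion: traffic from a VM with a floating IP is unaffected, while a VM without one, which today leaves with its private source address, would be dropped by the proposal, which is exactly the upstream-routes use case the first comment says would break.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Router:
    """Simplified model of a Neutron legacy router's outbound NAT path.

    gateway_ip    - address on the router's external (gateway) port
    enable_snat   - the external_gateway_info:enable_snat flag
    floating_ips  - fixed tenant address -> floating IP (1:1 NAT)
    drop_unnatted - the behaviour proposed in the report: drop outbound
                    packets that would leave without any NAT applied
    """
    gateway_ip: str
    enable_snat: bool
    floating_ips: Dict[str, str] = field(default_factory=dict)
    drop_unnatted: bool = False


def egress_source(router: Router, src: str) -> Optional[str]:
    """Return the source address a packet from `src` carries once it is on the
    external network, or None if the router drops it before it gets there."""
    # A floating IP mapping is a 1:1 NAT and applies regardless of enable_snat.
    if src in router.floating_ips:
        return router.floating_ips[src]
    # With SNAT enabled, everything else is rewritten to the gateway address.
    if router.enable_snat:
        return router.gateway_ip
    # enable_snat is False and there is no floating IP: today the packet leaves
    # with its tenant-private source intact (the traffic the report objects to).
    if router.drop_unnatted:
        return None
    return src


def compare_behaviours(src: str) -> Dict[str, Optional[str]]:
    """Run one tenant source through the three configurations under discussion:
    SNAT on, SNAT off as implemented today, and SNAT off with the proposed drop."""
    # Constructed sample addresses (assumption, not from the report): the router
    # gateway is 198.51.100.1, VM 10.0.0.5 holds floating IP 203.0.113.10,
    # VM 10.0.0.6 has no floating IP.
    fips = {"10.0.0.5": "203.0.113.10"}
    configs = {
        "snat_on": Router("198.51.100.1", True, fips),
        "snat_off_current": Router("198.51.100.1", False, fips),
        "snat_off_proposed": Router("198.51.100.1", False, fips, drop_unnatted=True),
    }
    return {name: egress_source(r, src) for name, r in configs.items()}


if __name__ == "__main__":
    for vm in ("10.0.0.5", "10.0.0.6"):
        print(vm, compare_behaviours(vm))
```

The "snat_off_current" column is the state the reporter wants to close (a private address appearing on the shared external network); the "snat_off_proposed" column returning None for the VM without a floating IP is the regression the comment warns about.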
Changed in neutron:
assignee: nobody → Takanori Miyagishi (miyagishi-t)
description: updated

Changed in neutron:
status: Opinion → New
description: updated

Changed in neutron:
importance: Undecided → Wishlist
tags: added: rfe

Changed in neutron:
status: New → In Progress
There is a use case where SNAT is disabled on a Neutron router and there are upstream routes for tenant networks using the Neutron router as the next hop. What you're proposing would break that use case.
Also, enabling/disabling snat on a router is an admin-only function according to policy.json:
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
This is a non-issue for non-admin users/tenants.