neutron

Non snated packet should be blocked

Bug #1518296 reported by Takanori Miyagishi on 2015-11-20

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Expired	Low	Unassigned

Bug Description

Some deployments would like to use only floating ip to communicate with outside of tenant via external network.

However, in current neutron, when running "neutron router-gateway-set" with specified router's "enable_snat" is false, then non-SNAT'ed packets can arrive at other tenant via external-network. The packets don't pass through other tenant's gateway, but take extra load to external network.

The packet should be NAT'ed when flowing on external network. Non-SNAT'ed packets don't need to flow on external network.

Therefore, non-SNAT'ed packets should be dropped at inside of own tenant.

I will fix as follows:

* The router is Legacy mode and enable_snat is True:
No change from current implementation.

* The router is Legacy mode and enable_snat is False:
Add new rule for dropping outbound non-SNAT'ed packets.

* The router is DVR mode and enable_snat is True:
No change from current implementation.

* The router is Legacy mode and enable_snat is False:
Don't create SNAT name space.

See original description

Takanori Miyagishi (miyagishi-t) on 2015-11-20

Changed in neutron:
assignee:	nobody → Takanori Miyagishi (miyagishi-t)
description:	updated

Revision history for this message

James Denton (james-denton) wrote on 2015-11-20:

There is a use case where SNAT is disabled on a Neutron router and there are upstream routes for tenant networks using the Neutron router as the next hop. What you're proposing would break that use case.

Also, enabling/disabling snat on a router is an admin-only function according to policy.json:

"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"update_router:external_gateway_info:enable_snat": "rule:admin_only",

This is a non-issue for non-admin users/tenants.

Revision history for this message

Takanori Miyagishi (miyagishi-t) wrote on 2015-12-03:

I think it is useless that non-NAT'ed packet flows on external network from tenant network because the destination can't handle private IP of sender. Therefore, my opinion is the use case occurs when private IP is NAT'ed to public IP.

So, as I wrote in Bug Description, the current behavior that non-NAT'ed packet flows on external network is an issue. I'd like to fix this.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-25: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/272059

Changed in neutron:
status:	New → In Progress

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2016-02-23:

If you have SNAT disabled and don't want traffic to flow onto the external network, why would you attach an interface to the external network in the first place?

Changed in neutron:
status:	In Progress → Opinion

Kevin Benton (kevinbenton) on 2016-02-23

Changed in neutron:
status:	Opinion → New

Takanori Miyagishi (miyagishi-t) on 2016-02-23

description:

updated

Dariusz Smigiel (smigiel-dariusz) on 2016-02-23

Changed in neutron:
importance:	Undecided → Wishlist
tags:	added: rfe

Revision history for this message

Takanori Miyagishi (miyagishi-t) wrote on 2016-02-24:

Hi Dariusz Smigiel,
Could you tell the reason for adding tag "rfe"?
I think this is just a bug.

Revision history for this message

Dariusz Smigiel (smigiel-dariusz) wrote on 2016-02-26:

Hey Takanori Miyagishi,
My mistake. I had wrong belief that it's something new.

Thank you for updating description for this.

tags:	removed: rfe
Changed in neutron:
importance:	Wishlist → Low

OpenStack Infra (hudson-openstack) on 2016-03-14

Changed in neutron:
status:	New → In Progress

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2016-04-12:

This will break the use case that James pointed out. We can't just disable all non-SNAT traffic because the router on the external network could have routes pointing back to the tenant router for the tenant's networks.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-06-27: Change abandoned on neutron (master)

Change abandoned by Takanori Miyagishi (<email address hidden>) on branch: master
Review: https://review.openstack.org/272059

Revision history for this message

Armando Migliaccio (armando-migliaccio) wrote on 2017-02-01:

This bug is > 180 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee:	Takanori Miyagishi (miyagishi-t) → nobody
status:	In Progress → Incomplete

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-04-02:

#10

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status:	Incomplete → Expired

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.