Rocky DVR-SNAT seems missing entries for conntrack marking
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Expired | Undecided | Unassigned | |
Bug Description
Hello,
I've been playing with Rocky on CentOS 7 with DVR / DVR-SNAT / BGP. Our provider network uses private IP-space for scalability. Our tenants run in public IP-space.
Steps:
openstack network create --share --provider-
openstack subnet create --network NET-EXT-
openstack bgp speaker add network BGP-REFLECTOR-
openstack address scope create --share --ip-version 4 SCOPE-SHARED-VFOUR
openstack subnet pool create --pool-prefix 93.115.169.128/25 --address-scope SCOPE-SHARED-VFOUR POOL-SHARED-
openstack subnet pool set --default-
openstack network create --share NET-INT-
openstack subnet create --network NET-INT-
openstack bgp speaker add network BGP-REFLECTOR-
openstack router create ROUTER-SHARED
openstack router set ROUTER-SHARED --disable-snat --external-gateway NET-EXT-
openstack router add subnet ROUTER-SHARED SUBNET-
openstack bgp speaker list advertised routes BGP-REFLECTOR-
Result:
+-------------------+-----------+
| Destination       | Nexthop   |
+-------------------+-----------+
| 93.115.169.128/28 | 192.0.2.6 |
+-------------------+-----------+
Where 192.0.2.6 is the IP in the SNAT instance on the DVR-SNAT network node. So far things seem good; however, it seems my egress traffic is blocked. I'm not 100% sure it's not caused by misconfiguration, but I found the two lines to get traffic flowing in my config:
https:/
was rewritten to "dont_block_
-> This would allow traffic to go egress into the provider network
https:/
-> I need that connmark/mark restore rule to have ingress replies match the existing connections.
Validate:
ip netns exec $(ip netns | grep snat | awk '{ print $1}') iptables -t mangle -L neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
508 27174 CONNMARK all -- * qg-b075d908-66 0.0.0.0/0 0.0.0.0/0 connmark match 0x0/0xffff0000 CONNMARK save mask 0xffff0000
1 entry
ip netns exec $(ip netns | grep snat | awk '{ print $1}') iptables -t filter -L neutron-
Chain neutron-
pkts bytes target prot opt in out source destination
6588 350K DROP all -- * sg-c46c9df8-06 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4010000/
1 entry (instead of two before)
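Added example (not part of the bug report or of neutron's own code): a small Python check that parses the `iptables -t mangle -L <chain> -v -n` listing shown above and reports whether the CONNMARK save rule on the external gateway interface has a matching restore rule, which is the missing entry the report describes. The chain name, the "healthy" second rule and its counters are constructed placeholders; the `qg-` interface prefix is assumed from the listing above.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    target: str
    in_if: str
    out_if: str
    extra: str  # match/target options after the destination column


def parse_iptables_listing(text: str) -> list:
    """Parse `iptables -t <table> -L <chain> -v -n` output for one chain."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # data rows start with the packet counter; skip 'Chain ...' and header rows
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        # columns: pkts bytes target prot opt in out source destination [extra...]
        rules.append(Rule(parts[2], parts[5], parts[6], " ".join(parts[9:])))
    return rules


def connmark_status(mangle_listing: str, gateway_prefix: str = "qg-") -> dict:
    """Report whether the connmark save rule (outbound on the external gateway
    interface) and a matching restore rule are both present in the chain."""
    rules = parse_iptables_listing(mangle_listing)
    saves = [r for r in rules if r.target == "CONNMARK" and "save mask" in r.extra
             and r.out_if.startswith(gateway_prefix)]
    restores = [r for r in rules if r.target == "CONNMARK" and "restore mask" in r.extra]
    return {"save": len(saves), "restore": len(restores),
            "ok": bool(saves) and bool(restores)}


# Constructed sample: the one-rule listing from the bug report, with a placeholder chain name.
MISSING_RESTORE = """\
Chain PLACEHOLDER-CHAIN (1 references)
 pkts bytes target prot opt in out source destination
  508 27174 CONNMARK all -- * qg-b075d908-66 0.0.0.0/0 0.0.0.0/0 connmark match 0x0/0xffff0000 CONNMARK save mask 0xffff0000
"""

# Constructed sample of the expected state: the save rule plus a restore rule (counters invented).
WITH_RESTORE = MISSING_RESTORE + (
    "  600 31000 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore mask 0xffff0000\n"
)

if __name__ == "__main__":
    for name, listing in (("reported", MISSING_RESTORE), ("expected", WITH_RESTORE)):
        print(name, connmark_status(listing))
```

Without the restore rule, reply packets carry no connmark-derived mark and fall into the mark-gated DROP rule in the filter chain shown above.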
Changed in neutron:
status: New → Incomplete
tags: added: l3-dvr-backlog
This could be a mis-configuration.
The address scopes of the internal and external subnets don't match, so I don't believe the proper iptables rules will be installed.
From the top part of https://docs.openstack.org/neutron/stein/admin/config-address-scopes.html (rocky has similar wording), it says:
3. Make sure that subnets on an external network are created from the subnet pools created above:
So they're using the same subnetpool to create a subnet for the external network as the internal ones, which should result in the same address scope on each.
If that doesn't help, please update the bug and we'll have to do further triage.