neutron

[L3][Port forwarding] multiple floating_ip:port to same internal fixed_ip:port (N-to-1 rule support)

Bug #1922653 reported by LIU Yulong on 2021-04-06

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	In Progress	Medium	LIU Yulong

Bug Description

Floating ip port forwradings table has constraints:

TABLE_NAME = 'portforwardings'

    op.create_unique_constraint(
        constraint_name=('uniq_port_forwardings0floatingip_id0'
                         'external_port0protocol'),
        table_name=TABLE_NAME,
        columns=['floatingip_id', 'external_port', 'protocol']
    )
    op.create_unique_constraint(
        constraint_name=('uniq_port_forwardings0internal_neutron_port_id0'
                         'socket0protocol'),
        table_name=TABLE_NAME,
        columns=['internal_neutron_port_id', 'socket', 'protocol']
    )

This allows create port forwardings like:

172.24.4.64:22 -> tcp -> 192.168.111.45:22

It does not support (failed on constraint uniq_port_forwardings0internal_neutron_port_id0socket0protocol):

172.24.4.64:22 -> tcp -> 192.168.111.45:22
172.24.4.64:122 -> tcp -> 192.168.111.45:22
172.24.4.168:22 -> tcp -> 192.168.111.45:22

With some local tests, IMO, all these rules works fine in L3 agent side:

# ip netns exec snat-b247f145-569a-4d5a-bdd8-31a5213641ea conntrack -L |grep "192.168.111.45"
conntrack v1.4.4 (conntrack-tools): 9 flow entries have been shown.
tcp 6 431835 ESTABLISHED src=172.24.4.1 dst=172.24.4.64 sport=53774 dport=122 src=192.168.111.45 dst=172.24.4.1 sport=22 dport=53774 [ASSURED] mark=0 use=1
tcp 6 430336 ESTABLISHED src=172.24.4.1 dst=172.24.4.168 sport=53443 dport=22 src=192.168.111.45 dst=172.24.4.1 sport=22 dport=53443 [ASSURED] mark=0 use=1
tcp 6 431995 ESTABLISHED src=172.24.4.1 dst=172.24.4.64 sport=53781 dport=22 src=192.168.111.45 dst=172.24.4.1 sport=22 dport=53781 [ASSURED] mark=0 use=1

All rules can be used to login (ssh) the VM.

So here, I'd like to remove the constraint uniq_port_forwardings0internal_neutron_port_id0socket0protocol to support these.

Tags:

LIU Yulong (dragon889) on 2021-04-06

summary:

- [L3][Port forwarding] multiple floating_ips to same internal
- fixed_ip:port
+ [L3][Port forwarding] multiple floating_ip:port to same internal
+ fixed_ip:port (N-to-1 rule support)

Revision history for this message

LIU Yulong (dragon889) wrote on 2021-04-06:

Test iptables rules:
Chain neutron-l3-agent-fip-pf (1 references)
pkts bytes target prot opt in out source destination
26078 3295K neutron-l3-agent-pf-12d9bdf5 all -- * * 0.0.0.0/0 0.0.0.0/0
2858 423K neutron-l3-agent-pf-81ef8183 all -- * * 0.0.0.0/0 0.0.0.0/0
594 120K neutron-l3-agent-pf-4155e90a all -- * * 0.0.0.0/0 0.0.0.0/0

Chain neutron-l3-agent-pf-12d9bdf5 (1 references)
pkts bytes target prot opt in out source destination
13 676 DNAT tcp -- * * 0.0.0.0/0 172.24.4.64 tcp dpt:22 to:192.168.111.45:22

Chain neutron-l3-agent-pf-4155e90a (1 references)
pkts bytes target prot opt in out source destination
1 52 DNAT tcp -- * * 0.0.0.0/0 172.24.4.64 tcp dpt:122 to:192.168.111.45:22

Chain neutron-l3-agent-pf-81ef8183 (1 references)
pkts bytes target prot opt in out source destination
2 104 DNAT tcp -- * * 0.0.0.0/0 172.24.4.168 tcp dpt:22 to:192.168.111.45:22

Revision history for this message

Flavio Fernandes (ffernand) wrote on 2021-04-06:

Makes sense, Liu. I never quite understood that restriction.

I can try it on ml2/ovn but I am pretty sure that should not be
a problem at all with that.

Revision history for this message

Miguel Lavalle (minsel) wrote on 2021-04-11:

@Yulong. It seems sensible to me. Are you going to work on it. If yes, please assign the bug to yourself

Changed in neutron:
status:	New → Confirmed
importance:	Undecided → Medium

Slawek Kaplonski (slaweq) on 2021-04-13

tags:

added: l3-dvr-backlog

LIU Yulong (dragon889) on 2021-04-20

Changed in neutron:
assignee:	nobody → LIU Yulong (dragon889)
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-04-21: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/787304

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-04-22: Related fix proposed to neutron-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/787474

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-02-08: Change abandoned on neutron (master)

Change abandoned by "liuyulong <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/787304
Reason: Restore if someday we want this.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-02-08: Change abandoned on neutron-tempest-plugin (master)

Change abandoned by "liuyulong <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/787474
Reason: Restore if someday we want this.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.