[ML2/OVN] DGP/Floating IP issue - no flows for chassis gateway port
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
Medium
|
Roberto Bartzen Acosta |
Bug Description
Hello everyone.
I noticed a problem with DGP feature when configured by OpenStack Neutron using multiple external (provider) subnets.
For example, the OpenStack external provider network has multiple subnets, such as:
subnet1: 172.16.10.0/24
subnet2: 172.16.20.0/24
When the Logical Router attaches the external gateway port to this network, only one subnet is configured (static or dinamically), e.g. IP address = 172.16.10.1/24.
If the Floating IP assigned for some VM uses the same subnet range as the router's IP network, the dnat_and_snat rule will be created correctly and inbound/outbound traffic will work. However, when the Floating IP uses the other one subnet (not on the same network of the external router port), the dnat_and_snat is not created and we can see the warning message in the log as below:
2023-09-
This problem occurs because Neutron has not configured the "gateway-port" param in the OVN NAT rule. In this case, the northd [1] automatically obtains the gateway port using the external IP from the NAT rule and the external network configured on the OVN logical router. This issue was introduced with these commits [1][2] and affect ML2/OVN backend since OVN version 21.09.
This problem was discussed on the ovs-discuss mailing list [3], but technically it seems to me that it is a required change in the CMS to guarantee the creation of FIP flows without having to rely on OVN to automatically discover the gateway port.
If OVN is using Distributed Gateway Port on the router, the FIP created by Neutron will not work due to lack of openflow flows to the gateway port:
Before set the gateway_port:
ovn-nbctl lr-nat-list 078fd69b-
TYPE GATEWAY_PORT EXTERNAL_IP EXTERNAL_PORT LOGICAL_IP EXTERNAL_MAC LOGICAL_PORT
dnat_and_snat 172.16.20.10 10.0.0.232
snat 172.16.10.41 10.0.0.0/24
ovn-sbctl lflow-list | grep 172.16.20.10
table=
table=
table=
table=
table=3 (lr_in_ip_input ), priority=90 , match=(arp.op == 1 && arp.tpa == 172.16.20.10), action=(eth.dst = eth.src; eth.src = xreg0[0..47]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[0..47]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;)
table=
After set the gateway_port:
ovn-nbctl lr-nat-list 078fd69b-
TYPE GATEWAY_PORT EXTERNAL_IP EXTERNAL_PORT LOGICAL_IP EXTERNAL_MAC LOGICAL_PORT
dnat_and_snat lrp-bb89ed8d-a60d- 172.16.20.10 10.0.0.232
snat 172.16.10.41 10.0.0.0/24
ovn-sbctl lflow-list | grep 172.16.20.10
table=
table=
table=
table=
table=3 (lr_in_ip_input ), priority=92 , match=(inport == "lrp-bb89ed8d-
table=3 (lr_in_ip_input ), priority=91 , match=(inport == "lrp-bb89ed8d-
table=3 (lr_in_ip_input ), priority=90 , match=(arp.op == 1 && arp.tpa == 172.16.20.10), action=(eth.dst = eth.src; eth.src = xreg0[0..47]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[0..47]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;)
table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.16.20.10 && inport == "lrp-bb89ed8d-
table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.16.20.10 && inport == "lrp-bb89ed8d-
table=7 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst == 172.16.20.10 && inport == "lrp-bb89ed8d-
table=
table=
table=0 (lr_out_
table=3 (lr_out_snat ), priority=162 , match=(ip && ip4.src == 10.0.0.232 && outport == "lrp-bb89ed8d-
table=3 (lr_out_snat ), priority=161 , match=(ip && ip4.src == 10.0.0.232 && outport == "lrp-bb89ed8d-
table=5 (lr_out_egr_loop ), priority=100 , match=(ip4.dst == 172.16.20.10 && outport == "lrp-bb89ed8d-
table=
Basically, after the change [2], OVN allows operation without setting the NAT rule gateway_port for a very restricted use cases and Neutron ends up being vulnerable to different OVN architectures (using DGP, for example). If Neutron configured the gateway_port parameter on NAT rule command it would work, but the issue is that Neutron never configured this before and automatically gateway port discovery may break the working of FIPs.
My suggestion is that Neutron adds this column when creating/updating FIP rules (if the OVN backend supports this column in the Northbound DB Schema), and updating the previously existing dnat_and_snat entries (FIPs) to set the gateway_port in the maintenance task (once time).
[1] https:/
[2] https:/
[3] https:/
Changed in neutron: | |
assignee: | nobody → Roberto Bartzen Acosta (rbartzen) |
tags: | added: ovn |
Thank you for the bug Roberto. I would categorize this bug as a feature request for the Neutron. Is the OVN change breaking some existing functionality?