[ovn] enable_snat cannot be disabled once enabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | High | Lucas Alvares Gomes |
neutron (Ubuntu) | Confirmed | Medium | Unassigned |
Bug Description
Hi,
Using Openstack focal/ussuri - ovn version 20.03.1-0ubuntu1.2 and neutron 2:16.2.0-0ubuntu2.
If "enable_snat" is enabled on an external gateway on a router, it's not possible to disable it without completely removing said gateway from the router.
For example :
I have a subnet called subnet_axino_test - 10.0.100.0/24
I run the following :
$ openstack router create router_axino_test
$ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test
$ openstack router add subnet router_axino_test subnet_axino_test
And so on OVN, I get nothing :
$ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24
Now, I enable SNAT :
$ openstack router set --enable-snat --external-gateway net_stg-external router_axino_test
This correctly adds an OVN SNAT entry as follows :
$ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24
_uuid : a65cc4b8-
external_ids : {}
external_ip : "A.B.C.D"
external_mac : []
logical_ip : "10.131.100.0/24"
logical_port : []
options : {}
type : snat
Now, I remove SNAT from the router :
$ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test
I confirm this :
$ openstack router show router_axino_test | grep enable_snat
| external_
Above, you can see that "enable_snat" is "false". So I would expect OVN to _not_ have a NAT entry. Yet, it does :
$ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24
_uuid : a65cc4b8-
external_ids : {}
external_ip : "162.213.34.141"
external_mac : []
logical_ip : "10.131.100.0/24"
logical_port : []
options : {}
type : snat
The only way to remove SNAT is to completely remove the external gateway from the router, and to re-add it with SNAT disabled :
$ openstack router unset --external-gateway router_axino_test
$ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test
Note that this requires removing all the floating IPs from VMs behind this router, which obviously makes them unreachable - which is less than ideal in production.
Thanks
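A check for the leftover NAT row described in the report above, as an added example that is not part of the original bug report or of neutron's code: it parses `ovn-nbctl list NAT` output and flags `snat` rows for subnets whose router has `enable_snat` set to false. The sample output, UUIDs, addresses and function names are constructed for illustration, and the list of SNAT-disabled CIDRs is assumed to be collected separately from `openstack router show`.

```python
import ipaddress

# Constructed sample in the layout `ovn-nbctl list NAT` prints (all values made up).
SAMPLE_NAT = '''\
_uuid               : 11111111-2222-3333-4444-555555555555
external_ids        : {}
external_ip         : "203.0.113.10"
external_mac        : []
logical_ip          : "10.131.100.0/24"
logical_port        : []
options             : {}
type                : snat

_uuid               : 66666666-7777-8888-9999-000000000000
external_ids        : {}
external_ip         : "203.0.113.11"
external_mac        : "fa:16:3e:00:00:01"
logical_ip          : "10.131.100.25"
logical_port        : "port-a"
options             : {}
type                : dnat_and_snat
'''


def parse_nat_records(text):
    """Split `list NAT` output into one dict per record (blank line = boundary)."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # column names contain no ':'
            if sep:
                rec[key.strip()] = value.strip().strip('"')
        if rec:
            records.append(rec)
    return records


def stale_snat(records, snat_disabled_cidrs):
    """Return snat rows whose logical_ip is a subnet that should have no SNAT."""
    disabled = {ipaddress.ip_network(c) for c in snat_disabled_cidrs}
    # Only type "snat" is checked; dnat_and_snat rows are floating IPs.
    return [r for r in records if r.get("type") == "snat"
            and ipaddress.ip_network(r["logical_ip"], strict=False) in disabled]


if __name__ == "__main__":
    for rec in stale_snat(parse_nat_records(SAMPLE_NAT), ["10.131.100.0/24"]):
        print("stale SNAT:", rec["_uuid"], rec["logical_ip"], "->", rec["external_ip"])
```

On a real deployment the text would come from `sudo ovn-nbctl list NAT`; any row the check returns means traffic from that subnet is still being translated to the external address even though Neutron reports SNAT as disabled.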
tags: added: ovn
Changed in neutron:
assignee: nobody → Lucas Alvares Gomes (lucasagomes)
Changed in neutron (Ubuntu):
importance: Undecided → Medium
tags: added: neutron-proactive-backport-potential
Sorry for the slow reaction. Thanks for the bug report. I was able to reproduce the bug by your instructions - with traffic too.