[ovn] fip assignment to instance via router with snat disabled is broken
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Expired | Undecided | Unassigned |
neutron (Ubuntu) | Expired | Undecided | Unassigned |

Bug Description
Ubuntu: 20.04
OpenStack: Ussuri
Networking: OVN (20.03.x)
Network topology:
Geneve overlay network for project networks, router has snat disabled and the project network and the external network are all in the same address scope and subnet pool. OVN routers are simply acting as L3 routers and instances on the project network can be directly accessed by the address assigned to their port (with appropriate route configuration in the outside of OpenStack world).
Issue:
It's possible to create and then associate a floating IP on the external network with an instance attached to the project network - however this does not work - access to the instance via the FIP is broken, as is access to its fixed IP (when this worked OK before).
Thoughts:
The concept of a FIP is very much NAT centric, and in the described configuration NAT is very much disabled. This idea seems to have worked way back in Icehouse, however does not work at Ussuri. If this is not a supported network model, the association of the FIP to the instance should error with an appropriate message that NAT is not supported to the in-path router to the external network.
summary:
- [ovn] fip assignment to router with snat disabled broken
+ [ovn] fip assignment to instance via router with snat disabled is broken
description: updated
tags: added: ovn
Changed in neutron (Ubuntu):
status: New → Incomplete
As far as I can remember the enable_snat bit in the external_gateway_info of a router should only control the generic SNAT-ting of all traffic from internal networks to the external. Support for floating IPs should be orthogonal to the enable_snat bit.
Could you please elaborate on the connectivity test you did? From where and what exactly? Does access to the fixed IP break only when a floating IP is created, or is it broken when enable_snat is updated to False?
First I need to build an ovn environment to reproduce this.
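
An added example, not part of the bug report or of Neutron: a Python audit that lists associated floating IPs whose router has `enable_snat` set to false in `external_gateway_info`, the combination the report describes. The field names are those of the Neutron `routers` and `floatingips` API resources; the IDs, names and addresses are constructed sample data.

```python
# Constructed sample records using Neutron API field names (routers, floatingips).
SAMPLE_ROUTERS = [
    {"id": "r-nosnat", "name": "l3-only",
     "external_gateway_info": {"network_id": "ext-net", "enable_snat": False}},
    {"id": "r-snat", "name": "default",
     "external_gateway_info": {"network_id": "ext-net", "enable_snat": True}},
    {"id": "r-internal", "name": "no-gateway", "external_gateway_info": None},
]
SAMPLE_FIPS = [
    {"floating_ip_address": "203.0.113.10", "fixed_ip_address": "192.0.2.5",
     "port_id": "port-a", "router_id": "r-nosnat"},
    {"floating_ip_address": "203.0.113.11", "fixed_ip_address": "192.0.2.6",
     "port_id": "port-b", "router_id": "r-snat"},
    {"floating_ip_address": "203.0.113.12", "fixed_ip_address": None,
     "port_id": None, "router_id": None},
]


def routers_without_snat(routers):
    """Map id -> name for routers that have a gateway with enable_snat false."""
    found = {}
    for router in routers:
        gateway = router.get("external_gateway_info") or {}
        # A missing key is not treated as disabled; only an explicit False counts.
        if gateway and gateway.get("enable_snat") is False:
            found[router["id"]] = router.get("name", "")
    return found


def affected_floating_ips(routers, floating_ips):
    """List associated floating IPs whose router has SNAT disabled."""
    no_snat = routers_without_snat(routers)
    findings = []
    for fip in floating_ips:
        router_id = fip.get("router_id")
        # Unassociated floating IPs have no port_id or router_id and are skipped.
        if fip.get("port_id") and router_id in no_snat:
            findings.append((fip["floating_ip_address"],
                             fip["fixed_ip_address"], no_snat[router_id]))
    return findings


if __name__ == "__main__":
    for floating, fixed, router in affected_floating_ips(SAMPLE_ROUTERS, SAMPLE_FIPS):
        print(f"{floating} -> {fixed} via router {router!r} (enable_snat=false)")
```

In a deployment the two lists would come from the Neutron API responses for routers and floating IPs instead of the inline samples.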