OpenStack Compute (nova)

snat rule too broad for some network configurations

Bug #1048765 reported by Vish Ishaya
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
High
Vish Ishaya
OpenStack Compute (nova) 2012.2 "folsom"

Bug Description

When using an external gateway for fixed ips as mentioned in option 4 here:
http://docs.openstack.org/trunk/openstack-compute/admin/content/existing-ha-networking-options.html

It is possible to setup the gateway to route traffic properly, but the traffic will be snatted by default by nova-network. In many configurations using an external gateway, this is not desired, so there should be a way to disable the snat rule and/or limit it.

There is also an issue with snatting multiple floating ips. Picture the following scenario:

Two floating ip pools 10.1.0.0/24 on vlan10 and 192/168.0.0/24 on vlan11
vm has 10.1.0.2 and 192.168.0.2
all traffic will be routed to one of the two ips (depending on the order they were added)

What should happen:
traffic to flat_interface should not be snatted
traffic to vlan10 should be snatted to 10.1.0.2
traffic to vlan11 should be snatted to 192.168.0.2

See original description
Vish Ishaya (vishvananda)
Changed in nova:
importance: Undecided → High
status: New → In Progress
assignee: nobody → Vish Ishaya (vishvananda)
milestone: none → folsom-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/12727

Vish Ishaya (vishvananda)
summary: - No way to disable snat rule
+ snat rule too broad for some network configurations
description: updated
Vish Ishaya (vishvananda)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/12727
Committed: http://github.com/openstack/nova/commit/959c93f6d3572a189fc3fe73f1811c12323db857
Submitter: Jenkins
Branch: master

commit 959c93f6d3572a189fc3fe73f1811c12323db857
Author: Vishvananda Ishaya <email address hidden>
Date: Mon Sep 10 11:37:39 2012 -0700

    Fixes snat rules in complex networking configs

    There is currently no way to disable nova's snat rule, which causes
    problems for some network configurations with an external gateway.
    This patch allows the snat to be completely disabled by setting
    a blank value for routing_source_ip.

    This patch also makes the snat rule a little more specific, only
    snatting traffic that is destined for the public interface (or
    the floating interface if it is defined). This allows the snat
    to work without changing routing_source_ip and also ensures that
    an instance assigned multiple ips from different floating pools
    will connect from the appropriate address for each pool

    Fixes bug 1048765

    Change-Id: I18be88a3dbb7a9f4762db7beefc94e07b8310100

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: folsom-rc1 → 2012.2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/essex)

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/23201

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/essex)

Reviewed: https://review.openstack.org/23201
Committed: http://github.com/openstack/nova/commit/3bf5a586de263a063f665db5676460651b3f269a
Submitter: Jenkins
Branch: stable/essex

commit 3bf5a586de263a063f665db5676460651b3f269a
Author: Vishvananda Ishaya <email address hidden>
Date: Mon Sep 10 11:37:39 2012 -0700

    Fixes snat rules in complex networking configs

    There is currently no way to disable nova's snat rule, which causes
    problems for some network configurations with an external gateway.
    This patch allows the snat to be completely disabled by setting
    a blank value for routing_source_ip.

    This patch also makes the snat rule a little more specific, only
    snatting traffic that is destined for the public interface (or
    the floating interface if it is defined). This allows the snat
    to work without changing routing_source_ip and also ensures that
    an instance assigned multiple ips from different floating pools
    will connect from the appropriate address for each pool

    Fixes bug 1048765

    Change-Id: I18be88a3dbb7a9f4762db7beefc94e07b8310100
    (cherry picked from commit 959c93f6d3572a189fc3fe73f1811c12323db857)

Sean Dague (sdague)
no longer affects: nova/essex
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.